Package: jetty9
Version: 9.4.16-0+deb10u1
Severity: important

On a default jetty9 install, the systemd unit file restricts read/write operations to /var/lib/jetty9/ using the systemd ProtectSystem and ReadWritePaths options.

The complaint is that this is way too strict for normal operation and daily use of jetty. E.g. when roughly following the installation instructions for a popular SAML IdP, Shibboleth [1], the default installation directory is /opt/shibboleth-idp, called idp.home. The default logfiles and metadata directory are %{idp.home}/logs and %{idp.home}/metadata, which prevents Shibboleth from correctly logging messages and saving metadata after start. Especially not being able to log to ${idp.home}/log made debugging this problem extremely hard and time-consuming.

The solution/work-around was to create an override unit for jetty9 that disables ProtectSystem (=no) and ReadWritePaths (=).

Please reconsider the ProtectSystem option in jetty9's systemd unit file.

Best regards,
Martin

[1] https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1274544254/Jetty94
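As an added example (not part of Martin's report or of the Debian package), a drop-in that keeps the packaged ProtectSystem= setting in force and only widens the writable set to the Shibboleth IdP directories named above. The drop-in file name is my choice, and it assumes the packaged unit already lists /var/lib/jetty9 in ReadWritePaths= so that entry need not be repeated.

```ini
# /etc/systemd/system/jetty9.service.d/shibboleth-idp.conf  (constructed name;
# any file ending in .conf in that directory is merged into jetty9.service)
[Service]
# ProtectSystem= is deliberately NOT touched here: the stock value from the
# Debian unit stays in effect, so the rest of the filesystem remains read-only.
#
# ReadWritePaths= is a list setting, so an assignment in a drop-in is appended
# to the list inherited from the main unit (only an empty "ReadWritePaths="
# would reset it, which is what the work-around in the report does).
# The leading "-" tells systemd to skip a listed path that does not exist
# instead of failing the service start.
ReadWritePaths=-/opt/shibboleth-idp/logs
ReadWritePaths=-/opt/shibboleth-idp/metadata

# Apply with:
#   systemctl daemon-reload && systemctl restart jetty9
# and confirm the effective list with:
#   systemctl show -p ReadWritePaths -p ProtectSystem jetty9
```

The two directories still have to be owned by, or writable for, the account the jetty9 unit runs as; the sandbox only controls whether the mount is writable at all.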