# [SOLVED] Tomcat and /proc problems

## M.A.

I was tempted to post this under 'kernel & hardware' but as it seems it isn't a kernel issue, then here it is.

I have just encountered a strange problem with the /proc filesystem and tomcat. I became aware of this problem when trying to get a jstack dump (running sudo -u tomcat jstack -l PID). It fails with a 'well-known file is not secure error', so I launched jstack with strace.

The tomcat user cannot access the exe, cwd or root symbolic links under the /proc/PID directory for that process. The symbolic links appear as broken and if I try to 'cd /proc/PID/cwd' I get an "access denied" error (as I saw with strace). However, with processes other than tomcat (even other java processes) owned by the same tomcat user, this doesn't happen.

The superuser does have access to these files, whose owner is of course the tomcat user.

Moreover, in a slightly older system this does work as expected. There are obvious differences between the two systems:

* Old:
  - gentoo sources 2.6.32-r7
  - sun jdk 1.6.0.20
  - tomcat 6.0.28
* New:
  - gentoo sources 2.6.37
  - sun jdk 1.6.0.22
  - tomcat 6.0.29-r1

Not very significant differences. Also, kernel configuration is pretty alike.

However, I've tried in the new system the kernel, jdk and tomcat versions that run in the old one, but it still doesn't work. Even the kernel configuration is identical, as the hardware is very similar. Also, the tomcat configuration and the webapplications are exactly the same.

So now I cannot find what could be causing this strange behaviour. Do you have any clue about this?

Thank you very much in advance.

Last edited by M.A. on Tue Feb 22, 2011 9:18 am; edited 1 time in total

----------

## M.A.

OK, problem solved.

This was due to the init.d file... It seems that the --chuid option for start-stop-daemon changes the owner of the process when it is already running so the file permissions of the symbolic links in /proc/PID/ don't get updated.

Although I was working with modern versions of tomcat, my /etc/init.d/tomcat-6 was old (I was using the tomcat.init instead of the tomcat.init.2 file from portage). However, I was using this old file because the new one did not work for me, nor does it now. With the newer tomcat.init.2, when I start tomcat, I always get an error (although tomcat starts):

```
/etc/init.d/tomcat-6 start
 * Starting Tomcat ...                                [ !! ]
```

So I picked the old file as it worked for me. Now, as neither file works for me, I've just picked the old one and modified it slightly to make it work, as follows:

```

--- /usr/portage/www-servers/tomcat/files/6/tomcat.init 2008-12-20 19:36:58.000000000 +0100

+++ tomcat.init 2011-02-22 10:11:03.000000000 +0100

@@ -46,9 +46,8 @@

        shift

        local arguments="--start --quiet \

                --chdir "${CATALINA_TMPDIR}" \

-               --chuid ${CATALINA_USER}:${CATALINA_GROUP} \

                --make-pidfile --pidfile /var/run/tomcat-6.pid"

-       start-stop-daemon ${arguments} --exec ${executor} -- ${OPTS_CP} "$@" \

+       start-stop-daemon ${arguments} --exec /usr/bin/setuidgid ${CATALINA_USER} ${executor} -- ${OPTS_CP} "$@" \

                ${CATALINA_ARGS} ${TOMCAT_START} >> "${CATALINA_BASE}"/logs/catalina.out 2>&1 &

        return $?

 }

```
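Review bot: the new `start-stop-daemon` line no longer applies `${CATALINA_GROUP}`. The removed `--chuid ${CATALINA_USER}:${CATALINA_GROUP}` set the group explicitly, whereas `setuidgid ${CATALINA_USER}` takes the gid from the account itself and drops supplementary groups, so a CATALINA_GROUP that differs from the account's primary group is now silently ignored; either keep the group explicit or document that the variable has no effect. On the same line, `${CATALINA_USER}` and `${executor}` sit before the `--` separator, so they reach setuidgid only if start-stop-daemon's option parser passes leading non-option words through; placing `--` directly after `--exec /usr/bin/setuidgid` would make the intent explicit. The hard-coded /usr/bin/setuidgid is also a new dependency on daemontools, so the script should test that the binary exists and fail with a clear message when it does not.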

Now tomcat starts and stops fine and I can get jstack working. I don't know if this change would be approved as it is using an "external" app: setuidgid from daemontools.

Anyway, regarding the "new" tomcat.init.2 that does not work, it seems to be related to this bug: 355493, so for now I will stick with my slightly changed init.d script.

----------
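The symptom described in the thread can be checked without strace. The following is an added example, not part of the original posts: run as the service account (for instance via `sudo -u tomcat`), it reports whether the `exe`, `cwd` and `root` links under `/proc/PID` resolve for that user. The function names `check_proc_links` and `scan_user_procs` are hypothetical.

```shell
#!/bin/sh
# Added example: test whether the invoking user can resolve the per-process
# links named in the thread (exe, cwd, root) under /proc/PID.

# check_proc_links PID
# Prints one line per link: "<link> ok <target>" or "<link> denied".
# Returns 0 if all three resolve, 1 if any does not, 2 if PID is absent.
check_proc_links() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 2; }
    rc=0
    for link in exe cwd root; do
        if target=$(readlink "/proc/$pid/$link" 2>/dev/null); then
            echo "$link ok $target"
        else
            echo "$link denied"
            rc=1
        fi
    done
    return $rc
}

# scan_user_procs USER
# Prints the PID of every process owned by USER with at least one link that
# the invoking user cannot resolve. Run it as USER itself: root can always
# read the links, so a scan run as root shows nothing.
scan_user_procs() {
    ps -o pid= -o stat= -u "$1" 2>/dev/null | while read -r pid stat; do
        case $stat in Z*) continue ;; esac   # zombies have no exe link at all
        if check_proc_links "$pid" >/dev/null 2>&1; then
            :
        else
            # status 1 = link unreadable; status 2 = process already exited
            case $? in 1) echo "$pid" ;; esac
        fi
    done
}
```

A daemon whose PID is printed by `scan_user_procs tomcat` (run as tomcat) is one on which `jstack` run as that user will fail in the way the first post describes.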

