Affects Version/s: OpenMRS 1.9.3
Fix Version/s: Platform 1.11.0
Per Timothy D. Morgan (Thanks Tim!):
Under Debian Linux using the .war file, the application expects to be able to write runtime properties and other information to:
This directory is not writable by the tomcat7 user, and for good reason. This could be viewed as a simple bug, fixable by a permissions change, but in fact this leads to a security risk. The tomcat user should not have access to write to things under /usr. If it did, a single malicious/compromised web application may be able to escalate privileges. Certainly the .OpenMRS directory is somewhat isolated, and a smart user would provide tomcat with permissions only to this directory. However, it isn't so far-fetched to imagine a user
chown -R tomcat7 /usr/share/tomcat7/
Ultimately, the runtime properties should be written to a sane place, such as /var/lib/tomcat7/webapps/openmrs/. Under normal conditions, tomcat7 would have access to this. I have attempted to override the default behavior based on the environment variable mentioned here:
But this did not work. It seems to ignore the environment variable.
Consider using Java System properties to determine the path to the webapps dir, or the deployed application's directory and use that instead.
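
A check for the condition the report warns about, as an added example that is not part of the original report or of OpenMRS: it lists paths under an install tree that a service account owns or that are world-writable. The function names are hypothetical, and the account and directory are passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the report): audit an install tree that should be
# read-only for a service account, e.g. after a broad recursive chown.
# Covers ownership and world-writable bits only; group membership is not checked.

# writable_by_service ACCOUNT TREE
# Prints every non-symlink path under TREE that ACCOUNT owns or that is
# world-writable. ACCOUNT may be a user name or a numeric uid.
writable_by_service() {
    account=$1
    tree=$2
    [ -d "$tree" ] || { echo "no such directory: $tree" >&2; return 2; }
    find "$tree" ! -type l \( -user "$account" -o -perm -0002 \) -print
}

# audit_tree ACCOUNT TREE
# Returns 0 when nothing under TREE is modifiable by ACCOUNT, 1 when findings
# were printed, 2 when the tree is missing or find reported an error
# (for example an unknown account name), so a failed scan never reads as clean.
audit_tree() {
    hits=$(writable_by_service "$1" "$2") || return 2
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Usage on the layout described in the report:
#   audit_tree tomcat7 /usr/share/tomcat7
```

A non-zero exit status makes the function usable as a gate in a packaging or deployment check.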