We Keep Coding

Allow non-root to run /usr/bin/pdftk in cPanel... getting "/usr/bin/pdftk: line 8: /usr/share/java-utils/java-functions: No such file or directory"

The Problem
The command
I own my own WHM/cPanel server and want to execute pdftk as someuser, a non-root user.
/usr/bin/pdftk '/home/someuser/public_html/form/Form.pdf' fill_form '/home/someuser/public_html/form/results/Registration.xfdf' output '/home/someuser/public_html/form/results/Registration.pdf'
The error
If I run that command as the user root it works, but when running this as the user someuser I get the following error.
/usr/bin/pdftk: line 8: /usr/share/java-utils/java-functions: No such file or directory
Details
Permissions for the files involved
-rwxr-xr-x root root /usr/bin/pdftk
-rw-r--r-- someuser someuser /home/someuser/public_html/form/Form.pdf
-rw-r--r-- someuser someuser /home/someuser someuser/public_html/form/results/Registration.xfdf
-rw-r--r-- someuser someuser /home/someuser someuser/public_html/form/results/Registration.pdf
Server/software details
CloudLinux v7.9.0
cPanel & WHM v102.0.8 (STANDARD)
pdftk-java.noarch 3.3.2-1.el7 #epel ... is what I get from yum list installed | grep pdftk
Thoughts on a solution
To run a non-native program like /usr/bin/pdftk as a user other than root requires specific CloudLinux or WHM/cPanel permissions to be added and I can't remember how to do that. It takes more than just a chmod... I believe that the program has to be added to a list of approved programs for all cPanel users to run kind of thing, but need help to find how to do that again, of course assuming that's the real problem???

Jenkins startup error: jenkins.model.InvalidBuildsDir: does not contain ${ITEM_FULL_NAME} or ${ITEM_ROOTDIR}, cannot distinguish between projects

Help please. In our workflow we only work with pre-packaged offline deploys where we do not have root access and therefore use supervisord to stop start ALL packages. We deploy all our packages under a user account. I have created a custom Jenkins package. Its basically its a folder containing the Jenkins war file and configurations from when I tool a vanilla initial setup.
My installation has worked up until now. Seems trying to get things running for the first time seems flaky. Once running Jenkins is fine. This time I am trying to deploy the packages (they have not changed) however I cannot start Jenkins and get and error:
jenkins.model.InvalidBuildsDir: does not contain ${ITEM_FULL_NAME} or ${ITEM_ROOTDIR}, cannot distinguish between projects
So what I did was get a clean fresh install running and packaged it up. Basically I untar the jenkins directory then use supervisord to control start/stop.
Supervisord config:
[program:jenkins]
autorestart = true
autostart = true
command = /bin/bash -c "set JENKINS_HOME=/opt/home/svc_user/opskit/jenkins; /opt/home/svc_user/opskit/jdk/bin/java -Djava.awt.headless=true -Djenkins.model.Jenkins.buildsDir=/opt/home/svc_user/data/jenkins/builds/${ITEM_FULL_NAME} -Djenkins.model.Jenkins.workspacesDir=/opt/home/svc_user/data/jenkins/workspace/${ITEM_FULL_NAME} -jar /opt/home/svc_user/opskit/jenkins/bin/jenkins.war -path=/opt/home/svc_user/opskit/jenkins"
directory = /opt/home/svc_user/opskit/jenkins
redirect_stderr = true
stdout_logfile = /opt/home/svc_user/opskit/log/jenkins.log
stdout_logfile_backups = 5
stdout_logfile_maxbytes = 10MB
stopwaitsecs = 300
Full error:
jenkins.model.InvalidBuildsDir: /opt/home/svc_user/data/jenkins/builds does not contain ${ITEM_FULL_NAME} or ${ITEM_ROOTDIR}, cannot distinguish between projects
at jenkins.model.Jenkins.checkRawBuildsDir(Jenkins.java:3179)
at jenkins.model.Jenkins.setBuildsAndWorkspacesDir(Jenkins.java:3135)
at jenkins.model.Jenkins.loadConfig(Jenkins.java:3123)
Caused: java.io.IOException
at jenkins.model.Jenkins.loadConfig(Jenkins.java:3125)
at jenkins.model.Jenkins.access$1200(Jenkins.java:320)
at jenkins.model.Jenkins$13.run(Jenkins.java:3219)
at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169)
at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:296)
at jenkins.model.Jenkins$5.runTask(Jenkins.java:1133)
at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:214)
at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused: org.jvnet.hudson.reactor.ReactorException
at org.jvnet.hudson.reactor.Reactor.execute(Reactor.java:282)
at jenkins.InitReactorRunner.run(InitReactorRunner.java:50)
at jenkins.model.Jenkins.executeReactor(Jenkins.java:1166)
at jenkins.model.Jenkins.<init>(Jenkins.java:966)
at hudson.model.Hudson.<init>(Hudson.java:85)
at hudson.model.Hudson.<init>(Hudson.java:81)
at hudson.WebAppMain$3.run(WebAppMain.java:233)
Caused: hudson.util.HudsonFailedToLoad
at hudson.WebAppMain$3.run(WebAppMain.java:250)
Jenkins config.xml:
<workspaceDir>/opt/home/svc_user/data/jenkins/workspace/${ITEM_FULL_NAME}</workspaceDir>
<buildsDir>/opt/home/svc_user/data/jenkins/builds/${ITEM_FULL_NAME}</buildsDir>
Folder permissions (install dir):
lrwxrwxrwx 1 svc_user svc_user 39 Jun 4 02:51 jenkins -> /opt/home/svc_user/opskit/jenkins-2.222.3
drwxr-xr-x 13 svc_user svc_user 4096 May 1 05:07 jenkins-2.222.3
Folder permissions (custom dir for builds and workspaces):
lrwxrwxrwx 1 svc_user svc_user 37 Jun 4 02:51 jenkins -> /opt/home/svc_user/data/jenkins-2.222.3
drwxr-xr-x 4 svc_user svc_user 37 Jun 4 16:39 jenkins-2.222.3
|-nginx-1.16.1
|-jdk-8u91
|-jenkins-2.222.3
| |-builds
| |-workspace
Help would be greatly appreciated. Thank you in advance.

Modified this:
command = /bin/bash -c "JENKINS_HOME=/opt/home/svc_user/opskit/jenkins /opt/home/svc_user/opskit/jdk/bin/java...
^^
Nothing to do with the fix, just launches 1 java process instead of 2.
Deleted:
-Djenkins.model.Jenkins.buildsDir=/opt/home/svc_user/data/jenkins/builds/${ITEM_FULL_NAME}
-Djenkins.model.Jenkins.workspacesDir=/opt/home/svc_user/data/jenkins/workspace/${ITEM_FULL_NAME}
^^
Fixed my startup issue. Not sure why these had no negative effects on previous installations.
Also deleted:
path=/opt/home/svc_user/opskit/jenkins
Seemed isnt necessary.
¯_(ツ)_/¯

How to configure current working directory in Tomcat?

I recently migrated a tomcat application from one Linux server to another. Since then, I am facing a new file creation issue on the new server. In the new server, when I try to create a file it fails, which works fine in the old server:
File convFile = new File(file.getOriginalFilename());
convFile.createNewFile(); //this FAILS
FileOutputStream fos = new FileOutputStream(convFile);
fos.write(file.getBytes());
fos.close();
To investigate the issue, I printed the working directory using:
String cwd = new File("").getAbsolutePath();
System.out.println(cwd);
And this debugging revealed the root cause behind the issue:
The old server returned: var/lib/tomcat, whereas the new server returned: / (the root directory)
As the tomcat user did not (and should not) have write permission on root directory, it failed to create the file.
My question, which factor decides the current working directory of Tomcat, and how to configure it?
Here are my Tomcat and java environment variables.
Environment="JAVA_HOME=/usr/lib/jvm/jre"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment="CATALINA_BASE=/opt/tomcat"
Environment="CATALINA_HOME=/opt/tomcat"
Update: I tried -Duser.dir to configure the working directory. After using this, I get expected result from System.out.println(cwd);. But the issue still persists, the file creation fails. apparently, this does not work for FileOutputStreams.
Source: Changing the current working directory in Java?
The ownership and permissions are handled properly. I am looking for a system-side solution without making any code change, as the same code is working in the old server.

I'm doing startup with systemd on RHEL 8.3.
For that, I found that adding this stanza before the ExecStart got desired result:
WorkingDirectory=/data/desired/catalina_base
YMMV with other flavours and startup options - just use absolute path for both ExecStart & WorkingDirectory
Full platform:
Server version name: Apache Tomcat/9.0.54
Server built: Sep 28 2021 13:51:49 UTC
Server version number: 9.0.54.0
OS Name: Linux
OS Version: 4.18.0-240.22.1.el8_3.x86_64
Architecture: amd64
Java Home: /usr/lib/jvm/java-11-openjdk-11.0.10.0.9-4.el8_3.x86_64
JVM Version: 11.0.10+9-LTS
JVM Vendor: Red Hat, Inc.

FitNesse throws FileNotFoundException

I have downloaded fitnesse-standalone.jar, and tried to run using below command
java -jar fitnesse-standalone.jar
Unfortunately I am getting below exception,
C:\Program Files (x86)\Java\jdk1.6.0_14\bin>java -jar fitnesse-standalone.jar
Mar 18, 2014 4:16:54 PM fitnesse.ConfigurationParameter loadProperties
INFO: No configuration file found (C:\Program Files (x86)\Java\jdk1.6.0_14\bin\p
lugins.properties)
root page: fitnesse.wiki.fs.FileSystemPage at ./FitNesseRoot
logger: none
authenticator: fitnesse.authentication.PromiscuousAuthenticator
page factory: fitnesse.html.template.PageFactory
page theme: fitnesse_straight
Starting FitNesse on port: 80
Exception in thread "main" java.io.FileNotFoundException: .\FitNesseRoot\updateL
ist (The system cannot find the path specified)
at java.io.FileOutputStream.open(Native Method)
at java.io.FileOutputStream.<init>(FileOutputStream.java:179)
at java.io.FileOutputStream.<init>(FileOutputStream.java:131)
at fitnesse.updates.FileUpdate.copyResource(FileUpdate.java:45)
at fitnesse.updates.FileUpdate.doUpdate(FileUpdate.java:31)
at fitnesse.updates.UpdaterImplementation.getUpdateFilesFromJarFile(Upda
terImplementation.java:71)
at fitnesse.updates.UpdaterImplementation.createUpdateAndDoNotCopyOverLi
sts(UpdaterImplementation.java:62)
at fitnesse.updates.UpdaterImplementation.<init>(UpdaterImplementation.j
ava:21)
at fitnesseMain.FitNesseMain.update(FitNesseMain.java:66)
at fitnesseMain.FitNesseMain.launchFitNesse(FitNesseMain.java:59)
at fitnesseMain.FitNesseMain.launchFitNesse(FitNesseMain.java:48)
at fitnesseMain.FitNesseMain.main(FitNesseMain.java:32)
Please help!
Regards
Rajib

You need to point to the directory where the fitnesse-standalone jar is located in. Also, there's is a good chance that port 80 is already being used. Therefore, try using a different port using the -p option in that case.
Example: -jar C:/fitnesse-standalone.jar -p 8081

You may want to run java -jar fitnesse-standalone.jar from the directory where you copied a file fitnesse-standalone.jar.
To avoid an error of running java you need to add java folder to the environment variables.

Hudson fails to use unix user/group to do authentication

I'm trying to use unix user/group database as security realm of hudson. The linux server is using NIS for user management. My account could login the hudson server via ssh.
And the hudson server is running by user 'hudson' that is also a member of group 'shadow', so hudson could read /etc/shadow. And I tested the configuration using 'test' button, hudson tells me it works well.
But I can't use my unix account and password to login the hudson sever.
And I found below java exception in the log of hudson,
Jan 12, 2011 8:23:42 AM hudson.security.AuthenticationProcessingFilter2 onUnsuccessfulAuthentication
INFO: Login attempt failed
org.acegisecurity.BadCredentialsException: pam_authenticate failed : Authentication failure; nested exception is org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
at hudson.security.PAMSecurityRealm$PAMAuthenticationProvider.authenticate(PAMSecurityRealm.java:100)
at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:195)
at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:71)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:244)
at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
at java.lang.Thread.run(Thread.java:595)
Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
at org.jvnet.libpam.PAM.check(PAM.java:105)
at org.jvnet.libpam.PAM.authenticate(PAM.java:123)
at hudson.security.PAMSecurityRealm$PAMAuthenticationProvider.authenticate(PAMSecurityRealm.java:90)
... 18 more
Update on Jan. 17,
The host is RHEL 4.5, and I created user and group shadow, then add hudson into group shadow.
-bash-3.00$ cat /etc/redhat-release
Red Hat Enterprise Linux WS release 4 (Nahant Update 5)
-bash-3.00$ ll /etc/shadow
-r--r----- 1 root shadow 1114 Jan 4 11:37 /etc/shadow
-bash-3.00$ cat /etc/group |grep shadow
shadow:x:44:hudson
I also tried to setup hudson on another RHEL 4.8 host. This time I ran the hudson by root,
kzhu0#pek-wb-rhws4_32:~$ ps -ef|grep hudson
root 18764 29161 0 Jan14 pts/5 00:00:33 /usr/bin/java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true -DHUDSON_HOME=/var/lib/hudson -jar /usr/lib/hudson/hudson.war --logfile=/var/log/hudson/hudson.log --daemon --httpPort=8080 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20
kzhu0 22404 18833 0 10:52 pts/2 00:00:00 grep hudson
kzhu0#pek-wb-rhws4_32:~$ cat /etc/redhat-release
But I still don't have luck to get unix user/password group work. And I can't find any pam error message in /var/log/messages and /var/log/secure. It looks like hudson throws the exception before actually using pam to get authentication.
Red Hat Enterprise Linux WS release 4 (Nahant Update 8)

I find the solution after debugging the code of libpam4j that is used by hudson for PAM security realm.
the service name must be 'sshd' in my case, because I want to use NIS to do authentication. RHEL 4.x uses the pam 0.77, it strictly depends on the service name specified by hudson. However my Ubuntu 10.04 accepts any meaningless service name, which uses pam 1.1.1.
the user who runs the hudson must have the permission to read the service file of pam, /etc/pam.d/sshd is the file in my case

In my case, ubuntu 10.04 Ihad to use ssh instead of sshd for the Service Name

I have struggled with this problem for many hours. At the end what worked for me:
1. Add 'hudson' user to root and shadow groups
2. Install sshd (missing in /etc/pam.d).
3. Set PAM service to login.
Then I could login to Hudson with Unix account and execute build as Unix user.
I think point 1 is the one which fixed issue.