Add env variable option to instruct the buildpack to make catalina.sh world read and executable #478

@dmikusa

Describe the Enhancement

By default, Tomcat has the permissions on bin/catalina.sh as 750. That means the user can read/write/execute and the group can read/execute. There are no world permissions. This is intentional and done by upstream Tomcat.

In most cases this should be fine because your application will run as a user that is in the cnb group, which is the group that owns catalina.sh and means by default this will be executable.

There are some environments where the uid/gid of the running container are randomly generated. Buildpacks does not officially support changing the gid, but we can add a feature flag here that will enable world read+execute and it should enable Tomcat to work in this environment.

A test to verify this is working correctly:

  1. Build the app image with this new setting enabled
  2. Run the app image with docker run -u 65300:65301 ... (or pick any random uid:gid combination). The app should start and run Tomcat.

Possible Solution

Add a configuration option env variable, like BP_RELAX_TOMCAT_PERMISSIONS, which defaults to false. By default, nothing should happen. When enabled, this setting should chmod the bin/catalina.sh file (and possibly others) to be world read+execute.

Motivation

Support runtime environments with very restrictive user/group id requirements.

https://github.com/orgs/paketo-buildpacks/discussions/240#discussioncomment-8080853
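
The permission behaviour this issue describes, as an added example that is not part of the original issue or the buildpack's code: it models why mode 750 blocks an arbitrary uid:gid and applies the opt-in change as o+rx only, never o+w. The function names, the temp file standing in for bin/catalina.sh and the 1000:1000 owner are assumptions; the variable name is the one the issue suggests, and the check ignores root and supplementary groups.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// worldReadExec is the only widening applied: o+r and o+x, never o+w.
const worldReadExec os.FileMode = 0o005

// canExecute models the permission class selection for a non-root process:
// exactly one of the owner, group or other bits applies, checked in that order.
func canExecute(mode os.FileMode, fileUID, fileGID, uid, gid int) bool {
	switch {
	case uid == fileUID:
		return mode&0o100 != 0
	case gid == fileGID:
		return mode&0o010 != 0
	default:
		return mode&0o001 != 0
	}
}

// relaxIfEnabled adds o+rx to path only when flagValue parses as true.
// An unset or unparsable value leaves the file untouched (default false).
func relaxIfEnabled(path, flagValue string) (os.FileMode, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	mode := info.Mode().Perm()
	if enabled, perr := strconv.ParseBool(flagValue); perr != nil || !enabled {
		return mode, nil
	}
	mode |= worldReadExec
	return mode, os.Chmod(path, mode)
}

func main() {
	// Constructed stand-in for bin/catalina.sh, created with upstream's 750.
	f, _ := os.CreateTemp("", "catalina-*.sh")
	defer os.Remove(f.Name())
	f.Close()
	os.Chmod(f.Name(), 0o750)
	// 1000:1000 as the file's owner and group is an assumed sample value.
	mode, _ := relaxIfEnabled(f.Name(), os.Getenv("BP_RELAX_TOMCAT_PERMISSIONS"))
	fmt.Printf("mode=%o exec as 65300:65301=%v\n", mode, canExecute(mode, 1000, 1000, 65300, 65301))
}
```
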
