tomcat-users mailing list archives

From Alan Chaney
Subject Re: Permissions of File Created by Tomcat
Date Sun, 20 Apr 2008 18:04:06 GMT
Hi Daniel

Really the issues are to do with the JVM and linux rather more than 
tomcat directly. I can't claim to be a linux guru but you should look at 
it in the following way. Any application which runs on linux is 'owned' 
by a user. There are two classifications - 'system' users and 'normal' 
users. System users have UIDs which are less than 1024 and can invoke 
privileged services. 'root' is a system (privileged) user.

One issue which often seems to confuse people is that the JVM is a 
program not an operating system. When you 'run tomcat' you are actually 
invoking java on the tomcat bootstrap.jar. See the javadocs for more details.

My point here is that java is 'just another program' to linux, and all 
the permissions rules apply to the user invoking an application. You say 
that tomcat is now running as root (which is a BAD THING) which implies 
that you are:

a. logging in as root and starting tomcat
b. letting tomcat be started by a sys init process.

One decision you must make is whether or not tomcat should be allowed to 
access privileged ports (e.g. port 80).
If so, then you should start tomcat using something like jsvc (see
which when properly configured will allow you to start an app as root, 
bind tomcat to port 80 and then switch to a 'tomcat' user. You can set 
umask permissions as appropriate in the startup script.

If you intend to run tomcat with its default port of 8080 (or any 
non-privileged port) things are a bit simpler. Create a user on your 
system (maybe 'mytomcat') and then simply start the tomcat 
./bin/ as this user by something like:

su mytomcat -c $JAVA_HOME/bin/

from within the init script.

You can, of course, su to the user you are running the other java 
program as, then tomcat and your app will have the same user privileges 
- or you can create a tomcat group, make this the main group for your 
tomcat user, add it as another group to your 'application' user and set 
the appropriate umask (002) to allow group read/write (you must also set 
the directory permissions accordingly - set the 's' bit)

Please note that these are only pointers not a rigorous set of 
instructions. The reality is that if you want to do anything serious in 
linux you must learn the ins and outs of 'bash' and this list is not really 
the place to do that.



Daniel J Hulme wrote:
> Alan, this is very useful, thank you.
> After a bit of Googling I decided to upgrade to Tomcat6 (apparently it has
> fewer security issues with Ubuntu). This means that the files/dirs are now
> created (from the tomcat app) by 'root:root' (with the same permissions
> described in my first post).
> However, I still have the same problem. I'm running a java program (not as
> 'root'), and need write access to these files. And I'm not allowed to run my
> java app as 'root'.
> I'm pretty new to linux, so your help (i.e. command examples) is much
> appreciated.
> Daniel
> Alan Chaney wrote:
>> This is really a linux permissions issue.
>> How are you starting tomcat? with the $TOMCAT_HOME/bin/ or 
>> with jsvc or are you using an ubuntu startup script?
>> You don't say anything about the user who will run the java application.
>> Generally, the way to control the access permissions with which files 
>> are created in linux is to call 'umask' with the correct parameters. As 
>> mentioned before on this list umask is a shell command, so you must do 
>> it at the correct point or severely weaken the overall security of your 
>> installation.
>> You need to do the following:
>> 1. decide which user or users will be executing tomcat and the java 
>> application.
>> 2. If you decide that you need to have two separate users, then make 
>> them both in the same group.
>> 3. Use umask in the tomcat startup script and/or the shell in which you 
>> run your application to set appropriate access permissions - GIYF
>> As an aside, if you are going to have two different processes writing 
>> these shared files you may also have to consider locking issues - maybe 
>> you have already done this.
>> Regards
>> Alan Chaney
>> Daniel J Hulme wrote:
>>> Hi,
>>> I'm running a WebService using Tomcat 5.5 on Ubuntu 7.10 with Axis2.
>>> Files (and directories) are created by this service on a local directory:
>>> /myfiles/
>>> The permission of the new directories and files in this directory are:
>>> Directories: 		'drwxr-xr-x 2 tomcat55 nogroup  4096'
>>> Files:			'-rw-r--r-- 1 tomcat55 nogroup 10041'
>>> The problem is, if I want to access (write) these files using, say, a
>>> java application, it gives me:
>>> /myfiles/aDir/aFile.txt (Permission denied)
>>> How can I either:
>>> 1.Gain write access to these files (without having to constantly change
>>> the permissions in the command prompt, and without running my java
>>> application with 'root' access).
>>> 2.Create the files/dirs from tomcat with 'write access'
>>> 3.Other....
>>> Thanking you in advance.
>>> Daniel
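The umask and setgid advice in this thread, as an added example that is not part of the original messages: it reproduces the 755/644 modes from the first post under umask 022, then the group-writable result of umask 002 inside a setgid directory. The scratch directory and function names are assumptions made for the demonstration; it needs Linux with GNU stat and no root access.

```shell
#!/bin/sh
# Added illustration: the umask of the creating process decides the mode of
# new files, and a setgid directory passes its group (and the setgid bit)
# on to whatever is created inside it.

# mode_of PATH -> octal permission bits, e.g. 664 or 2775 (GNU stat)
mode_of() { stat -c '%a' "$1"; }

# create_with_umask UMASK DIR
# Creates DIR/sub and DIR/sub/file under UMASK inside a subshell, so the
# caller's own umask is untouched. Prints "<dir mode> <file mode>".
create_with_umask() {
    (
        umask "$1"
        mkdir "$2/sub" && : > "$2/sub/file" || exit 1
        echo "$(mode_of "$2/sub") $(mode_of "$2/sub/file")"
    )
}

# demo -> "<022 dir> <022 file> | <002 dir> <002 file>"
demo() {
    base=$(mktemp -d) || return 1      # constructed scratch area

    # Case 1: ordinary directory, umask 022 (owner-only write access)
    mkdir "$base/plain"
    chmod g-s "$base/plain"            # make sure no setgid bit is inherited
    plain=$(create_with_umask 022 "$base/plain") || return 1

    # Case 2: shared directory with the 's' bit on the group, umask 002
    mkdir "$base/shared"
    chmod 2775 "$base/shared"
    shared=$(create_with_umask 002 "$base/shared") || return 1

    rm -rf "$base"
    echo "$plain | $shared"
}

demo
```

In a real setup the `umask 002` line goes in the startup script of the process that creates the files, and the shared directory's group is the one both users belong to.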