tomcat-users mailing list archives

From André Warnier
Subject Re: running tomcat with root user.....umask in jsvc?
Date Mon, 02 Feb 2009 20:05:15 GMT
André Warnier wrote:
> wrote:
>> You are correct, I found a setting that relaxes the group access 
>> permissions on the jailkit. 
>> Now I just have one more problem.  When tomcat creates files in these 
>> user directories I need the permissions to be set appropriately.  What 
>> is the best way to set the umask value when running tomcat using jsvc?
> That's a good question.
> I don't think jsvc would take any account of the Tomcat user's .profile 
> file.
> ACLs would allow you to do that however :-)
> (Seriously, I believe you can set an ACL on the target directory that 
> would make it so that when this particular user (Tomcat) creates a file 
> there, it has by default a given set of permissions).
> Otherwise, you might have to do some kind of chmod from within your 
> webapp itself, after it creates the file. I don't know what Java method 
> that would be.
Replying to myself: upon further reflection, I am not even sure that 
Java would have a method to do this, since it is supposed to be 
platform-independent, and setting filesystem permissions and group 
ownership is rather on the platform-dependent side.
How often do such upload requests come in? I'm thinking that if this is 
a single-platform solution, and file uploads don't come up tens per 
second at a time, it may be possible (though I also don't know how) to 
simply execute an OS-level command (chmod 0xxx filename; chgroup xxxxx 
filename) from within a Tomcat webapp, or a servlet filter that would 
run after the webapp.

Otherwise, ACLs are complicated in terms of understanding the 
documentation of setfacl; but once you have it down, it is after all 
only a matter of running a single setfacl command once on each of your 
target directories. And it has the advantage of being done totally 
outside of your webapp, once and for all. It "sticks" to the directory, 
not to your code.
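
Added example, not part of the original message: a shell sketch of the default-ACL approach described above, comparing a file created in a plain directory with one created in a directory that carries a default ACL, both under a restrictive umask. The directory names and the chosen policy (read/write for owner and group, nothing for others) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: a default ACL decides the permissions of new files in a
# directory, independent of the creating process's umask.
# All paths are constructed temporary directories, not taken from the thread.

# set_upload_defaults DIR: new files in DIR get at most rw for owner and
# group and nothing for others (files are created without the x bit).
set_upload_defaults() {
    setfacl -d -m u::rwx,g::rwx,o::--- "$1"
}

# mode_of FILE: octal permission bits (GNU stat, with a BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# demo_default_acl: prints "<mode in plain dir> <mode in ACL dir>", or
# "unsupported" when setfacl is missing or the filesystem rejects ACLs.
demo_default_acl() {
    base=$(mktemp -d) || return 1
    mkdir "$base/plain" "$base/acl"
    if ! command -v setfacl >/dev/null 2>&1 ||
       ! set_upload_defaults "$base/acl" 2>/dev/null; then
        rm -rf "$base"
        echo "unsupported"
        return 0
    fi
    (
        # Simulate a daemon started with a restrictive umask.
        umask 077
        : > "$base/plain/upload.txt"   # the umask applies here
        : > "$base/acl/upload.txt"     # the default ACL applies here
    )
    echo "$(mode_of "$base/plain/upload.txt") $(mode_of "$base/acl/upload.txt")"
    rm -rf "$base"
}

demo_default_acl
```

On a filesystem with POSIX ACL support this prints `600 660`: the file in the plain directory follows the umask, while the file in the ACL directory stays group-readable and group-writable.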
