tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: Apps deployed with tomcat manager: No +w to group.Why?
Date Wed, 10 Mar 2010 10:51:46 GMT
Jimmy Spam wrote:
> 
> Please, excuse my poor english.
It sounds fine.
> 
> When I deploy an java app (.war file) with tomcat manager, it create the 
> folder of this app inside of webapps with user: tomcat, group: tomcat  
> and permissions 750. I need, at least, have write privilege for group 
> (770), since some user of my system (wich are inside of tomcat group), 
> need can modify files of the apps.
> 
> Can I change this behavior?
> 
Hi.

Maybe not directly in Tomcat (although since it is open-source, you 
could modify the Manager application yourself).

But if you are under Linux, and the filesystem where Tomcat resides 
allows it (supports ACL), there is another way (ACL) : look up the commands
setfacl, getfacl etc..
The point is : you can set permissions for the webapps 
directory/subdirectory, which will override what the Manager says.
Be prepared : these commands are a bit hard to understand; but they work.

Make sure that you understand the security implications of what you are 
doing, and make sure the Manager itself is well-protected.  It has been 
used in the past for attacks, to upload applications which in turn act 
as Trojans e.g.

Also, in the above, the logic itself of your requirement does raise some 
doubts : apparently thus, you deploy an application from a .war file 
through the Manager. This generates (explodes) a series of directories 
and files under tomcat/webapps.
And then, you allow some people to go and modify these files directly.
You probably know what you are doing, but as a general mechanism that 
does not sound like a very safe/consistent thing to do. For example, it 
means that if someone modifies a file, and then the application is 
redeployed using the Manager, the changes are lost.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message