tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Date Wed, 01 Dec 2010 21:10:01 GMT

Gregor,

On 12/1/2010 5:55 AM, Gregor Schneider wrote:
> And if you take a look into /var/logs, you can see exactly, that the
> logs inside this directory partly don't belong to root as long as they
> are not run within a root-context.
> 
> A good example is mysql:
> 
> -rw-rw---- 1 mysql adm 344379 2009-09-30 12:13 mysql-full.log

I agree with Mladen: MySQL doesn't actually need root privileges for
anything at all, so this is a good description of your desires, but not
a really great example.

> For the rest, I'm completely with you, and the solutions you pointed
> out will work and already crossed my mind, except that the directory
> is already umasked to 0022, still, catalina.out gives
> 
> -rw------- 1 root   root    7395 2010-12-01 11:51 catalina.out

What does "directory is already umasked" mean? AFAIK, you can't umask a
directory. Do you mean you're using sticky bits?

> But what's really puzzling me - and for which I don't have any
> explanation - is, that with the old version of jsvc, catalina.out had
> ${TOMCAT_USER}-ownership (mind you: in the startup-script there's a
> "su ${TOMCAT-USER}" before starting jsvc), and to me it seems that this
> has changed with the new version.

Is it possible that if catalina.out already exists and is owned by, say,
"tomcat", that its ownership will be retained when jsvc opens it for
append? If that's the case, you may have simply deleted the file during
your upgrade and had it re-created by jsvc (owned by root) after the fact.

Can you tell us what version of jsvc you were using in the past, and
what version you're using now?

I can't seem to find a readable changelog on the commons-daemon site. :(
On the other hand, it looks like jsvc hasn't had any changes in years.

> Furthermore, I'd like to give you some insights of a "Real
> Life"-external-managed-services-root-server-installation within a big
> financial corporation:
> 
> Here - and in quite some other companies I do know - it's common
> practice to host the servers externally, having managed services.
> 
> Usually, this implies that you don't have root-access, simply for
> liability-reasons. However, only basic Tomcat-maintenance is done by
> the external hoster, and when deploying new webapps, our developers
> need to be able to read all logs.
> 
> Therefore, such a behaviour as seen by the latest jsvc is making
> developer's life quite complicated.
> 
> Anyhow, I guess I'll go for a chown inside the startup-script for now.

What happens if you do something like this in your startup script:

touch "$CATALINA_OUT"

jsvc -outfile "$CATALINA_OUT"

That ought to create "$CATALINA_OUT" using the current user's
permissions. I'll have to look at the code to see what jsvc tries to do
if the file exists. Or, I could just run it myself :)

-chris
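The pre-create approach suggested in the message above, as an added example that is not part of the original post or of jsvc: it creates the log with an explicit owner and mode, refuses symlinks (a startup script running as root should not follow a link in a directory the service account can write to), and checks that an append-open leaves owner and mode alone. The helper names and the "tomcat" account in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example; prepare_log, owner_mode and append_keeps_owner are
# hypothetical helper names, not part of jsvc or Tomcat.
# Assumed usage in a startup script, before jsvc is launched:
#   prepare_log "$CATALINA_OUT" tomcat 640 || exit 1

# Print "uid mode" for a path (GNU stat, falling back to BSD stat).
owner_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %Lp' "$1"
}

# prepare_log FILE OWNER [MODE]: create FILE if missing, then set owner/mode.
# Returns 2 if FILE is a symlink or not a regular file.
prepare_log() {
    file=$1 owner=$2 mode=${3:-640}
    # A script running as root must not follow a link planted in a
    # directory that the service account can write to.
    if [ -L "$file" ]; then
        echo "refusing symlink: $file" >&2
        return 2
    fi
    if [ -e "$file" ] && [ ! -f "$file" ]; then
        echo "not a regular file: $file" >&2
        return 2
    fi
    # Create under umask 077 so a new file is never briefly world-readable;
    # ">>" does not truncate a log that already exists.
    ( umask 077; : >> "$file" ) || return 1
    # This is still check-then-act: keeping the log directory writable only
    # by root closes the remaining race.
    chown -h "$owner" "$file" || return 1   # -h: act on a link itself, not its target
    chmod "$mode" "$file"
}

# Returns 0 if an append-open leaves FILE's owner and mode unchanged, which
# is why a pre-created log keeps its owner when a daemon later appends to it.
append_keeps_owner() {
    before=$(owner_mode "$1") || return 1
    echo "appended line" >> "$1" || return 1
    [ "$before" = "$(owner_mode "$1")" ]
}
```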
