tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gregor Schneider <>
Subject Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Date Wed, 01 Dec 2010 16:31:23 GMT
Hi André,

long time no see ;)

On Wed, Dec 1, 2010 at 12:20 PM, André Warnier <> wrote:
> As far as I know, these startup scripts are created by the packagers of
> Debian, RedHat etc.. when they wrap Tomcat in a platform-specific package.
> /They/ are the ones who decide how they call up jsvc, where the logfiles go,
> under what permissions etc..

That's actually not the case:

The startaup-script for Tomcat native comes with the jscv-sources,
meaning it's *not* some pre-packaged Debian-thing.

However, I guess I know what's going on:

The script is started from user Tomcat via "sudo". One parameter for
jsvc is the parameter "user".

When invoking jsvc with "--help", is says:

----- [ cut] --------
    -user <user>
        user used to run the daemon (defaults to current user)
----- [ cut] --------

Seems somehow to work, since a

ps -aux | more | grep tomcat


tomcat   29386  0.9  3.4 1651348 139244 ?      Sl   16:31   0:25
jsvc.exec -user tomcat -home /home/tomcat/local/jdk15/
-Dlog4j.configuration=log4j.xml -wait 10 -pidfile /var/run/
-outfile /home/tomcat/local/tomcat55//logs/catalina.out -errfile &1
-Xmx1024m -XX:PermSize=256m -XX:+DisableExplicitGC
-Xdebug -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=n
-cp /home/tomcat/local/jdk15//lib/tools.jar:/home/tomcat/local/tomcat55//bin/commons-daemon.jar:/home/tomcat/local/tomcat55//bin/bootstrap.jar

So you can clearly see, that the process is started from user
"tomcat", although the startup-script is started in root-context (due
to the "sudo"-command).

jsvc is *not* forking a jvm, but wrapping it and starting it with it's
own user-context, although it's supposed to change the user-context
according to the help-text I've listed above.

And I would be so picky if it had the same behaviour with version
5.5.20, but in 5.5.20 catalina.out had tomcat-ownership.

So it seems, somebody changed something here, and I'm even too dumb to
find anything in the changelogs, which I wouldn't like at all, either
being a tomcat-user or a comitter...

For the time being, I put this little fix into the startup-script, but
still, I'm not too happy with this hack:

# workaround to prevent root-ownership for catalina.out
if [ ! -f $CATALINA_HOME/logs/catalina.out ]; then
    touch $CATALINA_HOME/logs/catalina.out
    chown $TOMCAT_USER $CATALINA_HOME/logs/catalina.out
    OWNER=`ls -l $CATALINA_HOME/logs/catalina.out | grep $TOMCAT_USER`
    if [ -z "$OWNER" ]; then
        chown $TOMCAT_USER:$TOMCAT_USER $CATALINA_HOME/logs/catalina.out
# end workaround


just because you're paranoid, don't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message