tomcat-users mailing list archives

From Udam Dewaraja <udam.dewar...@gmail.com>
Subject Tomcat running with a shared unix group but unable to read files with group permissions
Date Thu, 06 Sep 2012 17:50:30 GMT
Hi all,

I'm stumped on a seemingly java/tomcat related issue and am hoping someone
can provide some help.


We have two users ('user1' and 'user2') on our linux server that share the
same group ('group1'). User 'user1' writes some files that have the
following permissions:

-rw-r----- 1 user1 group1  788 Sep  5 19:42 file.log

The folder containing this file has the following permissions:

drwxr-xr--  2 user1 group1  4096 Sep  5 19:42 log


The tomcat web app is launched as user 'user2'. Below is the ps output for
the process. I've also verified that the java web app is running with gid
of the shared group 'group1'.


user2    31920 31919 99 21:30 ?        00:00:36 /usr/local/jre/bin/java
.... org.apache.catalina.startup.Bootstrap start

When the web app tries to read the file, it gets the following exception:

java.io.FileNotFoundException: /foo/bar/data/log/file.log (Permission denied)
at java.io.RandomAccessFile.open(Native Method)
at java.io.RandomAccessFile.<init>(RandomAccessFile.java:233)
at java.io.RandomAccessFile.<init>(RandomAccessFile.java:118)
        …
at java.lang.Thread.run(Thread.java:679)


However, while logged in as 'user2', I can run a simple
cat /foo/bar/data/log/file.log and I can read the contents of the file.

Also, if I provide 'other' read permissions to the file (e.g. -rw-r--r--
1 user1 group1  788 Sep  5 19:42 file.log), the web app is able to read
the file.

If I write a sample java application that tries to read this file and
execute it while logged in as 'user2', again Java is able to read the file.


Tomcat doesn't seem to be using any security policy as far as I can tell.
Any ideas why the group permissions seem to be ignored by tomcat?


Thanks!

Udam
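An added diagnostic helper for the situation described in the post (not code from the post or from Tomcat): it reads the groups the running JVM actually holds from /proc, and walks every component of the path checking that the process's permission class has x on each directory and r on the file, which is what the kernel checks rather than what `cat` in a login shell proves. It assumes Linux with GNU coreutils; the path /foo/bar/data/log/file.log in the usage comment is the one from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux, GNU coreutils
# (stat -c) and /proc. uid 0 bypasses these checks entirely.

# Groups a *running* process holds (primary gid plus supplementary ones),
# read from /proc/<pid>/status. "id user2" only shows what a fresh login
# would get; a service started via su/setuid may hold fewer groups.
proc_groups() {
    awk '/^Gid:/ {gid=$2} /^Groups:/ {$1=""; sup=$0} END {print gid sup}' "/proc/$1/status"
}

# Octal permission digit that applies to (uid, gids) for one path entry:
# owner digit if uid matches, group digit if the entry's gid is in gids,
# otherwise the "other" digit.
perm_class_digit() {
    uid="$1"; gids="$2"
    out=$(stat -c '%u %g %a' "$3") || return 2
    set -- $out
    mode=$(printf '%03d' "$3" | tail -c 3)        # last three digits only
    if [ "$uid" = "$1" ]; then echo "${mode%??}"
    elif echo " $gids " | grep -q " $2 "; then d="${mode#?}"; echo "${d%?}"
    else echo "${mode#??}"
    fi
}

# Walk every component of an absolute path the way the kernel does: each
# directory needs the x bit (1) for the caller's class, the final file
# needs r (4). Returns 0 if readable, 1 (plus a message) at the first blocker.
# Usage: check_path_access UID "GID GID ..." /abs/path/file
check_path_access() {
    uid="$1"; gids="$2"; rest="${3#/}"; cur=""
    while [ -n "$rest" ]; do
        case "$rest" in
            */*) comp="${rest%%/*}"; rest="${rest#*/}"; need=1 ;;
            *)   comp="$rest";       rest="";           need=4 ;;
        esac
        cur="$cur/$comp"
        digit=$(perm_class_digit "$uid" "$gids" "$cur") || return 2
        if [ $((digit & need)) -eq 0 ]; then
            echo "blocked at $cur: $(stat -c '%A %U:%G' "$cur") (class digit $digit, need $need)"
            return 1
        fi
    done
    return 0
}

# Example against the running Tomcat JVM (pid lookup by its Bootstrap class):
#   pid=$(pgrep -f org.apache.catalina.startup.Bootstrap)
#   check_path_access "$(stat -c %u /proc/$pid)" "$(proc_groups $pid)" /foo/bar/data/log/file.log
```

Run the two commands in the trailing comment as any user that can read /proc/<pid>/status; a "blocked at" line names the directory or file whose bits deny the JVM, and a Groups line missing group1 shows the service was started without its supplementary groups.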
