Date: Fri, 7 Sep 2012 12:26:23 +0200
From: Peter Benko
To: users@tomcat.apache.org
Subject: Re: Tomcat running with a shared unix group but unable to read files with group permissions
Message-ID: <20120907102623.GA2752@dilema.vse.sk>

On Thu, Sep 06, 2012 at 10:50:30AM -0700, Udam Dewaraja wrote:
> Hi all,
>
> I'm stumped on a seemingly java/tomcat related issue and am hoping someone
> can provide some help.
>
> We have two users ('user1' and 'user2') on our linux server that share the
> same group ('group1'). User 'user1' writes some files that have the
> following permissions:
>
> -rw-r----- 1 user1 group1 788 Sep 5 19:42 file.log
>
> The folder containing this file has the following permissions:
>
> drwxr-xr-- 2 user1 group1 4096 Sep 5 19:42 log
>
> The tomcat web app is launched as user 'user2'. Below is the ps output for
> the process. I've also verified that the java web app is running with gid
> of the shared group 'group1'.
>
> user2 31920 31919 99 21:30 ? 00:00:36 /usr/local/jre/bin/java
> .... org.apache.catalina.startup.Bootstrap start
>
> When the web app tries to read the file, *it gets the following exception*:
>
> java.io.FileNotFoundException: /foo/bar/data/log/file.log (Permission denied)
>     at java.io.RandomAccessFile.open(Native Method)
>     at java.io.RandomAccessFile.<init>(RandomAccessFile.java:233)
>     at java.io.RandomAccessFile.<init>(RandomAccessFile.java:118)
>     …
>     at java.lang.Thread.run(Thread.java:679)
>
> However, while logged in as 'user2', I can run a simple
> cat /foo/bar/data/log/file.log and *I can read the contents of the file*.
>
> Also, if I provide 'other' read permissions to the file (e.g.
> -rw-r--r-- 1 user1 group1 788 Sep 5 19:42 file.log), *the web app is able to
> read the file*.
>
> If I write a sample java application that tries to read this file and
> execute it while logged in as 'user2', again *Java is able to read the file.*
>
> Tomcat doesn't seem to be using any security policy as far as I can tell.
> Any ideas why the group permissions seem to be ignored by tomcat?
>

Please try to check ulimit (pam) settings in your OS.

--
Peter Benko
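
An added example, not part of the thread: a check of which permission class (owner, group or other) a running process falls into for each component of a path, using the filesystem uid/gid and supplementary groups the kernel reports in /proc/<pid>/status rather than what a login shell for the same user shows. The numeric ids and function names are constructed for illustration, and the check assumes plain mode bits (no ACLs, no root or capabilities, no SELinux/AppArmor).

```python
import os
import stat

# Constructed /proc/<pid>/status excerpt (ids are assumptions): a process run as
# uid 502 whose supplementary group list lacks the shared group (gid 600 here).
SAMPLE_STATUS = "Name:\tjava\nUid:\t502\t502\t502\t502\nGid:\t502\t502\t502\t502\nGroups:\t502\n"

def parse_status(text):
    """Return (fsuid, fsgid, supplementary_gids) from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key] = value.split()
    # Uid/Gid columns are real, effective, saved, filesystem; file access uses the last.
    return int(fields["Uid"][3]), int(fields["Gid"][3]), {int(g) for g in fields.get("Groups", [])}

def access_class(creds, st_uid, st_gid):
    """Pick the single mode-bit class the kernel consults (no ACLs, not root)."""
    fsuid, fsgid, groups = creds
    if fsuid == st_uid:
        return "owner"
    if st_gid == fsgid or st_gid in groups:
        return "group"
    return "other"

def allowed(creds, st_uid, st_gid, mode, want):
    """want is 'r', 'w' or 'x'; mode is st_mode or a bare octal permission value."""
    shift = {"owner": 6, "group": 3, "other": 0}[access_class(creds, st_uid, st_gid)]
    bit = {"r": 4, "w": 2, "x": 1}[want]
    return bool((stat.S_IMODE(mode) >> shift) & bit)

def check_path(pid, path):
    """Report, per path component, the class and outcome for a live process."""
    with open(f"/proc/{pid}/status") as fh:
        creds = parse_status(fh.read())
    report, current = [], os.sep
    parts = [p for p in os.path.abspath(path).split(os.sep) if p]
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        st = os.stat(current)
        want = "r" if i == len(parts) - 1 else "x"  # search on dirs, read on the file
        report.append((current, access_class(creds, st.st_uid, st.st_gid),
                       allowed(creds, st.st_uid, st.st_gid, st.st_mode, want)))
    return report

if __name__ == "__main__":
    import sys
    for row in check_path(sys.argv[1], sys.argv[2]):
        print(*row)
```

Run it with the Tomcat process id and the file path as arguments, from an account that can stat every directory on the path (typically root).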