tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mark H. Wood" <mw...@IUPUI.Edu>
Subject Re: Tomcat log files - Strict permissions - setuid
Date Thu, 03 Dec 2015 14:14:13 GMT
On Thu, Dec 03, 2015 at 10:42:40AM -0300, Andres Riancho wrote:
> List,
> 
>     I'm trying to secure my tomcat instances. One of the steps I took
> was to run the tomcat process using the non-privileged "tomcat" user,
> and set the file system permissions as restrictive as possible. It all
> works well, but there is something missing: "The tomcat user is able
> to read the access log files":
> 
> root@7083cdc8e2fc:/apps/tomcat/logs# ls -la
> ...
> -rw-rw----  1 tomcat tomcat    0 Dec  1 19:46 0.0.0.0_access_log.2015-12-01.txt

One fancier approach would be to configure a log sink which passes
records to another process through a socket -- syslog, for example.
There are syslog Handler implementations for java.util.logging, or you
could cook up a custom log recorder to receive from the stock
j.u.l.SocketHandler, or you could configure Tomcat to use
slf4j/logback and its syslog appender.  This will not be simple but it
will be quite adaptable.  You should probably look at simpler methods
first.

>     Is there any way to configure tomcat to be able to write to the
> access log file, but have the file owned by root with permissions 600?
> I understand that this is done by starting the tomcat process as root
> and then dropping privileges using setuid() , but was unable to find
> something already built / well documented.

That is what the Commons Daemon tool (jsvc) is for.  That should be a
lot simpler.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Mime
View raw message