tomcat-users mailing list archives

From Andres Riancho
Subject Tomcat log files - Strict permissions - setuid
Date Thu, 03 Dec 2015 13:42:40 GMT

    I'm trying to secure my tomcat instances. One of the steps I took
was to run the tomcat process using the non-privileged "tomcat" user,
and set the file system permissions as restrictive as possible. It all
works well, but there is something missing: "The tomcat user is able
to read the access log files":

root@7083cdc8e2fc:/apps/tomcat/logs# ls -la
-rw-rw----  1 tomcat tomcat    0 Dec  1 19:46

    Is there any way to configure tomcat to be able to write to the
access log file, but have the file owned by root with permissions 600?
I understand that this is done by starting the tomcat process as root
and then dropping privileges using setuid(), but was unable to find
something already built / well documented.


Andrés Riancho
Project Leader at w3af -
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
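
The approach the message describes (open the log as root, then drop privileges with setuid()), shown as an added C example that is not part of the original message and is not Tomcat code. The function names and the command-line arguments are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open (or create) the log for appending with mode 0600. When this runs as
 * root the file is root-owned and no other account can open it by path. */
int open_private_log(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) != 0) {    /* tighten a pre-existing, looser file */
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently switch to uid/gid. Order matters: supplementary groups and the
 * gid have to change while the process still holds root's privileges. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)                   /* "dropping" to root is not a drop */
        return -1;
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0; /* root must not be regainable */
}

int main(int argc, char **argv)
{
    /* Hypothetical invocation, started as root: ./droplog <logfile> <uid> <gid> */
    if (argc != 4) { fprintf(stderr, "usage: %s logfile uid gid\n", argv[0]); return 2; }
    int fd = open_private_log(argv[1]);
    if (fd < 0) { perror("open"); return 1; }
    if (drop_privileges((uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
        fprintf(stderr, "privilege drop failed\n");
        return 1;
    }
    dprintf(fd, "written as uid %d\n", (int)getuid()); /* inherited fd still works */
    printf("reopen by path: %s\n", open(argv[1], O_RDONLY) < 0 ? "denied" : "allowed");
    return 0;
}
```

Only descriptors opened before the drop stay usable, so a log file that has to be created later (for example on rotation) cannot be opened by the unprivileged process.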
