tomcat-users mailing list archives

From Andres Riancho <andres.rian...@gmail.com>
Subject Tomcat log files - Strict permissions - setuid
Date Thu, 03 Dec 2015 13:42:40 GMT

List,

    I'm trying to secure my tomcat instances. One of the steps I took
was to run the tomcat process using the non-privileged "tomcat" user,
and set the file system permissions as restrictive as possible. It all
works well, but there is something missing: "The tomcat user is able
to read the access log files":

root@7083cdc8e2fc:/apps/tomcat/logs# ls -la
...
-rw-rw----  1 tomcat tomcat    0 Dec  1 19:46 0.0.0.0_access_log.2015-12-01.txt

    Is there any way to configure tomcat to be able to write to the
access log file, but have the file owned by root with permissions 600?
I understand that this is done by starting the tomcat process as root
and then dropping privileges using setuid(), but was unable to find
something already built / well documented.

    Ideas?

Regards,
-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
