Subject: Re: tomat8.5 write logs with incorret os permission
To: users@tomcat.apache.org
From: André Warnier (tomcat)
Message-ID: <57A4776D.50806@ice-sa.com>
Date: Fri, 5 Aug 2016 13:24:29 +0200

Hi.

On 05.08.2016 08:00, ² wrote:
>> Definitely a bad idea to relax the default permissions back to where they were. If you want to expose your own system to abuse, you can set umask as documented in the changelog.
> Is there a way to, like, config some param to force Tomcat to write logs in the old way? And could you please give me a doc URL about how to set umask for the Tomcat run user?
>

You might want to start here: http://lmgtfy.com/?q=linux+umask+command

Then, you may need to find out which command or shell script, *on your Linux system*, is starting Tomcat, and insert the desired umask command there.

But please consider the remarks made previously by Chuck. Logfiles may contain information which you do not want to disclose to other than a system administrator. By making these files widely readable, you weaken the security of your whole server and perhaps much more.
Be aware also, that by setting the umask for the Tomcat process, you are influencing the permissions of *any* file which Tomcat itself, or any Tomcat webapp would create.

> ------------------ Original ------------------
> From: "Caldarale, Charles R";
> Date: 2016-8-5 12:25
> To: "Tomcat Users List";
> Subject: RE: tomat8.5 write logs with incorret os permission
>
>> From: ² [mailto:jiucai@qq.com]
>> Subject: tomat8.5 write logs with incorret os permission
>
>> When using tomcat8.0, it starts and writes logs as follows:
>> (apache-tomcat-8.0.x) -rw-rw-r-- 1 app app 873710 Aug 4 20:08 catalina.log
>> When using tomcat8.5.x (including tomcat 9.0.x), it starts and writes logs as follows:
>> (apache-tomcat-8.5.4) -rw-r----- 1 app app 100824 Aug 4 20:10 catalina.log
>
> A highly appropriate change, much needed to prevent untrusted users from accessing private information in the log.
>
>> So, tomcat8.5 caused other OS users to be unable to read its logs and the logs of webapps deployed
>> on tomcat8.5. The log files should have permission 664, not 640.
>
> Definitely not a good idea.
>
>> I think it is not good for Java webapp developers: when my web app writes logs as
>> data logs, the log files cannot be rsynced by other users and hosts.
>
> As it should be.
>
>> but it works at tomcat7.0.x and tomcat8.0.x
>
> "Works" is your definition; any site interested at all in secure operations would consider the old permissions to be dangerous and broken.
>
>> So I asked users to require further support for the tomcat8.x write log files feature.
>
> Definitely a bad idea to relax the default permissions back to where they were. If you want to expose your own system to abuse, you can set umask as documented in the changelog.
>
> - Chuck
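
Added example (not part of the original e-mails): a shell sketch of the point made in the reply above, that a umask applies to every file the process creates, not only to its logs. The umask values 0027 and 0002 are chosen because they yield the 640 and 664 modes quoted in the thread; the directory layout and file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo, not Tomcat's own start script.

# write_as_tomcat UMASK DIR
# Create a log file and a non-log file the way a process started with that
# umask would. Runs in a subshell so the caller's umask is left untouched.
write_as_tomcat() {
    (
        umask "$1" || exit 1
        mkdir -p "$2/logs" "$2/work"
        : > "$2/logs/catalina.log"
        : > "$2/work/session.ser"   # hypothetical file written by a webapp
    )
}

# mode_of FILE: permission string as ls -l prints it, e.g. -rw-r-----
mode_of() {
    ls -l "$1" | cut -c1-10
}

# world_readable DIR: regular files that any local user may read
world_readable() {
    find "$1" -type f -perm -004 | sort
}

demo() {
    base=$(mktemp -d) || return 1
    write_as_tomcat 0027 "$base/default"   # gives the 640 mode from the thread
    write_as_tomcat 0002 "$base/relaxed"   # gives the 664 mode from the thread
    for f in default/logs/catalina.log relaxed/logs/catalina.log \
             relaxed/work/session.ser; do
        printf '%s  %s\n' "$(mode_of "$base/$f")" "$f"
    done
    echo "world-readable files under 0027:"
    world_readable "$base/default"
    echo "world-readable files under 0002:"
    world_readable "$base/relaxed"
    rm -rf "$base"
}

demo
```

Running `world_readable` against a real log or work directory is a quick audit after any umask change in the start script.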