Posted to users@tomcat.apache.org by Chris Wise <ja...@gmail.com> on 2013/12/17 01:04:17 UTC

Setting log file permissions upon creation?

Hi,

I’m wondering if there is a way to force Tomcat to set permissions on log
files when they’re created?  It seems as though this would be something
defined in the logging.properties file, but it doesn’t seem like it’s an
option.

I want the permissions of all log files created (on server startup/log
rollover) to be 640.  The only way I can think of doing this is either
adding the command to the startup script, or by running a cron job every
hour or so.  However, if there is a way to make sure the log files are
never more permissive than 640, that would be greatly preferable.

Thank you,

Chris

Re: Setting log file permissions upon creation?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 12/17/13, 11:29 AM, Mark Eggers wrote:
> There are not a lot of files that Tomcat creates.
> 
> 1. log files, as we have been discussing
> 2. PID file - if enabled, and that depends on where you write it
> 3. serialized sessions
> 4. JSP files - generate a .java file and the corresponding class
> 5. looks like some Maven stuff may get unpacked in the work directory

Tomcat does not use Maven for anything, so I think #5 may be
environment-specific.

6. For servlet-3.0-style uploads, Tomcat will write uploaded files
temporarily to the disk (in the work/ directory?) once they exceed the
configured maximum threshold.

OP might want to read the man page for "sticky" which documents the
"sticky bit" for directories.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Setting log file permissions upon creation?

Posted by Mark Eggers <it...@yahoo.com>.
On 12/17/2013 4:39 AM, Chris Wise wrote:
> On Mon, Dec 16, 2013 at 10:25 PM, Mark Eggers <it...@yahoo.com> wrote:
>
>> Inline response:
>>
>> This is true, but shouldn't be a problem.
>>
>> If you're running on a system that has ACL, then you could try the
>> following:
>>
>> cd $CATALINA_BASE
>> setfacl -n -d -m u::rwx,g::rx,o::- logs
>>
>> Read the setfacl / getfacl manual pages for more info.
>>
>> To restore (remove the access control lists), run the following:
>>
>> cd $CATALINA_BASE
>> setfacl -b logs
>>
>>
>> . . . just my two cents
>> /mde/
>>
>>
> Hey Mark,
>
> So the ACL option is a no-go.  I'm willing to try your earlier suggestion
> of the setenv.sh script, however I'm not sure what files Tomcat creates
> other than log files and PID files that creating this script would affect.
> Do you have any insight into that?
>
> Appreciate all the help!
>
> Chris
>
Chris,

There are not a lot of files that Tomcat creates.

1. log files, as we have been discussing
2. PID file - if enabled, and that depends on where you write it
3. serialized sessions
4. JSP files - generate a .java file and the corresponding class
5. looks like some Maven stuff may get unpacked in the work directory

I believe the serialized sessions go in java.io.tmpdir, which is 
normally set to $CATALINA_BASE/temp. The JSP files (.jsp, .java, .class) 
end up in $CATALINA_BASE/work/[Engine]/[Host], where [Engine] and [Host] 
are from the Engine and Host elements in your server.xml.

This leaves out the biggest offender of them all - applications. An 
application could write files out to specified directories (think file 
uploading) which then get processed by other external applications. If 
you do this, then potentially any external application will no longer be 
able to manipulate those files.

Only you know your applications, so testing is obviously in order here.

You haven't said much about your environment, so I don't know what other 
impact this will cause.

Did you install Tomcat from tomcat.apache.org, or from a distribution? 
If you installed Tomcat from a distribution repackaging, components get 
scattered everywhere, and the umask trick may cause some problems.

Are you running on an ext3 or ext4 file system? For an ext3-based 
system, you can remount a file system to enable ACL. ACL is enabled by 
default on ext4. Of course if you're running on a cloud platform, you 
may have less control over this.

. . . just my two cents.
/mde/



Re: Setting log file permissions upon creation?

Posted by Chris Wise <ja...@gmail.com>.
On Mon, Dec 16, 2013 at 10:25 PM, Mark Eggers <it...@yahoo.com> wrote:

> Inline response:
>
> This is true, but shouldn't be a problem.
>
> If you're running on a system that has ACL, then you could try the
> following:
>
> cd $CATALINA_BASE
> setfacl -n -d -m u::rwx,g::rx,o::- logs
>
> Read the setfacl / getfacl manual pages for more info.
>
> To restore (remove the access control lists), run the following:
>
> cd $CATALINA_BASE
> setfacl -b logs
>
>
> . . . just my two cents
> /mde/
>
>
Hey Mark,

So the ACL option is a no-go.  I'm willing to try your earlier suggestion
of the setenv.sh script, however I'm not sure what files Tomcat creates
other than log files and PID files that creating this script would affect.
Do you have any insight into that?

Appreciate all the help!

Chris

Re: Setting log file permissions upon creation?

Posted by Mark Eggers <it...@yahoo.com>.
Inline response:

On 12/16/2013 6:06 PM, Chris Wise wrote:
> Hey Mark,
>
> Thanks for the response :)
>
> Just a quick question - won't this make ALL files Tomcat creates the same
> permissive...ness?  Instead of just the log files?

This is true, but shouldn't be a problem.

If you're running on a system that has ACL, then you could try the 
following:

cd $CATALINA_BASE
setfacl -n -d -m u::rwx,g::rx,o::- logs

Read the setfacl / getfacl manual pages for more info.

To restore (remove the access control lists), run the following:

cd $CATALINA_BASE
setfacl -b logs

. . . just my two cents
/mde/

>
> Thanks again!
>
>
> On Mon, Dec 16, 2013 at 7:25 PM, Mark Eggers <it...@yahoo.com> wrote:
>
>> On 12/16/2013 4:04 PM, Chris Wise wrote:
>>
>>> Hi,
>>>
>>>
>>>
>>> I’m wondering if there is a way to force Tomcat to set permissions on log
>>> files when they’re created?  It seems as though this would be something
>>> defined in the logging.properties file, but it doesn’t seem like it’s an
>>> option.
>>>
>>>
>>>
>>> I want the permissions of all log files created (on server startup/log
>>> rollover) to be 640.  The only way I can think of doing this is either
>>> adding the command to the startup script, or by running a cron job every
>>> hour or so.  However, if there is a way to make sure the log files are
>>> never more permissive than 640, that would be greatly preferable.
>>>
>>>
>>>
>>> Thank you,
>>>
>>>
>>> Chris
>>>
>>>
>> 1. Create a setenv.sh file in $CATALINA_BASE/bin.
>> 2. Add the following:
>>
>> #!/bin/bash
>> umask 0026
>>
>> Seems to work for me - quickly tested on Fedora 19, Tomcat 7.0.42, JRE
>> 1.7.0_45.
>>
>> . . . just my two cents
>> /mde/


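As an added example (not from the thread, and not Tomcat's own code), here is Mark's default-ACL command applied to a scratch directory standing in for $CATALINA_BASE/logs, followed by a check that a file created inside it comes out as 640 even when the creating process runs with a wide-open umask. The scratch directory, the file name, the 77 "not available" return code and the BSD stat fallback are my assumptions; the setfacl line itself is the one from the thread, unchanged. It needs setfacl on an ACL-enabled filesystem.

```shell
#!/bin/sh
# Added example: default ACL on a log directory, with a scratch directory
# (assumption) in place of $CATALINA_BASE/logs.

# Print the octal mode of a path (GNU stat first, BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Apply the thread's default ACL to DIR: new files inherit u=rw,g=r,o=-
# (a file is requested with 0666, and the ACL caps each class).
set_log_dir_acl() {
    setfacl -n -d -m u::rwx,g::rx,o::- "$1"
}

# Create a file in a directory carrying that default ACL while the umask is
# 0000, and print the resulting mode. Because a default ACL exists, the umask
# is ignored and the ACL decides, so the expected mode is 640.
# Returns 77 when setfacl is missing or the filesystem refuses ACLs.
mode_with_default_acl() {
    command -v setfacl >/dev/null 2>&1 || return 77
    dir=$(mktemp -d)
    if ! set_log_dir_acl "$dir" 2>/dev/null; then
        rm -rf "$dir"
        return 77
    fi
    ( umask 0000; : > "$dir/localhost_access_log.txt" )   # constructed name
    mode_of "$dir/localhost_access_log.txt"
    rm -rf "$dir"
}

# Stand-alone demo.
mode_with_default_acl || echo "ACL tooling or ACL-enabled filesystem not available"
```

The point the demo makes is the one Mark's reply relies on: the ACL is attached to the directory, so it only affects files created there, unlike a umask in setenv.sh, which applies to everything the JVM creates.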


Re: Setting log file permissions upon creation?

Posted by Chris Wise <ja...@gmail.com>.
Hey Mark,

Thanks for the response :)

Just a quick question - won't this make ALL files Tomcat creates the same
permissive...ness?  Instead of just the log files?

Thanks again!


On Mon, Dec 16, 2013 at 7:25 PM, Mark Eggers <it...@yahoo.com> wrote:

> On 12/16/2013 4:04 PM, Chris Wise wrote:
>
>> Hi,
>>
>>
>>
>> I’m wondering if there is a way to force Tomcat to set permissions on log
>> files when they’re created?  It seems as though this would be something
>> defined in the logging.properties file, but it doesn’t seem like it’s an
>> option.
>>
>>
>>
>> I want the permissions of all log files created (on server startup/log
>> rollover) to be 640.  The only way I can think of doing this is either
>> adding the command to the startup script, or by running a cron job every
>> hour or so.  However, if there is a way to make sure the log files are
>> never more permissive than 640, that would be greatly preferable.
>>
>>
>>
>> Thank you,
>>
>>
>> Chris
>>
>>
> 1. Create a setenv.sh file in $CATALINA_BASE/bin.
> 2. Add the following:
>
> #!/bin/bash
> umask 0026
>
> Seems to work for me - quickly tested on Fedora 19, Tomcat 7.0.42, JRE
> 1.7.0_45.
>
> . . . just my two cents
> /mde/
>

Re: Setting log file permissions upon creation?

Posted by Mark Eggers <it...@yahoo.com>.
On 12/16/2013 4:04 PM, Chris Wise wrote:
> Hi,
>
>
>
> I’m wondering if there is a way to force Tomcat to set permissions on log
> files when they’re created?  It seems as though this would be something
> defined in the logging.properties file, but it doesn’t seem like it’s an
> option.
>
>
>
> I want the permissions of all log files created (on server startup/log
> rollover) to be 640.  The only way I can think of doing this is either
> adding the command to the startup script, or by running a cron job every
> hour or so.  However, if there is a way to make sure the log files are
> never more permissive than 640, that would be greatly preferable.
>
>
>
> Thank you,
>
>
> Chris
>

1. Create a setenv.sh file in $CATALINA_BASE/bin.
2. Add the following:

#!/bin/bash
umask 0026

Seems to work for me - quickly tested on Fedora 19, Tomcat 7.0.42, JRE 
1.7.0_45.

. . . just my two cents
/mde/

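As an added example (not from the thread, and not Tomcat's own code), this shows what Mark's `umask 0026` does to a file and a directory a process creates, and adds the audit Chris asked for: listing anything under a directory that is looser than 640. The scratch directory, the file names, the GNU `find -perm /mode` syntax and the BSD stat fallback are my assumptions.

```shell
#!/bin/sh
# Added example: effect of umask 0026 on newly created files and directories,
# plus an audit for files looser than 640. Uses a scratch directory
# (assumption), not $CATALINA_BASE.

# Print the octal mode of a path (GNU stat first, BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a file the way a logger does (open with 0666) and a directory
# (mkdir with 0777) under the given umask; print "<file mode> <dir mode>".
# With 0026: 0666 & ~0026 = 0640 and 0777 & ~0026 = 0751.
modes_under_umask() {
    mask="$1"
    dir=$(mktemp -d)
    (
        umask "$mask"
        : > "$dir/catalina.out"      # shell redirection requests 0666
        mkdir "$dir/work"            # mkdir requests 0777
    )
    printf '%s %s\n' "$(mode_of "$dir/catalina.out")" "$(mode_of "$dir/work")"
    rm -rf "$dir"
}

# List regular files under DIR that grant anything to "other" or write/execute
# to "group", i.e. anything more permissive than 640. -perm /026 matches when
# any of those bits is set (GNU find; BSD find spells it -perm +026).
too_permissive() {
    find "$1" -type f -perm /026 | sort
}

# Stand-alone demo.
printf 'umask 0026 -> file/dir modes: %s\n' "$(modes_under_umask 0026)"
```

The second function is the part to keep: run it over the logs directory after a restart or rollover to confirm that the umask really reached the JVM (setenv.sh is sourced by catalina.sh, so a umask set there is inherited by the java process).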