Posted to users@tomcat.apache.org by Jürgen Weber <ju...@jwi.de> on 2020/06/26 07:21:33 UTC

jsvc - non root - log as root

Hi,

when you run tomcat with jsvc and have jsvc drop privileges to a
different user, stdout and stderr log files are still created with
root as owner.
Can you make jsvc create them as the -user ?

weberjn@beo:~/apache-tomcat-9.0.36/logs$ ll
total 20
-rw------- 1 weberjn weberjn 4630 Jun 26 08:28 catalina.2020-06-26.log
-rw------- 1 root    root    4630 Jun 26 08:28 catalina.err
-rw------- 1 root    root      28 Jun 26 08:28 catalina.out
-rw------- 1 weberjn weberjn    0 Jun 26 08:28 host-manager.2020-06-26.log
-rw------- 1 weberjn weberjn    0 Jun 26 08:28 localhost.2020-06-26.log
-rw------- 1 weberjn weberjn    0 Jun 26 08:28 localhost_access_log.2020-06-26.txt
-rw------- 1 weberjn weberjn    0 Jun 26 08:28 manager.2020-06-26.log

jsvc \
    -classpath $CATALINA_HOME/bin/bootstrap.jar:$CATALINA_HOME/bin/tomcat-juli.jar \
    -outfile $CATALINA_BASE/logs/catalina.out \
    -errfile $CATALINA_BASE/logs/catalina.err \
    -java-home /usr/lib/jvm/java-11-openjdk-amd64 \
    -user weberjn \
    -Dcatalina.home=$CATALINA_HOME \
    -Dcatalina.base=$CATALINA_BASE \
    -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
    -Djava.util.logging.config.file=$CATALINA_BASE/conf/logging.properties \
    org.apache.catalina.startup.Bootstrap

jsvc (Apache Commons Daemon) 1.2.3-dev

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: jsvc - non root - log as root

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark and Jürgen,

On 6/26/20 06:23, Mark Thomas wrote:
> On 26/06/2020 08:21, Jürgen Weber wrote:
>> Hi,
>>
>> when you run tomcat with jsvc and have jsvc drop privileges to a
>> different user, stdout and stderr log files are still created
>> with root as owner. Can you make jsvc create them as the -user ?
>
> I'm no C expert but my reading of
> https://github.com/apache/commons-daemon/blob/master/src/native/unix/native/jsvc-unix.c#L1039
> is no.

To be fair, jsvc *could* (be made to) do this, but that is not what
the current code looks like. Since the euid of the process when the
files are created is root (or elevated in some way), the ownership and
permissions of the file should be able to be set at that time before
privileges are dropped.

If these lines were to be added after 1071 (for stdout):

  if(chown(outfile, uid, gid)) {
    perror("chown");
    exit(1);
  }

Then the file could be owned by the unprivileged user/group. The uid
and gid are not currently available in the set_output function.

Hmm. If doreopen is true, then when trying to reopen the log files
(after dropping privileges), I think we'll get ENOACCESS. I don't use
jsvc so I haven't played around with it at all. I might be completely
wrong :)

-chris

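The sequence Chris sketches above (create the log while still root, set its ownership, then drop privileges so a later reopen works), written out as an added C example. This is not code from commons-daemon or from anyone in the thread; the function names are hypothetical, it assumes Linux/POSIX, and when run without arguments it exercises the same steps unprivileged on a temporary file using the caller's own uid/gid:

```c
/* Added example (not commons-daemon code; function names are hypothetical):
 * create the log file while still privileged, hand it to the service user,
 * then drop privileges and confirm the file can be reopened as that user. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating if needed) a log for append and chown the open descriptor.
 * fchown() on the fd, not chown() on the path, applies the ownership change
 * to the file actually opened even if the path is swapped in between. */
int open_log_owned_by(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fchown(fd, uid, gid) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently drop to uid:gid: supplementary groups (root only), then gid,
 * then uid; doing uid first would make the gid change impossible. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* After dropping to a non-root user, regaining root must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Privileged create + chown, write, drop, reopen, verify owner.
 * Returns 0 on success or a negative step number for the failing step. */
int demo_log_ownership(const char *path, uid_t uid, gid_t gid)
{
    static const char line[] = "startup line written while privileged\n"; /* constructed */
    struct stat st;
    int fd = open_log_owned_by(path, uid, gid);
    if (fd < 0)
        return -1;
    if (write(fd, line, sizeof line - 1) != (ssize_t)(sizeof line - 1)) {
        close(fd);
        return -2;
    }
    close(fd);
    if (drop_privileges(uid, gid) != 0)
        return -3;
    /* With a root-owned 0600 file this reopen is what fails with EACCES. */
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return -4;
    int ok = fstat(fd, &st) == 0 && st.st_uid == uid && st.st_gid == gid;
    close(fd);
    return ok ? 0 : -5;
}

/* Unprivileged self-test on a temp file using the caller's own ids. */
int run_demo_in_tmp(void)
{
    char path[] = "/tmp/logown_XXXXXX";
    int t = mkstemp(path);
    if (t < 0)
        return -100;
    close(t);
    int rc = demo_log_ownership(path, getuid(), getgid());
    unlink(path);
    return rc;
}

/* As root: ./logown /path/to/catalina.out tomcat (placeholder values); otherwise self-test. */
int main(int argc, char **argv)
{
    if (argc != 3)
        return run_demo_in_tmp() == 0 ? 0 : 1;
    struct passwd *pw = getpwnam(argv[2]);
    if (pw == NULL) {
        fprintf(stderr, "unknown user %s\n", argv[2]);
        return 1;
    }
    int rc = demo_log_ownership(argv[1], pw->pw_uid, pw->pw_gid);
    if (rc != 0)
        fprintf(stderr, "step %d failed: %s\n", -rc, strerror(errno));
    return rc == 0 ? 0 : 1;
}
```

Two details matter for a daemon doing this for real: chown the descriptor you already hold rather than the path, so the ownership change cannot land on a different file than the one you opened, and keep the mode at 0600 while adjusting the owner, since a umask option only changes permission bits, not which user owns the file.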


Re: jsvc - non root - log as root

Posted by Mark Thomas <ma...@apache.org>.
On 26/06/2020 08:21, Jürgen Weber wrote:
> Hi,
> 
> when you run tomcat with jsvc and have jsvc drop privileges to a
> different user, stdout and stderr log files are still created with
> root as owner.
> Can you make jsvc create them as the -user ?

I'm no C expert but my reading of
https://github.com/apache/commons-daemon/blob/master/src/native/unix/native/jsvc-unix.c#L1039
is no.

Mark



Re: jsvc - non root - log as root

Posted by Jürgen Weber <ju...@jwi.de>.
jsvc has a umask option, so the log files can be made readable for the user.
It is just a question of aesthetics; root-owned files in user
directories are smelly.

Juergen

Am Sa., 27. Juni 2020 um 11:38 Uhr schrieb Michael Osipov <mi...@apache.org>:
>
> Am 2020-06-26 um 09:21 schrieb Jürgen Weber:
> > Hi,
> >
> > when you run tomcat with jsvc and have jsvc drop privileges to a
> > different user, stdout and stderr log files are still created with
> > root as owner.
> > Can you make jsvc create them as the -user ?
>
> What is your actual problem with that?
>
> I have talked about this to Mark two years ago. I think this is
> logically not that easy. jsvc needs to start as root to bind privileged
> ports, it inits Tomcat, then downgrades and starts the rest of the
> container. While it is in init state stdout/stderr need to be opened
> already.
>
> If you have a problem with log rotation, I use newsyslogd for that
> which does send SIGUSR1 and works flawlessly. You may use similar tools.
>
> M



Re: jsvc - non root - log as root

Posted by Michael Osipov <mi...@apache.org>.
Am 2020-06-26 um 09:21 schrieb Jürgen Weber:
> Hi,
> 
> when you run tomcat with jsvc and have jsvc drop privileges to a
> different user, stdout and stderr log files are still created with
> root as owner.
> Can you make jsvc create them as the -user ?

What is your actual problem with that?

I have talked about this to Mark two years ago. I think this is 
logically not that easy. jsvc needs to start as root to bind privileged
ports, it inits Tomcat, then downgrades and starts the rest of the 
container. While it is in init state stdout/stderr need to be opened 
already.

If you have a problem with log rotation, I use newsyslogd for that
which does send SIGUSR1 and works flawlessly. You may use similar tools.

M