Posted to users@tomcat.apache.org by Jimmy Spam <sp...@pobladores.com> on 2010/03/10 10:18:23 UTC

Apps deployed with tomcat manager: No +w to group. Why?

Please excuse my poor English.

When I deploy a Java app (.war file) with Tomcat Manager, it creates
the folder of this app inside webapps with user: tomcat, group:
tomcat and permissions 750. I need at least write privilege
for the group (770), since some users of my system (which are in the
tomcat group) need to be able to modify files of the apps.

Can I change this behavior?

Thank you very much




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Apps deployed with tomcat manager: No +w to group. Why?

Posted by Peter Crowther <pe...@melandra.com>.
On 10 March 2010 10:51, André Warnier <aw...@ice-sa.com> wrote:

> Jimmy Spam wrote:
>
>>
>> Please excuse my poor English.
>>
> It sounds fine.
>
>>
>> When I deploy a Java app (.war file) with Tomcat Manager, it creates the
>> folder of this app inside webapps with user: tomcat, group: tomcat and
>> permissions 750. I need at least write privilege for the group (770),
>> since some users of my system (which are in the tomcat group) need to be
>> able to modify files of the apps.
>>
>> Can I change this behavior?
>>
> Hi.
>
> Maybe not directly in Tomcat (although since it is open-source, you could
> modify the Manager application yourself).

Check the umask at the instant Tomcat starts.  If you're starting it as a
service, it may well be starting with umask 027.  You should be able to
override that in the startup script and start Tomcat with umask 007 -
although this would cause *any* file Tomcat writes to be group-writable.

I can't think of a way of doing this on a per-webapp basis.

- Peter

Re: Apps deployed with tomcat manager: No +w to group. Why?

Posted by André Warnier <aw...@ice-sa.com>.
Jimmy Spam wrote:
> 
> Please excuse my poor English.
It sounds fine.
> 
> When I deploy a Java app (.war file) with Tomcat Manager, it creates the
> folder of this app inside webapps with user: tomcat, group: tomcat
> and permissions 750. I need at least write privilege for the group
> (770), since some users of my system (which are in the tomcat group)
> need to be able to modify files of the apps.
> 
> Can I change this behavior?
> 
Hi.

Maybe not directly in Tomcat (although since it is open-source, you 
could modify the Manager application yourself).

But if you are under Linux, and the filesystem where Tomcat resides 
allows it (supports ACL), there is another way (ACL): look up the commands
setfacl, getfacl, etc.
The point is: you can set permissions for the webapps 
directory/subdirectory, which will override what the Manager says.
Be prepared: these commands are a bit hard to understand, but they work.

Make sure that you understand the security implications of what you are 
doing, and make sure the Manager itself is well-protected.  It has been 
used in the past for attacks, to upload applications which in turn act 
as Trojans e.g.

Also, in the above, the logic itself of your requirement does raise some 
doubts: apparently thus, you deploy an application from a .war file 
through the Manager. This generates (explodes) a series of directories 
and files under tomcat/webapps.
And then, you allow some people to go and modify these files directly.
You probably know what you are doing, but as a general mechanism that 
does not sound like a very safe/consistent thing to do. For example, it 
means that if someone modifies a file, and then the application is 
redeployed using the Manager, the changes are lost.
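
Added example, not part of the original thread and not Tomcat's own code: a shell script that reproduces the two options discussed above, Peter's umask override and André's ACL suggestion. It works only in throwaway temp directories; the ACL entry g::rwx (owning group) and the function names are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example: the process umask decides the mode of everything a process
# (Tomcat included) creates; a default ACL on the parent directory can
# override that for one directory tree only.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a directory or file under the given umask and print its mode.
# mkdir requests 0777 and the redirect requests 0666; umask strips bits.
# usage: mode_under_umask MASK dir|file
mode_under_umask() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        if [ "$2" = dir ]; then mkdir "$tmp/app"; else : > "$tmp/app"; fi
        mode_of "$tmp/app"
        rm -rf "$tmp"
    )
}

# Same mkdir under the restrictive umask 027, but inside a parent that has a
# default ACL giving the owning group rwx (assumed entry for this demo).
# Prints "unsupported" if setfacl is missing or the filesystem lacks ACLs.
mode_with_default_acl() {
    (
        command -v setfacl >/dev/null 2>&1 || { echo unsupported; exit 0; }
        tmp=$(mktemp -d) || exit 1
        if setfacl -d -m g::rwx "$tmp" 2>/dev/null; then
            umask 027
            mkdir "$tmp/app"
            mode_of "$tmp/app"
        else
            echo unsupported
        fi
        rm -rf "$tmp"
    )
}

# umask 027 gives the 750 reported in the thread; 007 gives 770, but for
# every file and directory the process writes, not just one webapp.
echo "umask 027: dir $(mode_under_umask 027 dir), file $(mode_under_umask 027 file)"
echo "umask 007: dir $(mode_under_umask 007 dir), file $(mode_under_umask 007 file)"
echo "umask 027 + default ACL: dir $(mode_with_default_acl)"
```

The default ACL is inherited by new subdirectories, so the group-write grant stays confined to that tree while the rest of what the process writes keeps the restrictive umask.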

