Posted to users@tomcat.apache.org by Jimmy Spam <sp...@pobladores.com> on 2010/03/10 10:18:23 UTC
Apps deployed with tomcat manager: No +w to group.Why?
Please excuse my poor English.
When I deploy a Java app (.war file) with Tomcat Manager, it creates
the folder of this app inside webapps with user: tomcat, group:
tomcat and permissions 750. I need to have, at least, write privilege
for the group (770), since some users of my system (which are inside
the tomcat group) need to be able to modify files of the apps.
Can I change this behavior?
Thank you very much
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Apps deployed with tomcat manager: No +w to group.Why?
Posted by Peter Crowther <pe...@melandra.com>.
On 10 March 2010 10:51, André Warnier <aw...@ice-sa.com> wrote:
> Jimmy Spam wrote:
>
>>
>> Please excuse my poor English.
>>
> It sounds fine.
>
>>
>> When I deploy a Java app (.war file) with Tomcat Manager, it creates the
>> folder of this app inside webapps with user: tomcat, group: tomcat and
>> permissions 750. I need to have, at least, write privilege for the group
>> (770), since some users of my system (which are inside the tomcat group)
>> need to be able to modify files of the apps.
>>
>> Can I change this behavior?
>>
> Hi.
>
> Maybe not directly in Tomcat (although since it is open-source, you could
> modify the Manager application yourself).
>

Check the umask at the instant Tomcat starts. If you're starting it as a
service, it may well be starting with umask 027. You should be able to
override that in the startup script and start Tomcat with umask 007 -
although this would cause *any* file Tomcat writes to be group-writable.
I can't think of a way of doing this on a per-webapp basis.
- Peter
Re: Apps deployed with tomcat manager: No +w to group.Why?
Posted by André Warnier <aw...@ice-sa.com>.
Jimmy Spam wrote:
>
> Please excuse my poor English.
It sounds fine.
>
> When I deploy a Java app (.war file) with Tomcat Manager, it creates the
> folder of this app inside webapps with user: tomcat, group: tomcat
> and permissions 750. I need to have, at least, write privilege for the
> group (770), since some users of my system (which are inside the tomcat
> group) need to be able to modify files of the apps.
>
> Can I change this behavior?
>
Hi.
Maybe not directly in Tomcat (although since it is open-source, you
could modify the Manager application yourself).
But if you are under Linux, and the filesystem where Tomcat resides
allows it (supports ACL), there is another way (ACL): look up the commands
setfacl, getfacl etc.
The point is: you can set permissions for the webapps
directory/subdirectory, which will override what the Manager says.
Be prepared: these commands are a bit hard to understand; but they work.
Make sure that you understand the security implications of what you are
doing, and make sure the Manager itself is well-protected. It has been
used in the past for attacks, to upload applications which in turn act
as Trojans e.g.
Also, in the above, the logic itself of your requirement does raise some
doubts: apparently thus, you deploy an application from a .war file
through the Manager. This generates (explodes) a series of directories
and files under tomcat/webapps.
And then, you allow some people to go and modify these files directly.
You probably know what you are doing, but as a general mechanism that
does not sound like a very safe/consistent thing to do. For example, it
means that if someone modifies a file, and then the application is
redeployed using the Manager, the changes are lost.
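
The two suggestions in this thread side by side, as an added example that is not part of either reply: the first function shows what a process umask of 027 versus 007 does to newly created directories and files, and the second applies the per-directory ACL alternative with setfacl. The function names, the webapp path and the group in the commented-out call are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not taken from the thread or from Tomcat's scripts.

# Print the permission string of an entry created under a given umask.
# $1 = umask, $2 = "dir" or "file". Runs in a subshell so the caller's
# umask is left untouched.
mode_under_umask() {
    (
        umask "$1"
        tmp=$(mktemp -d) || exit 1
        if [ "$2" = file ]; then
            : > "$tmp/x"          # requested mode 0666, minus umask bits
        else
            mkdir "$tmp/x"        # requested mode 0777, minus umask bits
        fi
        ls -ld "$tmp/x" | cut -c1-10
        rm -rf "$tmp"
    )
}

# Per-directory alternative: give GROUP rwX on everything under DIR now (-m),
# and set a default ACL (-d) that new entries inherit. On Linux, when the
# parent directory has a default ACL, the umask is not applied to new entries.
# $1 = directory, $2 = group
grant_group_write() {
    command -v setfacl >/dev/null 2>&1 || {
        echo "setfacl not installed" >&2
        return 1
    }
    setfacl -R -m "g:$2:rwX" "$1" &&
    setfacl -R -d -m "g:$2:rwX" "$1" &&
    getfacl "$1"
}

# Show the 750/640 versus 770/660 outcome discussed above.
for m in 027 007; do
    printf 'umask %s: dir %s  file %s\n' "$m" \
        "$(mode_under_umask "$m" dir)" "$(mode_under_umask "$m" file)"
done

# Constructed path and group; uncomment to apply on a filesystem with ACL support.
# grant_group_write /path/to/webapps/myapp tomcat
```

The umask change affects every file the server process writes, while the ACL is scoped to one directory tree, so the ACL is the narrower grant of the two.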