You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Gregor Schneider <rc...@googlemail.com> on 2010/11/30 19:31:22 UTC
New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Hi guys,
we had some issues due to a memory-leak here and used this opportunity
to upgrade our Tomcat from 5.5.20 to 5.5.31.
Here's our current environment:
tomcat@www2:~/local/tomcat55/bin$ ./version.sh
Using CATALINA_BASE: /home/tomcat/local/tomcat55
Using CATALINA_HOME: /home/tomcat/local/tomcat55
Using CATALINA_TMPDIR: /home/tomcat/local/tomcat55/temp
Using JRE_HOME: /home/tomcat/local/jdk15/
Using CLASSPATH: /home/tomcat/local/tomcat55/bin/bootstrap.jar
Server version: Apache Tomcat/5.5.31
Server built: Sep 4 2010 12:53:08
Server number: 5.5.31.0
OS Name: Linux
OS Version: 2.6.18-3-amd64
Architecture: amd64
JVM Version: 1.5.0_10-b03
JVM Vendor: Sun Microsystems Inc.
The interesting options inside our startup-script are
[ ...]
TOMCAT_USER=tomcat
[...]
echo "Starting tomcat"
$DAEMON_HOME/bin/jsvc \
-user $TOMCAT_USER \
-home $JAVA_HOME \
-Dcatalina.home=$CATALINA_HOME \
-Dcatalina.base=$CATALINA_BASE \
-Djava.io.tmpdir=$TMP_DIR \
-Dlog4j.configuration=log4j.xml \
-wait 10 \
-pidfile $PID_FILE \
-outfile $CATALINA_HOME/logs/catalina.out \
-errfile '&1' \
$JAVA_OPTS \
$CATALINA_OPTS \
-cp $CLASSPATH \
org.apache.catalina.startup.Bootstrap
exit $?
;;
What's really puzzling me, is, that since we upgraded Tomcat,
catalina.out is not owned by the user specified in $TOMCAT_USER any
more but is owned by root.
All other files are owned by $TOMCAT_USER as expected.
What did we change?
Well, in the old version, there was the archive "tomcat-native.tar.gz"
containing the sources for the native wrapper.
Now, with Tomcat 5.5.31, there's a new archive
"commons-daemon-native.tar.gz", which also contains the native wrapper
sources - however, the old one is also coming with the
5.5.31-distribution.
I couldn't find anything in the docs saying "we've changed the
native-wrapper-implementation - use the new one" or similar. So I
guessed that the old one might be depricated, so I used the sources
from "commons-daemon-native.tar.gz".
Works like charm, the only catch is, as described above, that
catalina.out now is owned by root. Before, said file was owned by
$TOMCAT_USER
This is really a PITA, since we don't want to grant root-access to the
Tomcat-developers.
Could somebody in this list please explain, either what I'm missing
here, and also, what's the difference between the two
native-wrapper-versions?
When checking for the jsvc-parameters with "./jsvc -help", I
recognized that the parameter "-user" didn't change.
I'm aware that I could patch the startup-script by inserting something
like "chown ${TOCMAT_USER} ${CATALINA_HOME}/logs/catalina.out",
however, to me this seems only like the 2nd best solution.
Any hints very much appreciated!
Cheers
Gregor
--
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
skype:rc46fi
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Posted by Justin Case <se...@yahoo.com>.
> From: Gregor Schneider <rc...@googlemail.com>
>
> I feel that ppl have a problem if they mistrust their developers in so
> far that they have to lock their box even to their own developers
> maintaing the apps. And I'm not talking about full access but I'm
> talking about browsing the logs.
>
> Besides, when having a production-problem, one can react quickly if
> the developer responsible for the app can read the logs.
>
> OTOH, some ppl might have no problems with outages and can wait for
> the logs being mailed / ftp'ed / whatsoever by the usally always busy
> server-admins...*sic*
I'm living in such an environment. One of the reasons for this separation is
fear of "quick fixes": production machines are not for testing patches - which
otherwise you can bet it would happen if anything beyond log reading would be
granted. But we have log reading allowed and everybody is happy - both paranoids
and genies.
JC
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Posted by Gregor Schneider <rc...@googlemail.com>.
Mladen,
On Thu, Dec 2, 2010 at 12:37 PM, Mladen Turk <mt...@apache.org> wrote:
> On 12/02/2010 12:05 PM, Gregor Schneider wrote:
>
> If your developers need to see the stdout of the Tomcat
> on the production server then you have a serious problem.
> The first one that I find (well funny) is that they can access
> the box at the first place.
>
I disagree: Why should that be a problem?
I feel that ppl have a problem if they mistrust their developers in so
far that they have to lock their box even to their own developers
maintaing the apps. And I'm not talking about full access but I'm
talking about browsing the logs.
Besides, when having a production-problem, one can react quickly if
the developer responsible for the app can read the logs.
OTOH, some ppl might have no problems with outages and can wait for
the logs being mailed / ftp'ed / whatsoever by the usally always busy
server-admins...*sic*
Cheers
Gregor
--
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
skype:rc46fi
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root
- WTF?
Posted by Mladen Turk <mt...@apache.org>.
On 12/02/2010 12:05 PM, Gregor Schneider wrote:
>
> Besides, all logs are owned by tomcat:tomcat (as it should be) - the
> only exception is catalina.out.
>
> I guess you agree that this is not what somebody would call
> "consistent" behaviour...
>
The catalina.out is written by a parent process running
under root user.
If your developers need to see the stdout of the Tomcat
on the production server then you have a serious problem.
The first one that I find (well funny) is that they can access
the box at the first place.
Regards
--
^TM
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Posted by Gregor Schneider <rc...@googlemail.com>.
Chris,
On Wed, Dec 1, 2010 at 10:10 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> I agree with Mladen: MySQL doesn't actually need root privileges for
> anything at all, so this is a good description of your desires, but not
> a really great example.
>
Tomcat doesn't root-privileges either in our situation.
We#re not even running on a privileged port (yet).
However, where planning to kick out Apache soon and will be running
our sites on Tomcat only - that's why we're already using jsvc (call
it kond of a test).
Still, our security-guidelines demand that Tomcat can only be started
/ stopped by either a user with root privileges or by a user having
those privileges via the sudo-command.
On the other hand, the devekopers responsible for their application
have to be able to read the logs.
Besides, all logs are owned by tomcat:tomcat (as it should be) - the
only exception is catalina.out.
I guess you agree that this is not what somebody would call
"consistent" behaviour...
> What does "directory is already umasked" mean? AFAIK, you can't umask a
> directory. Do you mean you're using sticky bits?
Sorry, my fault: Our general umask is set to 0022 - still, jsvc give
root-owbership to catalina.out
> Is it possible that if catalina.out already exists and is owned by, say,
> "tomcat", that it's ownership will be retained when jsvc opens it for
> append? If that's the case, you may have simply deleted the file during
> your upgrade and had it re-created by jsvc (owned by root) after the fact.
You picked the right thing here: When catalina.out is owned by
tomcat:tomcat, jsvc opens that file for append and doesn't change the
ownership.
I wouldn't bet my bottom penny on the possibility that with the
chowned catalina.out manually to tomcat:tomcat, but I'm quite sure
that the ownership was not changed by us before.
Unfortunately, I don't have the time to do a check on that one right now.
>
> Can you tell us what version of jsvc you were using in the past, and
> what version you're using now?
>
Before, we've been using an acrhive called "jsvc.tar.gz", browsing the
CHANGES.txt gives
======= [ snip ]=========
JAKARTA COMMONS DAEMON (UNIX) CHANGELOG:
Last modified at [$Date: 2005-05-17 10:03:57 +0200 (Tue, 17 May 2005) $]
Changes with 1.0.1
======= [ snap ]=========
Now, we're using an archive called "commons-daemon-native.tar.gz".
Browsing the file "RELEASE_NOTES.txt" gives
======= [ snip ]=========
$Id: RELEASE-NOTES.txt 915160 2010-02-23 03:32:02Z billbarker $
Commons Daemon Package
Version 1.0.2
======= [ snap ]=========
Since my workaround seems to be doing what we're expecting, I suggest
we call this case closed.
Thanks for your support!
Cheers
Gregor
--
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
skype:rc46fi
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root
- WTF?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Gregor,
On 12/1/2010 5:55 AM, Gregor Schneider wrote:
> And if you take a look into /var/logs, you can see exactly, that the
> logs inside this directory partly don't belong to root as long as they
> are not run within a root-context.
>
> A good example ist mysql:
>
> -rw-rw---- 1 mysql adm 344379 2009-09-30 12:13 mysql-full.log
I agree with Mladen: MySQL doesn't actually need root privileges for
anything at all, so this is a good description of your desires, but not
a really great example.
> For the rest, I'm completely with you, and the solutions you pointed
> out will work and already crossed my mind, except that the directory
> is alreday umasked to 0022, still, catalina.out gives
>
> -rw------- 1 root root 7395 2010-12-01 11:51 catalina.out
What does "directory is already umasked" mean? AFAIK, you can't umask a
directory. Do you mean you're using sticky bits?
> But what's really puzzling me - and for which I don't have any
> explanation - is, that with the old version of jsvc, catalina.out had
> ${TOMCAT_USER}-ownership (mind you: in the startup-script there's a
> "su ${TOMCAT-USER} before starting jsvc), and to me it seems that this
> has changed with the new version.
Is it possible that if catalina.out already exists and is owned by, say,
"tomcat", that it's ownership will be retained when jsvc opens it for
append? If that's the case, you may have simply deleted the file during
your upgrade and had it re-created by jsvc (owned by root) after the fact.
Can you tell us what version of jsvc you were using in the past, and
what version you're using now?
I can't seem to find a readable changelog on the commons-daemon site. :(
On the other hand, it looks like jsvc hasn't had any changes in years.
> Furthermore, I'd like to give you some insights of a "Real
> Life"-external-managed-services-root-server-installation within a big
> financial corperation:
>
> Here - and in quite some other companies I do know - it's common
> practice to host the servers externally, having managed services.
>
> Usually, this implies that you don't have root-access, simply for
> liability-reasons. However, only basic Tomcat-maintenance is done by
> the external hoster, and when deploying new webapps, our developers
> need to be able to read al logs.
>
> Therefore, such a behaviour as seen by the latest jsvc is making
> developer's life quite complicated.
>
> Anyhow, I guess I'll go for a chown inside the startup-script for now.
What happens if you do something like this in your startup script:
touch "$CATALINA_OUT"
jsvc -outfile "$CATALINA_OUT"
That ought to create "$CATALINA_OUT" using the current user's
permissions. I'll have to look at the code to see what jsvc tries to do
if the file exists. Or, I could just run it myself :)
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkz2uakACgkQ9CaO5/Lv0PB5lwCeK3ukeoTfh0prHMOfSGB1QqFo
rXQAn1hbFI2e9TY39DfTEWKugm2nVWXj
=SC9Y
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Posted by Wesley Acheson <we...@gmail.com>.
Can someone explain to me why logging as the tomcat user is a security risk?
I don't like that behaviour but then again I don't understand it.
Regards,
Wesley Acheson
On Wed, Dec 1, 2010 at 6:41 PM, Mladen Turk <mt...@apache.org> wrote:
> On 12/01/2010 11:55 AM, Gregor Schneider wrote:
>>>
>> Sure, since Apache is usually started within root-context ("sbin") -
>> so that does make sense.
>>
>
> Right but it drops the user to apache if instructed to do so.
> Even then logs are root owned, and this is security
> precaution (like with jsvc)
>
>>
>> And if you take a look into /var/logs, you can see exactly, that the
>> logs inside this directory partly don't belong to root as long as they
>> are not run within a root-context.
>>
>> A good example ist mysql:
>>
>
> This is not good example. mysql doesn't need to run
> on privileged port, and if your tomcat doesn't need to
> run on port 80, and you don't wish to secure your
> installation why using jsvc at the first place?
>
>
> Regards
> --
> ^TM
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root
- WTF?
Posted by Mladen Turk <mt...@apache.org>.
On 12/01/2010 11:55 AM, Gregor Schneider wrote:
>>
> Sure, since Apache is usually started within root-context ("sbin") -
> so that does make sense.
>
Right but it drops the user to apache if instructed to do so.
Even then logs are root owned, and this is security
precaution (like with jsvc)
>
> And if you take a look into /var/logs, you can see exactly, that the
> logs inside this directory partly don't belong to root as long as they
> are not run within a root-context.
>
> A good example ist mysql:
>
This is not good example. mysql doesn't need to run
on privileged port, and if your tomcat doesn't need to
run on port 80, and you don't wish to secure your
installation why using jsvc at the first place?
Regards
--
^TM
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root
- WTF?
Posted by André Warnier <aw...@ice-sa.com>.
Gregor Schneider wrote:
> Hi André,
>
> long time no see ;)
>
> On Wed, Dec 1, 2010 at 12:20 PM, André Warnier <aw...@ice-sa.com> wrote:
>> As far as I know, these startup scripts are created by the packagers of
>> Debian, RedHat etc.. when they wrap Tomcat in a platform-specific package.
>> /They/ are the ones who decide how they call up jsvc, where the logfiles go,
>> under what permissions etc..
>>
>
> That's actually not the case:
>
> The startaup-script for Tomcat native comes with the jscv-sources,
> meaning it's *not* some pre-packaged Debian-thing.
>
Ok, I did not know that, because (should I admit this here?) I /do/ use the pre-packaged
things.
And these pre-packaged things (sometimes) use another trick :
rm -rf "$CATALINA_BASE/logs/catalina.out"
mkfifo -m700 "$CATALINA_BASE/logs/catalina.out"
su -p -s /bin/sh $TOMCAT5_USER \
-c "$ROTATELOGS \"$CATALINA_BASE/logs/catalina_%F.log\" 86400" \
< "$CATALINA_BASE/logs/catalina.out" &
su -p -s /bin/sh $TOMCAT5_USER \
-c "\"$DAEMON\" start $STARTUP_OPTS" \
>> "$CATALINA_BASE/logs/catalina.out" 2>&1
So they start by making catalina.out a fifo (a named pipe ?), then arrange for rotatelogs
(from Apache httpd) to read from it and rotate it, then they have Tomcat write to it.
If you arrange for the last su to run jsvc instead of Tomcat directly, then it achieves
the same purpose as your trick. A bit more complex, but it does have rotation by
rotatelogs extra, with lots of options.
(Other versions direct this to SYSLOG).
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Posted by Gregor Schneider <rc...@googlemail.com>.
Hi André,
long time no see ;)
On Wed, Dec 1, 2010 at 12:20 PM, André Warnier <aw...@ice-sa.com> wrote:
>
> As far as I know, these startup scripts are created by the packagers of
> Debian, RedHat etc.. when they wrap Tomcat in a platform-specific package.
> /They/ are the ones who decide how they call up jsvc, where the logfiles go,
> under what permissions etc..
>
That's actually not the case:
The startaup-script for Tomcat native comes with the jscv-sources,
meaning it's *not* some pre-packaged Debian-thing.
However, I guess I know what's going on:
The script is started from user Tomcat via "sudo". One parameter for
jsvc is the parameter "user".
When invoking jsvc with "--help", is says:
----- [ cut] --------
-user <user>
user used to run the daemon (defaults to current user)
----- [ cut] --------
Seems somehow to work, since a
ps -aux | more | grep tomcat
gives
tomcat 29386 0.9 3.4 1651348 139244 ? Sl 16:31 0:25
jsvc.exec -user tomcat -home /home/tomcat/local/jdk15/
-Dcatalina.home=/home/tomcat/local/tomcat55/
-Dcatalina.base=/home/tomcat/local/tomcat55/ -Djava.io.tmpdir=/var/tmp
-Dlog4j.configuration=log4j.xml -wait 10 -pidfile /var/run/jsvc.pid
-outfile /home/tomcat/local/tomcat55//logs/catalina.out -errfile &1
-Xmx1024m -XX:PermSize=256m -XX:+DisableExplicitGC
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=/home/tomcat/local/tomcat55//conf/logging.properties
-Xdebug -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=n
-cp /home/tomcat/local/jdk15//lib/tools.jar:/home/tomcat/local/tomcat55//bin/commons-daemon.jar:/home/tomcat/local/tomcat55//bin/bootstrap.jar
org
So you can clearly see, that the process is started from user
"tomcat", although the startup-script is started in root-context (due
to the "sudo"-command).
jsvc is *not* forking a jvm, but wrapping it and starting it with it's
own user-context, although it's supposed to change the user-context
according to the help-text I've listed above.
And I would be so picky if it had the same behaviour with version
5.5.20, but in 5.5.20 catalina.out had tomcat-ownership.
So it seems, somebody changed something here, and I'm even too dumb to
find anything in the changelogs, which I wouldn't like at all, either
being a tomcat-user or a comitter...
For the time being, I put this little fix into the startup-script, but
still, I'm not too happy with this hack:
#
# workaround to prevent root-ownership for catalina.out
#
if [ ! -f $CATALINA_HOME/logs/catalina.out ]; then
touch $CATALINA_HOME/logs/catalina.out
chown $TOMCAT_USER $CATALINA_HOME/logs/catalina.out
else
OWNER=`ls -l $CATALINA_HOME/logs/catalina.out | grep $TOMCAT_USER`
if [ -z "$OWNER" ]; then
chown $TOMCAT_USER:$TOMCAT_USER $CATALINA_HOME/logs/catalina.out
fi
fi
#
# end workaround
#
Cheers!
Gregor
--
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
skype:rc46fi
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root
- WTF?
Posted by André Warnier <aw...@ice-sa.com>.
Gregor, (by the way, hi!)
>
> But what's really puzzling me - and for which I don't have any
> explanation - is, that with the old version of jsvc, catalina.out had
> ${TOMCAT_USER}-ownership (mind you: in the startup-script there's a
> "su ${TOMCAT-USER} before starting jsvc), and to me it seems that this
> has changed with the new version.
>
As far as I know, these startup scripts are created by the packagers of Debian, RedHat
etc.. when they wrap Tomcat in a platform-specific package.
/They/ are the ones who decide how they call up jsvc, where the logfiles go, under what
permissions etc..
There is no trace of jsvc in my (catalina_home)/bin/*.sh files.
And in general, these packaged Tomcats do not use these .sh scripts anyway, everything
happens in /etc/init.d/tomcat...
So maybe you should discuss this issue with the packagers for Debian, RedHat etc..
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Posted by Gregor Schneider <rc...@googlemail.com>.
Christopher,
On Tue, Nov 30, 2010 at 10:33 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> Apache httpd acts this way:
>
Sure, since Apache is usually started within root-context ("sbin") -
so that does make sense.
When talking about servers, I'm not talking about a webserver but a
server such as Debian, RedHat etc.
And if you take a look into /var/logs, you can see exactly, that the
logs inside this directory partly don't belong to root as long as they
are not run within a root-context.
A good example ist mysql:
-rw-rw---- 1 mysql adm 344379 2009-09-30 12:13 mysql-full.log
And this is exactly the way it should be.
For the rest, I'm completely with you, and the solutions you pointed
out will work and already crossed my mind, except that the directory
is alreday umasked to 0022, still, catalina.out gives
-rw------- 1 root root 7395 2010-12-01 11:51 catalina.out
Any hints on that?
But what's really puzzling me - and for which I don't have any
explanation - is, that with the old version of jsvc, catalina.out had
${TOMCAT_USER}-ownership (mind you: in the startup-script there's a
"su ${TOMCAT-USER} before starting jsvc), and to me it seems that this
has changed with the new version.
Furthermore, I'd like to give you some insights of a "Real
Life"-external-managed-services-root-server-installation within a big
financial coperation:
Here - and in quite some other companies I do know - it's common
practice to host the servers externally, having managed services.
Usually, this implies that you don't have root-access, simply for
liability-reasons. However, only basic Tomcat-maintenance is done by
the external hoster, and when deploying new webapps, our developers
need to be able to read al logs.
Therefore, such a behaviour as seen by the latest jsvc is making
developer's life quite complicated.
Anyhow, I guess I'll go for a chown inside the startup-script for now.
Thanks
Gregor
--
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
skype:rc46fi
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root
- WTF?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Gregor,
On 11/30/2010 4:18 PM, Gregor Schneider wrote:
> Mladen,
>
>> Believe it or not, this is intentional and correct behavior.
>> Almost any server behaves like that.
>
> thanks for sharing your views on this one, which I, however, do not share at
> all
>
> besides, no server behaves like you're stating:
Apache httpd acts this way:
$ ls -l /usr/sbin/apache2
- -rwxr-xr-x 1 root root 365308 Apr 19 2010 /usr/sbin/apache2
$ grep ErrorLog /etc/apache2/apache2.conf
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
ErrorLog /var/log/apache2/error.log
$ sudo ls -l /var/log/apache2/error.log
- -rw-r----- 1 root adm 16813 Nov 30 15:33 /var/log/apache2/error.log
Looks like root ownership to me.
> if an application is started in a non-root-context and producing any output
> such as log-files, those files usually are owned by the user in whose
> context the application is running.
Try running 'stat jsvc' and tell us who the "user context" should be?
> besides, superuser root can watch / edit those files anyway.
> and what sense should any generated output make, if the app-owner is not
> able to read those files, esp. when those files contain stuff such as
> logging-information?
> therefor, in my humble opinion, i'd consider such a behaviour as a bug
Patches are always welcome :)
How about something like a new option for jsvc "-outfilePriv
unprivileged|privileged" or something: that would indicate that the log
file should be opened either before or after root privileges are dropped.
Also, have you tried setting your umask before launching jsvc? You may
get a lot of mileage out of
umask 0022
jsvc ...
Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkz1bZ4ACgkQ9CaO5/Lv0PD4EQCgnwQzsIrgHe1E/QOxouZ0kyY4
R3UAoKoVj9KoMY/joXvIfHpUJ1D/1R8X
=ExC+
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Posted by Gregor Schneider <rc...@googlemail.com>.
Mladen,
Believe it or not, this is intentional and correct behavior.
Almost any server behaves like that.
thanks for sharing your views on this one, which I, however, do not share at
all
besides, no server behaves like you're stating:
if an application is started in a non-root-context and producing any output
such as log-files, those files usually are owned by the user in whose
context the application is running.
besides, superuser root can watch / edit those files anyway.
and what sense should any generated output make, if the app-owner is not
able fo read those files, esp. when those files contain stuff such as
logging-information?
therefor, in my humble oppinion, i'd consider such a behaviour as a bug
violating one of the essential patterns called "delegation".
so much for that, if you'd like to share any information, if this behaviour
within the native wrapper has been changed intentionally and if so, why it
has been changed, i'd really appreciate this. same goes for fhe possibility
if i misconfigured anything.
thanks & best regards
gregor
Re: New jsvc (commons-daemon-native); catalina.out is owned by root
- WTF?
Posted by Mladen Turk <mt...@apache.org>.
On 11/30/2010 07:31 PM, Gregor Schneider wrote:
> Hi guys,
>
> What's really puzzling me, is, that since we upgraded Tomcat,
> catalina.out is not owned by the user specified in $TOMCAT_USER any
> more but is owned by root.
>
Believe it or not, this is intentional and correct behavior.
Almost any server behaves like that.
If we could fork jvm, I'd make sure all log files are root:root.
> Could somebody in this list please explain, either what I'm missing
> here, and also, what's the difference between the two
> native-wrapper-versions?
>
Different naming.
Regards
--
^TM
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Posted by Gregor Schneider <rc...@googlemail.com>.
Konstantin,
On Tue, Nov 30, 2010 at 9:42 PM, Konstantin Kolinko
<kn...@gmail.com> wrote:
>
> The above one is tomcat-native, aka Tomcat-Apr,
> a library that provides code for Http11AprProtocol and AjpAprProtocol
> connectors.
>
> This one is commons-daemon, which gives you jsvc.
>
> http://commons.apache.org/daemon/jsvc.html
>
Thanks for pointing me to this - I got mixed up since both contain
"native" within their archive-names.
Thanks!
Gregor
--
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
skype:rc46fi
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Posted by Konstantin Kolinko <kn...@gmail.com>.
2010/11/30 Gregor Schneider <rc...@googlemail.com>:
> Well, in the old version, there was the archive "tomcat-native.tar.gz"
> containing the sources for the native wrapper.
The above one is tomcat-native, aka Tomcat-Apr,
a library that provides code for Http11AprProtocol and AjpAprProtocol
connectors.
http://tomcat.apache.org/native-doc/
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
> Now, with Tomcat 5.5.31, there's a new archive
> "commons-daemon-native.tar.gz", which also contains the native wrapper
> sources - however, the old one is also coming with the
> 5.5.31-distribution.
This one is commons-daemon, which gives you jsvc.
http://commons.apache.org/daemon/jsvc.html
>
> Any hints very much appreciated!
>
I do not really know what caused the issue that you are observing. You
may look at the commons-daemon sources, changelog and ask/search on
their mailing list
(I do not see a changelog in their docs. Here is a JIRA link:
https://issues.apache.org/jira/browse/DAEMON?report=com.atlassian.jira.plugin.system.project:changelog-panel
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org