Posted to users@tomcat.apache.org by Gunnar Boström <Gu...@tietoenator.com> on 2008/04/10 11:16:44 UTC

jsvc creates pid file owned by root

Hi,

I can start and stop Tomcat 5.5 with the jsvc program but the problem is
that the pid file is created with permissions 600 and owned by root.
I want to be able to read the pid file to check if the Tomcat process is up
and running 
and also for other purposes.

Is it possible to make the pid file be owned by the user that runs Tomcat or
have the permissions to be set to 666?

Regards
Gunnar

-- 
View this message in context: http://www.nabble.com/jsvc-creates-pid-file-owned-by-root-tp16606528p16606528.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: jsvc creates pid file owned by root

Posted by fredk2 <fr...@gmail.com>.
Hi,

can you set the umask before you run jsvc ?

Rgds
Fred


Gunnar Boström wrote:
> 
> Hi,
> 
> I can start and stop Tomcat 5.5 with the jsvc program but the problem is
> that the pid file is created with permissions 600 and owned by root.
> I want to be able to read the pid file to check if the Tomcat process is
> up and running 
> and also for other purposes.
> 
> Is it possible to make the pid file be owned by the user that runs Tomcat
> or have the permissions to be set to 666?
> 
> Regards
> Gunnar
> 
> 



RE: jsvc creates pid file owned by root

Posted by Peter Crowther <Pe...@melandra.com>.
[Mid-post - sorry!]

> From: David Smith [mailto:dns4@cornell.edu]
> Well ... here's the problem.  jsvc needs that pid file to shutdown
> tomcat.  It would be a real PITA if some user or script were to muck
> around and damage or delete that file.
>
> Having said that, most *nix systems have a sticky bit ability to force
> permissions on newly created files in specific folders.  Or you could
> modify your service script to chmod the pid file on startup.

Indeed.  644 might be preferable to 666, I suspect - would at least prevent deletion and alteration!

>
> --David
>
> Gunnar Boström wrote:
>
> >Hi,
> >
> >I can start and stop Tomcat 5.5 with the jsvc program but the problem is
> >that the pid file is created with permissions 600 and owned by root.
> >I want to be able to read the pid file to check if the Tomcat process is up
> >and running
> >and also for other purposes.
> >
> >Is it possible to make the pid file be owned by the user that runs Tomcat or
> >have the permissions to be set to 666?
> >
> >Regards
> >Gunnar
> >
> >
> >



Re: jsvc creates pid file owned by root

Posted by David Smith <dn...@cornell.edu>.
Well ... here's the problem.  jsvc needs that pid file to shutdown 
tomcat.  It would be a real PITA if some user or script were to muck 
around and damage or delete that file. 

Having said that, most *nix systems have a sticky bit ability to force 
permissions on newly created files in specific folders.  Or you could 
modify your service script to chmod the pid file on startup.

--David

Gunnar Boström wrote:

>Hi,
>
>I can start and stop Tomcat 5.5 with the jsvc program but the problem is
>that the pid file is created with permissions 600 and owned by root.
>I want to be able to read the pid file to check if the Tomcat process is up
>and running 
>and also for other purposes.
>
>Is it possible to make the pid file be owned by the user that runs Tomcat or
>have the permissions to be set to 666?
>
>Regards
>Gunnar
>
>  
>
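
One way to do what David describes (have the service script chmod the pid file on startup), using the 644 mode suggested elsewhere in this thread, plus a liveness check that an unprivileged user can run. This is an added example, not code from the thread or from the Tomcat/jsvc distribution; the function names `publish_pidfile` and `tomcat_is_running` and the pid file path passed to them are assumptions.

```shell
#!/bin/sh
# Added example: function names and the pid file path are hypothetical.

# Run by the root-owned service script right after jsvc has been started.
# Waits up to $2 seconds for the pid file, then makes it readable by all
# while leaving it root-owned, so only root can alter or delete it.
publish_pidfile() {
    pidfile=$1
    tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        if [ -s "$pidfile" ]; then
            # Refuse symlinks: chmod run as root would change the link target.
            [ -L "$pidfile" ] && return 2
            chmod 644 "$pidfile"
            return $?
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Run by any user or monitoring script.
# Returns 0 if the pid file names a live process, 1 if the process is
# gone, 2 if the file is unreadable or does not hold a plain number.
tomcat_is_running() {
    pidfile=$1
    [ -r "$pidfile" ] || return 2
    read -r pid < "$pidfile" || [ -n "$pid" ] || return 2
    # Accept decimal digits only; never act on unchecked file content.
    case $pid in
        ''|*[!0-9]*) return 2 ;;
    esac
    # kill -0 only succeeds for the process owner (or root); for another
    # user's process fall back to /proc, which is Linux-specific.
    kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ] || return 1
    return 0
}
```

In a service script this would be called as `publish_pidfile "$PID_FILE"` directly after the jsvc command line, and the check as `tomcat_is_running "$PID_FILE"` from the monitoring account.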




Re: jsvc creates pid file owned by root

Posted by Alan Chaney <al...@compulsivecreative.com>.
You shouldn't be messing about with the ownership of the PID file. It is 
created by jsvc at startup. If you use jsvc properly it will start as 
root, create the pid file, startup tomcat, allow tomcat to bind to ports 
80 and 443 and then switch to the user specified with -user switch.

When you install jsvc from the version which is part of the tomcat 
distribution it comes with a shell script called 'tomcat'

Here's an (edited) extract from my version.


.....

# Set umask to avoid tomcat making tomcat-users.xml public readable
umask 027  # == 640

PID_FILE=/var/run/jsvc.pid

.....

/usr/lib/tcnative/jsvc \
      -user $TOMCAT_USER \
      -home $JAVA_HOME \
      -Dcatalina.home=$CATALINA_HOME \
      -Dcatalina.base=$CATALINA_BASE \
      -Djava.io.tmpdir=$TMP_DIR \
      -Xmx512m \
      -XX:MaxPermSize=128m \
      -wait 10 \
      -pidfile $PID_FILE \
      -outfile $CATALINA_HOME/logs/catalina.out \
      -errfile '&1' \
      $CATALINA_OPTS \
      -cp $CLASSPATH \
      org.apache.catalina.startup.Bootstrap


....



I set a lot of options in CATALINA_OPTS which are passed to the vm - for 
example my JMX switches, various application configuration properties.

I set the umask to 027 because that makes files read/write for tomcat 
and read-only for the tomcat group and read protected for the rest. This 
was because tomcat re-writes the tomcat-users.xml (which I happen to be 
using for the moment) at start up.


Gunnar Boström wrote:
> Hi,
> Answers to all of you who have responded.
> 
> I would be fine with 644 but I don't know how to set that.
see umask above

> The file is owned by root so I'm not allowed to change it.

> My umask is by default 0022 which should be okay. I tried to set the mask to
> 0000 but no change.
read about linux umask - you need to set it at the right point

> I created a pid file with the correct permissions but as expected jsvc
> ignored it.
You SPECIFY the pid file as a parameter to the startup of jsvc. -pidfile 
as above.

So this is what you do - assuming you are using a startup script like 
the provided 'tomcat':

1. Set an appropriate umask in the startup script
2. Set a pidfile location wherever you need it
3. start up tomcat

EITHER as root by going

./tomcat start


OR

sudo ./tomcat start

if you want to stay as a normal logged in user.

You need to have your sudo permissions set of course - but that's 
another longer story.


The whole point of using jsvc is that it allows you to change user from 
a privileged user to a normal user because no-one should run a web 
server as root.

HTH


> 
> I was hoping that there were some undocumented switches in jsvc that I could
> use.
> 
> Regards
> Gunnar
> 
> 



Re: jsvc creates pid file owned by root

Posted by Alan Chaney <al...@compulsivecreative.com>.
Hi Chris

Christopher Schultz wrote:
> Are you sure you are changing the umask for the jsvc process? I wonder
> if the umask is being re-set to something else when jsvc elevates itself
> to root. You should ask the commons folks about how to do this with
> jsvc, as this is really off-topic, here (but we'd love to hear the
I posted an answer to this a couple of days ago. I don't think the OP
quite understands that 'umask' is a *shell* command. Consequently if you
have a shell script like 'tomcat' for jsvc or startup.sh you must set the
umask in the shell script because a new shell is created each time.

As I posted in my example, I set umask to 027 in my jsvc startup script 
and it works just fine. tomcat starts as root, binds to the ports and 
then switches to the 'tomcat' user. The pid file is owned by root (as it 
should be) and  files created by tomcat are '640' which is what I wanted.

Another point that I think the OP was confused about was that you *must* 
have root permission to bind to system ports in linux - so you must 
either start tomcat as root or with a script invoked by 'sudo'


You can also set umask in /etc/profile which will apply to all users - 
but probably not a good thing to do.

HTH

Alan


> answer for the future).
>
> Good luck,
> -chris
>




Re: jsvc creates pid file owned by root

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Gunnar,

Gunnar Boström wrote:
| I would be fine with 644 but I don't know how to set that.
| The file is owned by root so I'm not allowed to change it.
| My umask is by default 0022 which should be okay. I tried to set the mask to
| 0000 but no change.

Are you sure you are changing the umask for the jsvc process? I wonder
if the umask is being re-set to something else when jsvc elevates itself
to root. You should ask the commons folks about how to do this with
jsvc, as this is really off-topic, here (but we'd love to hear the
answer for the future).

Good luck,
-chris



Re: jsvc creates pid file owned by root

Posted by Gunnar Boström <Gu...@tietoenator.com>.
Hi,
Answers to all of you who have responded.

I would be fine with 644 but I don't know how to set that.
The file is owned by root so I'm not allowed to change it.
My umask is by default 0022 which should be okay. I tried to set the mask to
0000 but no change.
I created a pid file with the correct permissions but as expected jsvc
ignored it.

I was hoping that there were some undocumented switches in jsvc that I could
use.

Regards
Gunnar




Re: jsvc creates pid file owned by root

Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
Do you *really* want that file to be world-writable?  Why not 644?

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.