You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2011/07/01 19:29:33 UTC
DO NOT REPLY [Bug 51463] New: Tomcat.setBaseDir (package
org.apache.catalina.startup) should use temp directory as default instead of
current directory
https://issues.apache.org/bugzilla/show_bug.cgi?id=51463
Bug #: 51463
Summary: Tomcat.setBaseDir (package
org.apache.catalina.startup) should use temp
directory as default instead of current directory
Product: Tomcat 7
Version: trunk
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: business2008+issues.apache.org@rodneybeede.com
Classification: Unclassified
Currently the JavaDoc for the Tomcat.setBaseDir method states:
* Tomcat needs a directory for temp files. This should be the
* first method called.
*
* By default, if this method is not called, we use:
* - system properties - catalina.base, catalina.home
* - $HOME/tomcat.$PORT
* ( /tmp doesn't seem a good choice for security ).
*
*
* TODO: better default ? Maybe current dir ?
* TODO: disable work dir if not needed ( no jsp, etc ).
----------------
The temporary directory of the system as per "java.io.tmpdir"
(System.getProperties()) should be used. Use of the current directory
("user.dir") as a default isn't really anymore secure since the current working
directory may or may not be locked down anyway (ex: many Linux systems default
to user directories being browsable by others).
Java 7 will have support in the NIO packages for creating files with
permissions at the outset. For older Java versions there isn't a nice work
around other than things that would call platform specific external commands.
Perhaps if catalina.base & catalina.home are not found then check to see if
native JNI calls, system exec calls, or Java 7 calls could be made to create
the directory structure in the java.io.tmpdir directory. If not throw a
SecureTempDirectoryUnavailableException with JavaDoc or an error message
stating that one way to handle the problem is to call setBaseDir on a directory
the programmer can trust.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 51463] Tomcat.setBaseDir (package
org.apache.catalina.startup) should use temp directory as default instead of
current directory
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51463
--- Comment #3 from Rodney Beede <bu...@rodneybeede.com> 2011-07-01 18:41:38 UTC ---
Will Tomcat 8 require Java 7 or later or still have to support Java 6. Any
idea when Tomcat will require Java 7 or later?
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 51463] Tomcat.setBaseDir (package
org.apache.catalina.startup) should use temp directory as default instead of
current directory
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51463
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|minor |enhancement
--- Comment #1 from Mark Thomas <ma...@apache.org> 2011-07-01 18:31:32 UTC ---
Java 7 doesn't help since Tomcat 7 must run on Java 6.
System.exec calls are incredibly fragile since they rely on correct OS
detection.
JNI requires a native library which (obviously) needs to be built for every
platform and adds a lot of overhead for relatively little benefit.
The current fall-back of using the user's home directory isn't great but it is
no worse (and may be slightly better) than using java.io.tmp.
Forcing basedir to be set and not starting if it isn't set is probably the best
option but that is something that probably needs to wait until Tomcat 8 since
changing this now is likely to lead to some unpleasant surprises for current
users.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 51463] Tomcat.setBaseDir (package
org.apache.catalina.startup) should use temp directory as default instead of
current directory
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51463
Ian Brandt <ia...@ianbrandt.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ian@ianbrandt.com
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 51463] Tomcat.setBaseDir (package
org.apache.catalina.startup) should use temp directory as default instead of
current directory
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51463
Rodney Beede <bu...@rodneybeede.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |business2008+issues.apache.
| |org@rodneybeede.com
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 51463] Tomcat.setBaseDir (package
org.apache.catalina.startup) should use temp directory as default instead of
current directory
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51463
--- Comment #4 from Mark Thomas <ma...@apache.org> 2011-07-01 18:52:23 UTC ---
My guess is that the next version of the Servlet spec (i.e. what Tomcat 8 will
implement) will require Java 7.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 51463] Tomcat.setBaseDir (package
org.apache.catalina.startup) should use temp directory as default instead of
current directory
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51463
--- Comment #2 from Rodney Beede <bu...@rodneybeede.com> 2011-07-01 18:41:03 UTC ---
Agreed.
(In reply to comment #1)
> Java 7 doesn't help since Tomcat 7 must run on Java 6.
>
> System.exec calls are incredibly fragile since they rely on correct OS
> detection.
>
> JNI requires a native library which (obviously) needs to be built for every
> platform and adds a lot of overhead for relatively little benefit.
>
> The current fall-back of using the user's home directory isn't great but it is
> no worse (and may be slightly better) than using java.io.tmp.
>
> Forcing basedir to be set and not starting if it isn't set is probably the best
> option but that is something that probably needs to wait until Tomcat 8 since
> changing this now is likely to lead to some unpleasant surprises for current
> users.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org