Posted to users@tomcat.apache.org by Udam Dewaraja <ud...@gmail.com> on 2012/09/06 19:50:30 UTC

Tomcat running with a shared unix group but unable to read files with group permissions

Hi all,

I'm stumped on a seemingly java/tomcat related issue and am hoping someone
can provide some help.


We have two users ('user1' and 'user2') on our linux server that share the
same group ('group1'). User 'user1' writes some files that have the
following permissions:

-rw-r----- 1 user1 group1  788 Sep  5 19:42 file.log

The folder containing this file has the following permissions:

drwxr-xr--  2 user1 group1  4096 Sep  5 19:42 log


The tomcat web app is launched as user 'user2'. Below is the ps output for
the process. I've also verified that the java web app is running with gid
of the shared group 'group1'.


user2    31920 31919 99 21:30 ?        00:00:36 /usr/local/jre/bin/java
.... org.apache.catalina.startup.Bootstrap start

When the web app tries to read the file, *it gets the following exception*:

java.io.FileNotFoundException: /foo/bar/data/log/file.log (Permission denied)
        at java.io.RandomAccessFile.open(Native Method)
        at java.io.RandomAccessFile.<init>(RandomAccessFile.java:233)
        at java.io.RandomAccessFile.<init>(RandomAccessFile.java:118)
        …
        at java.lang.Thread.run(Thread.java:679)


However, while logged in as 'user2', I can run a simple
cat /foo/bar/data/log/file.log and *I can read the contents of the file*.

Also, if I provide 'other' read permissions to the file (e.g. -rw-r--r--
1 user1 group1  788 Sep  5 19:42 file.log), *the web app is able to read
the file*.

If I write a sample java application that tries to read this file and
execute it while logged in as 'user2', again *Java is able to read the file.*


Tomcat doesn't seem to be using any security policy as far as I can tell.
Any ideas why the group permissions seem to be ignored by tomcat?


Thanks!

Udam

Re: Tomcat running with a shared unix group but unable to read files with group permissions

Posted by Udam Dewaraja <ud...@gmail.com>.
In my code, the RandomAccess file is trying to do a read (code below).
That's why all my tests are doing reads.

logFile = new RandomAccessFile(fileToRead, "r");

The sample java application I ran executes the exact same line above (with
the same file) and reads the contents correctly. However, in Tomcat webapp,
this fails.

Thanks,
Udam

On Thu, Sep 6, 2012 at 1:15 PM, André Warnier <aw...@ice-sa.com> wrote:

> Udam Dewaraja wrote:
>
>> Tomcat doesn't seem to be using any security policy as far as I can tell.
>> Any ideas why the group permissions seem to be ignored by tomcat?
>>
>>
> Nothing to do with Tomcat I think.
> Maybe it is because java.io.RandomAccessFile is a read/write kind of file,
> and the group just has read permission ?
> All your tests involve reading, not writing, and reading is allowed for
> the group.
>
> Google for java.io.RandomAccessFile.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Tomcat running with a shared unix group but unable to read files with group permissions

Posted by André Warnier <aw...@ice-sa.com>.
Udam Dewaraja wrote:
> Tomcat doesn't seem to be using any security policy as far as I can tell.
> Any ideas why the group permissions seem to be ignored by tomcat?
> 
> 
Nothing to do with Tomcat I think.
Maybe it is because java.io.RandomAccessFile is a read/write kind of file, and the group 
just has read permission ?
All your tests involve reading, not writing, and reading is allowed for the group.

Google for java.io.RandomAccessFile.
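
The permission logic this thread turns on (the listed modes on log and file.log, the process's group membership, and the read versus read/write question raised in the reply above), worked through as an added example that is not part of the original messages. It evaluates classic mode bits only; the numeric uids/gids and the two /proc/<pid>/status samples are constructed.

```python
# Added example: evaluates classic Unix mode bits only (no ACLs, SELinux,
# or root/CAP_DAC_OVERRIDE bypass). All uids/gids below are constructed.
R, W, X = 4, 2, 1

def parse_proc_status(text):
    """Pull the filesystem uid/gid and supplementary groups out of
    the text of /proc/<pid>/status."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    # Uid:/Gid: columns are real, effective, saved, filesystem.
    return {"fsuid": int(fields["Uid"][3]),
            "fsgid": int(fields["Gid"][3]),
            "groups": {int(g) for g in fields.get("Groups", [])}}

def allowed(cred, owner, group, mode, want):
    """Exactly one class (owner, group, other) is consulted; no fall-through."""
    if cred["fsuid"] == owner:
        bits = (mode >> 6) & 7
    elif group == cred["fsgid"] or group in cred["groups"]:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def can_open(cred, entries, want):
    """entries: (name, owner_uid, group_gid, mode) tuples, directories
    first and the file last. Every directory needs search (x)."""
    *dirs, (name, owner, group, mode) = entries
    for d_name, d_owner, d_group, d_mode in dirs:
        if not allowed(cred, d_owner, d_group, d_mode, X):
            return False, f"no search permission on {d_name}"
    if not allowed(cred, owner, group, mode, want):
        return False, f"mode {mode:o} on {name} denies the request"
    return True, "ok"

# Constructed ids: user1=1001, user2=1002, group1=2000.
PATH = [("log", 1001, 2000, 0o754),        # drwxr-xr--
        ("file.log", 1001, 2000, 0o640)]   # -rw-r-----
IN_GROUP = "Name:\tjava\nUid:\t1002\t1002\t1002\t1002\nGid:\t1002\t1002\t1002\t1002\nGroups:\t1002 2000\n"
NOT_IN_GROUP = "Name:\tjava\nUid:\t1002\t1002\t1002\t1002\nGid:\t1002\t1002\t1002\t1002\nGroups:\t1002\n"

if __name__ == "__main__":
    for label, status in (("in group1", IN_GROUP), ("not in group1", NOT_IN_GROUP)):
        cred = parse_proc_status(status)
        print(label, "read:", can_open(cred, PATH, R), "read+write:", can_open(cred, PATH, R | W))
```

On a live system the same three fields come from /proc/<pid>/status of the running java process.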



Re: Tomcat running with a shared unix group but unable to read files with group permissions

Posted by Peter Benko <be...@vseit.sk>.
On Thu, Sep 06, 2012 at 10:50:30AM -0700, Udam Dewaraja wrote:
> Tomcat doesn't seem to be using any security policy as far as I can tell.
> Any ideas why the group permissions seem to be ignored by tomcat?
> 

Please try to check ulimit (pam) settings in your OS.

-- 
Peter Benko
