Posted to users@tomcat.apache.org by Aria Bamdad <AR...@biostat.bsc.gwu.edu> on 2006/04/27 22:55:40 UTC

Changing tomcat's group

Hi,

I have several applications running in different directories.  Each
application is owned by a different linux owner/group.  In order for
Tomcat to be able to read these files to serve them, the Tomcat has
as its secondary groups, the group names of each application.

The problem I am having is that when any of the applications create
a file, the file created has the owner/group tomcat:tomcat which
prevents the application owner from accessing the file directly
(as a logged in linux user).

How do others address this problem? Is there a way to have Tomcat
dynamically switch 'group' before serving something from each application?

Thanks in advance.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Changing tomcat's group [OT]

Posted by Bob Hall <rf...@yahoo.com>.

--- Eric Haszlakiewicz <er...@swapsimple.com> wrote:

> On Thu, Apr 27, 2006 at 04:55:40PM -0400, Aria Bamdad wrote:
> > I have several applications running in different directories.  Each
> > application is owned by a different linux owner/group.  In order for
> > Tomcat to be able to read these files to serve them, the Tomcat has
> > as its secondary groups, the group names of each application.
> >
> > The problem I am having is that when any of the applications create
> > a file, the file created has the owner/group tomcat:tomcat which
> > prevents the application owner from accessing the file directly
> > (as a logged in linux user).
> >
> > How do others address this problem? Is there a way to have Tomcat
> > dynamically switch 'group' before serving something from each application?
>
> 	If the files are in separate directories, it might work to just
> make sure the directory is owned by the appropriate group.  Under NetBSD
> that seems to ensure that any files created are owned appropriately,
> but I'm not sure how it works under linux.  You might need to do a
> "chmod g+s" on the directory.
>
> eric

How about making each application owner a member
of the 'tomcat' group.

Then set the group permissions as read-only on
the dirs/files:

$ chmod -R g-w <app-dir>

If you want to share the ability to write to
a given app's dirs/files then you need to do more:

# allow members of tomcat group to write
$ chmod -R g+w <app-dir>

# set group "sticky-bit" (on directories only)
$ find <app-dir> -type d -print0 | xargs -0 chmod g+s

You'll also need to somehow require that all
app owners set their umask to 002 so that files
and dirs created by them in the tomcat group app
dirs are writeable by other tomcat group members.

$ umask 002

Overall, it's much simpler if the app owners
only have read rights.

-Bob
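
An added example, not part of Bob's message or of Tomcat: a POSIX shell audit of a shared application directory for the conditions the reply describes (setgid bit on directories, group write access, a consistent group), plus a check that sharing has not made anything world-writable. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helper names; the sample tree below is constructed.

# Directories without the setgid bit: files created there keep the creator's
# primary group (e.g. tomcat:tomcat) instead of the directory's group.
dirs_missing_setgid() { find "$1" -type d ! -perm -2000; }

# Entries the group cannot write, typically created under umask 022.
not_group_writable() { find "$1" \( -type f -o -type d \) ! -perm -0020; }

# Entries whose group differs from that of the top-level directory.
wrong_group() {
    gid=$(ls -ldn "$1" | awk '{print $4}')
    find "$1" ! -group "$gid"
}

# World-writable entries: group sharing should not widen access to "other".
world_writable() { find "$1" ! -type l -perm -0002; }

# Build a constructed sample tree and print the path of its app directory.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/app"
    chgrp "$(id -g)" "$root/app"
    chmod 2775 "$root/app"                      # rwxrwsr-x: setgid + group write
    (umask 022; : > "$root/app/created-with-umask-022")
    (umask 002; : > "$root/app/created-with-umask-002")
    (umask 022; mkdir "$root/app/sub")
    chmod g-s,g+w "$root/app/sub"               # group-writable, setgid cleared
    echo "$root/app"
}

app=$(make_sample_tree)
echo "missing setgid:";     dirs_missing_setgid "$app"
echo "not group-writable:"; not_group_writable "$app"
echo "wrong group:";        wrong_group "$app"
echo "world-writable:";     world_writable "$app"
rm -rf "${app%/app}"
```

Run against a real application directory, any output from the first three functions marks an entry that the other group members will not be able to read or modify as intended.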



Re: Changing tomcat's group

Posted by Eric Haszlakiewicz <er...@swapsimple.com>.
On Thu, Apr 27, 2006 at 04:55:40PM -0400, Aria Bamdad wrote:
> I have several applications running in different directories.  Each
> application is owned by a different linux owner/group.  In order for
> Tomcat to be able to read these files to serve them, the Tomcat has
> as its secondary groups, the group names of each application.
> 
> The problem I am having is that when any of the applications create
> a file, the file created has the owner/group tomcat:tomcat which
> prevents the application owner from accessing the file directly
> (as a logged in linux user).
> 
> How do others address this problem? Is there a way to have Tomcat
> dynamically switch 'group' before serving something from each application?

	If the files are in separate directories, it might work to just
make sure the directory is owned by the appropriate group.  Under NetBSD
that seems to ensure that any files created are owned appropriately,
but I'm not sure how it works under linux.  You might need to do a
"chmod g+s" on the directory.

eric
