Posted to users@tomcat.apache.org by Daniel J Hulme <dj...@gmail.com> on 2008/04/20 16:24:25 UTC

Permissions of File Created by Tomcat

Hi,

I'm running a WebService using Tomcat 5.5 on Ubuntu 7.10 with Axis2.

Files (and directories) are created by this service on a local directory:

/myfiles/

The permissions of the new directories and files in this directory are:

Directories: 		'drwxr-xr-x 2 tomcat55 nogroup  4096'
Files:			'-rw-r--r-- 1 tomcat55 nogroup 10041'

The problem is, if I want to access (write) these files using, say, a java
application, it gives me:

 java.io.FileNotFoundException: /myfiles/aDir/aFile.txt (Permission denied)

How can I either:

1. Gain write access to these files (without having to constantly change the
permissions in the command prompt, and without running my java application
with 'root' access).

2. Create the files/dirs from tomcat with 'write access'

3. Other....

Thanking you in advance.

Daniel


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Permissions of File Created by Tomcat

Posted by Daniel J Hulme <dj...@gmail.com>.
SORTED!

Thanks Alan. In the end I created a new user, and I'm running tomcat and my
java app with this new user.

Thanks again, you've been a great help.

Daniel





Re: Permissions of File Created by Tomcat

Posted by Alan Chaney <al...@compulsivecreative.com>.
Hi Daniel

Really the issues are to do with the JVM and linux rather more than 
tomcat directly. I can't claim to be a linux guru but you should look at 
it in the following way: any application which runs on linux is 'owned' 
by a user. There are two classifications - 'system' users and 'normal' 
users. System users have UIDs which are less than 1024 and can invoke 
privileged services. 'root' is a system (privileged) user.

One issue which often seems to confuse people is that the JVM is a 
program not an operating system. When you 'run tomcat' you are actually 
invoking java on the tomcat bootstrap.jar. See the javadocs 
http://tomcat.apache.org/tomcat-6.0-doc/api/index.html for more details.

My point here is that java is 'just another program' to linux, and all 
the permissions rules apply to the user invoking an application. You say 
that tomcat is now running as root (which is a BAD THING) which implies 
that you are:

a. logging in as root and starting tomcat
OR
b. letting tomcat be started by a sys init process.

One decision you must make is whether or not tomcat should be allowed to 
access privileged ports (eg port 80).
If so, then you should start tomcat using something like jsvc (see 
http://commons.apache.org/daemon/index.html)
which when properly configured will allow you to start an app as root, 
bind tomcat to port 80 and then switch to a 'tomcat' user. You can set 
umask permissions as appropriate in the startup script.

If you intend to run tomcat with its default port of 8080 (or any 
non-privileged port) things are a bit simpler. Create a user on your 
system (maybe 'mytomcat') and then simply start the tomcat 
./bin/startup.sh as this user by something like:

su mytomcat -c $TOMCAT_HOME/bin/startup.sh

from within the init script.

You can, of course, su to the user you are running the other java 
program as, then tomcat and your app will have the same user privileges 
- or you can create a tomcat group, make this the main group for your 
tomcat user, add it as another group to your 'application' user and set 
the appropriate umask (002) to allow group read/write (you must also set 
the directory permissions accordingly - set the 's' bit)

Please note that these are only pointers not a rigorous set of 
instructions. The reality is that if you want to do anything serious in 
linux you must learn the ins and outs of 'bash' and this list is not really 
the place to do that.

HTH

Alan




Re: Permissions of File Created by Tomcat

Posted by Daniel J Hulme <dj...@gmail.com>.
Alan, this is very useful, thank you.

After a bit of Googling I decided to upgrade to Tomcat6 (apparently it has
less security issues with Ubuntu). This means that the files/dirs are now
created (from the tomcat app) by 'root:root' (with the same permissions
described in my first post).

However, I still have the same problem. I'm running a java program (not as
'root'), and need write access to these files. And I'm not allowed to run my
java app as 'root'.

I'm pretty new to linux, so your help (i.e. command examples) is much
appreciated.

Daniel





Re: Permissions of File Created by Tomcat

Posted by Alan Chaney <al...@compulsivecreative.com>.
This is really a linux permissions issue.

How are you starting tomcat? With the $TOMCAT_HOME/bin/startup.sh or 
with jsvc or are you using an ubuntu startup script?

You don't say anything about the user who will run the java application.

Generally, the way to control the access permissions with which files 
are created in linux is to call 'umask' with the correct parameters. As 
mentioned before on this list umask is a shell command, so you must do 
it at the correct point or severely weaken the overall security of your 
installation.

You need to do the following:

1. decide which user or users will be executing tomcat and the java 
application.
2. If you decide that you need to have two separate users, then make 
them both in the same group.
3. Use umask in the tomcat startup script and/or the shell in which you 
run your application to set appropriate access permissions - GIYF

As an aside, if you are going to have two different processes writing 
these shared files you may also have to consider locking issues - maybe 
you have already done this.

Regards

Alan Chaney
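
The umask step in this message, together with the shared group and setgid directory from Alan's follow-up, as an added example that is not part of the original thread. It runs unprivileged in a temporary directory; 'appuser' is an assumed name for the account running the other Java application, and the root-only setup is shown as comments.

```shell
#!/bin/sh
# Added example, not from the thread. One-time setup as root would be along
# these lines ('mytomcat' and the 'tomcat' group are the names used in the
# thread; 'appuser' is an assumption):
#   groupadd tomcat
#   usermod -g tomcat mytomcat                    # primary group of the Tomcat user
#   usermod -a -G tomcat appuser                  # supplementary group of the other app
#   chgrp tomcat /myfiles && chmod 2775 /myfiles  # group-writable + setgid
# and 'umask 002' goes in the Tomcat startup script before the JVM is launched.

# Print "<file mode> <dir mode>" for objects created under the given umask.
# Programs (the JVM included) ask for 0666 on files and 0777 on directories;
# the kernel clears whatever bits are set in the umask.
modes_under_umask() {
    (
        umask "$1"
        work=$(mktemp -d) || exit 1
        : > "$work/aFile.txt"
        mkdir "$work/aDir"
        echo "$(stat -c %a "$work/aFile.txt") $(stat -c %a "$work/aDir")"
        rm -rf "$work"
    )
}

# Print the mode of a directory created inside a setgid, group-writable
# parent. The new directory inherits the parent's group and the setgid bit,
# so everything below the shared directory stays in the shared group.
subdir_mode_in_setgid_parent() {
    (
        umask 002
        parent=$(mktemp -d) || exit 1
        chmod 2775 "$parent"
        mkdir "$parent/aDir"
        stat -c %a "$parent/aDir"
        rm -rf "$parent"
    )
}

# umask 022 reproduces the rw-r--r-- / rwxr-xr-x listing from the first post.
echo "umask 022: $(modes_under_umask 022)"
# umask 002 adds group write without touching the 'other' bits.
echo "umask 002: $(modes_under_umask 002)"
echo "new dir under setgid parent: $(subdir_mode_in_setgid_parent)"
```

With umask 002 only owner and group can write and 'other' stays read-only, so write access is limited to members of the shared group. The script uses GNU 'stat -c', as found on Linux.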





