--- Aria Bamdad <[EMAIL PROTECTED]> wrote:

> On Thu, 27 Apr 2006 20:09:44 -0700 (PDT) Bob Hall said:
> >
> > How about making each application owner a member
> > of the 'tomcat' group.
>
> Bob, making each app owner a member of the tomcat group will allow different
> app owners to look at each other's files. For security, I need to keep each
> application's files secure from the others. So, I can't add each owner to the
> tomcat group. Even so, the application owner needs to have read/write access
> to the files created, which makes matters more complicated.
>
> What I need is to either have tomcat create the files using the appropriate
> group by maybe having tomcat do a 'newgrp' before executing an application
> request. Is this possible? Is there a way to do a post- or pre- script
> before running a request in tomcat?
>
> Thanks.
> Aria.
The 'newgrp' command starts another shell within the current one, which won't
work AFAIK. However, you should still be able to accomplish what you want.

For each app-dir:

  # 1. Ensure all files/dirs have the correct owner & group:
  $ chown -R <app-owner> <app-dir>
  $ chgrp -R <app-owner-group> <app-dir>

  # 2. Ensure all files/dirs are group writeable:
  $ chmod -R g+w <app-dir>

  # 3. Set the setgid ("group sticky") bit on each of the app's dirs:
  $ find <app-dir> -type d -exec chmod g+s {} +

Step 3 should force all files/dirs created in an <app-dir> to have the
specified <app-owner-group>. This will allow an app-owner full access to files
created by the tomcat user.

You'll also need to require that all app owner accounts have their umask set
to 002. Otherwise an app-owner account could create a file that would be
read-only for the tomcat user, which might produce problems when running
Tomcat. ($ umask 002)

-Bob
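The procedure in the reply above, as an added worked example that is not part of the original thread. It sets up one app directory (steps 1-3), then checks the two things a practitioner would want to confirm: that a file created inside inherits the directory's group, and that the umask actually decides whether the other party can write it. The directory and file names are constructed for the demo, and because `chown` to a separate app-owner account needs root, the current user's primary group stands in for `<app-owner-group>`.

```shell
#!/bin/sh
# Added example, not code from the original thread. Sets up one <app-dir>
# as the reply describes and verifies the result. Names are constructed;
# the current user's primary group stands in for <app-owner-group> because
# chown/chgrp to another account needs root.

# Steps 1-3 of the reply: group ownership, group write, setgid on directories.
setup_app_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir/work/temp"
    chgrp -R "$group" "$dir"
    chmod -R g+w "$dir"
    # setgid on every directory under $dir; -exec ... + passes the directories
    # found, so there is no cwd-relative list and no need for -R
    find "$dir" -type d -exec chmod g+s {} +
}

# Group name of a path (field 4 of ls -ld; same on Linux and BSD).
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# Symbolic mode of a path, e.g. drwxrwsr-x.
mode_of() {
    ls -ld "$1" | awk '{print $1}'
}

# Succeeds when the directory's group-execute slot shows the setgid bit (s/S).
dir_is_setgid() {
    case "$(mode_of "$1")" in
        d?????[sS]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Simulate the tomcat user writing a log into the app dir and check that
# (a) the file inherits the directory's group, via setgid, and
# (b) with umask 002 the group keeps write access (mode -rw-rw-r--).
tomcat_file_ok() {
    dir=$1
    f="$dir/work/catalina.out"
    ( umask 002; : > "$f" )
    [ "$(group_of "$f")" = "$(group_of "$dir/work")" ] || return 1
    case "$(mode_of "$f")" in
        -rw?rw*) return 0 ;;
        *)       return 1 ;;
    esac
}

# The failure mode the reply warns about: an app-owner account with the usual
# umask 022 creates a file (mode -rw-r--r--) that the group, i.e. the tomcat
# user, cannot write. Succeeds when the file is indeed not group-writeable.
umask_022_blocks_group_write() {
    dir=$1
    f="$dir/work/uploaded-by-owner.conf"
    ( umask 022; : > "$f" )
    case "$(mode_of "$f")" in
        -rw?r-*) return 0 ;;
        *)       return 1 ;;
    esac
}

main() {
    tmp=$(mktemp -d)
    setup_app_dir "$tmp/app1" "$(id -gn)"
    dir_is_setgid "$tmp/app1/work/temp" && echo "setgid is set on $tmp/app1/work/temp"
    tomcat_file_ok "$tmp/app1" && echo "file created under umask 002 inherits the group and is group-writeable"
    umask_022_blocks_group_write "$tmp/app1" && echo "file created under umask 022 is NOT group-writeable"
    rm -rf "$tmp"
}

# Run as: sh setup_app_dir.sh demo
if [ "${1-}" = demo ]; then
    main
fi
```

Note that setgid on the directory fixes the group of new files but never their mode bits; the `chmod -R g+w` in step 2 only covers files that already exist, which is why the umask of every account writing into the tree (tomcat and each app owner) matters as much as the directory setup.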