On Thu, Dec 03, 2015 at 10:42:40AM -0300, Andres Riancho wrote:
> List,
>
> I'm trying to secure my tomcat instances. One of the steps I took
> was to run the tomcat process using the non-privileged "tomcat" user,
> and set the file system permissions as restrictive as possible. It all
> works well, but there is something missing: "The tomcat user is able
> to read the access log files":
>
> root@7083cdc8e2fc:/apps/tomcat/logs# ls -la
> ...
> -rw-rw---- 1 tomcat tomcat 0 Dec 1 19:46 0.0.0.0_access_log.2015-12-01.txt
One fancier approach would be to configure a log sink which passes records to another process through a socket -- syslog, for example. There are syslog Handler implementations for java.util.logging, or you could cook up a custom log recorder to receive from the stock j.u.l.SocketHandler, or you could configure Tomcat to use slf4j/logback and its syslog appender. This will not be simple but it will be quite adaptable. You should probably look at simpler methods first.

> Is there any way to configure tomcat to be able to write to the
> access log file, but have the file owned by root with permissions 600?
> I understand that this is done by starting the tomcat process as root
> and then dropping privileges using setuid(), but was unable to find
> something already built / well documented.

That is what the Commons Daemon tool (jsvc) is for. That should be a lot simpler.

-- 
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
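The socket-based log sink Mark describes, as an added example that is not part of the thread and not Tomcat's or Commons Daemon's code: one process (in deployment, run as root or a dedicated log user) creates the access log with mode 0600 and is the only thing that ever holds it open; the unprivileged "tomcat"-side process only gets a Unix datagram socket to send records through, so it can neither read the log nor write to it directly. The record format, socket and file paths, and the sink's choice to run in a thread instead of a separate daemon are assumptions made for the demo; in the demo the sink runs as the same uid as the writer, so the 0600 mode is what is verified, not the uid split.

```python
"""Privilege-separated access log sink over a Unix datagram socket.

Added example (hypothetical paths, constructed sample records).
The LogSink owns the 0600 log file; the AccessLogWriter, playing the role
of the Tomcat process, only ever touches the socket.
"""
import os
import socket
import stat
import tempfile
import threading

SHUTDOWN = b"\x00"  # sentinel datagram telling the sink to exit (demo only)


class LogSink:
    """Privileged side: creates the log file 0600 and appends received records."""

    def __init__(self, sock_path, log_path):
        # Create the file closed to everyone but the owner *before* the first
        # record arrives; fchmod defeats a permissive umask.
        fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        os.fchmod(fd, 0o600)
        self.log = os.fdopen(fd, "ab", buffering=0)
        self.sock_path = sock_path
        if os.path.exists(sock_path):
            os.unlink(sock_path)
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        self.sock.bind(sock_path)
        # The writer needs the socket, not the file: in deployment make the
        # socket group-writable by the tomcat user's group and nothing else.
        os.chmod(sock_path, 0o660)
        self.count = 0
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while True:
            data = self.sock.recv(65536)
            if data == SHUTDOWN:
                break
            # One datagram == one record. Escape line terminators so a
            # compromised writer cannot forge extra log lines.
            line = data.replace(b"\r", b"\\r").replace(b"\n", b"\\n")
            self.log.write(line + b"\n")
            self.count += 1
        self.log.close()
        self.sock.close()
        os.unlink(self.sock_path)

    def stop(self):
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
            s.sendto(SHUTDOWN, self.sock_path)
        self.thread.join(timeout=5)


class AccessLogWriter:
    """Unprivileged side (the Tomcat process): sends records, never opens the file."""

    def __init__(self, sock_path):
        self.sock_path = sock_path
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)

    def log(self, record):
        self.sock.sendto(record.encode("utf-8"), self.sock_path)

    def close(self):
        self.sock.close()


def demo(base_dir=None):
    """Run sink and writer, return the file mode and what ended up in the log."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="acclog-")
    sock_path = os.path.join(base_dir, "access.sock")
    log_path = os.path.join(base_dir, "access_log.txt")
    sink = LogSink(sock_path, log_path)
    writer = AccessLogWriter(sock_path)
    # Constructed records in Tomcat's default "common" access-log pattern.
    records = [
        '10.0.0.7 - - [03/Dec/2015:10:42:40 -0300] "GET /manager/html HTTP/1.1" 403 1234',
        '10.0.0.8 - - [03/Dec/2015:10:42:41 -0300] "POST /app/login HTTP/1.1" 302 -',
        '10.0.0.9 - - [03/Dec/2015:10:42:42 -0300] "GET /app/ HTTP/1.1" 200 5120',
        # A hostile writer trying to smuggle a second line into the log:
        '10.0.0.9 - - [03/Dec/2015:10:42:43 -0300] "GET /x HTTP/1.1" 200 1\n0.0.0.0 FORGED',
    ]
    for r in records:
        writer.log(r)
    writer.close()
    sink.stop()
    mode = stat.S_IMODE(os.stat(log_path).st_mode)
    with open(log_path, "rb") as f:
        lines = f.read().decode("utf-8").splitlines()
    return {"mode": mode, "received": sink.count, "lines": lines}


if __name__ == "__main__":
    result = demo()
    print(oct(result["mode"]), result["received"], "records")
    for line in result["lines"]:
        print(line)
```

The check a practitioner wants from this arrangement is simple: `ls -l` on the log shows `-rw------- root root`, while `ls -l` on the socket shows a group the tomcat user belongs to. A sink like this does the job of the syslog daemon in Mark's first suggestion; the stock j.u.l.SocketHandler speaks XML over TCP rather than raw lines over a datagram socket, so a receiver for it would need to parse that format, which is part of why the reply calls this route adaptable but not simple.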