To me, it appears as false problem. I don't see why the change to the permissions on the log file is so critical for the security. You can simply set appropriately the permissions on the directory where the log files are written if you don't want anyone to look at them. You can use ACL if your OS support them. You can use umask to change the default behavior.
If security of log files is critical for your application, you should take time to design the logging appropriately and don't expect someone else to take care of all your concerns for you. ----------------- Daniel Savard 2016-08-05 7:24 GMT-04:00 André Warnier (tomcat) <a...@ice-sa.com>: > Hi. > > On 05.08.2016 08:00, 韭菜 wrote: > >> Definitely a bad idea to relax the default permissions back to where they >>> were. If you want to expose your own system to abuse, you can set umask as >>> documented in the changelog. >>> >> Is there a way to like config some param to force tomcat write logs in >> old way ?and could you please give me a doc url about how set umask for >> tomcat run user ? >> >> > You might want to start here : > > http://lmgtfy.com/?q=linux+umask+command > > Then, you may need to find out which command or shell script, *on your > Linux system*, is starting Tomcat, and insert the desired umask command > there. > > But please consider the remarks made previously by Chuck. > Logfiles may contain information which you do not want to disclose to > other than a system administrator. By making these files widely readable, > you weaken the security of your whole server and perhaps much more. > > Be aware also, that by setting the umask for the Tomcat process, you are > influencing the permissions of *any* file which Tomcat itself, or any > Tomcat webapp would create. > > > >> >> >> ------------------ Original ------------------ >> From: "Caldarale, Charles R"<chuck.caldar...@unisys.com>; >> Date: 2016年8月5日(星期五) 中午12:25 >> To: "Tomcat Users List"<users@tomcat.apache.org>; >> Subject: RE: tomat8.5 write logs with incorret os permission >> >> >> >> From: 韭菜 [mailto:jiu...@qq.com] >>> Subject: tomat8.5 write logs with incorret os permission >>> >> >> When using tomcat8.0, it starts and write logs as follows: >>> (apache-tomcat-8.0.x) -rw-rw-r-- 1 app app 873710 Aug 4 20:08 >>> catalina.log >>> When using tomcat8.5.x (include tomcat 9.0.x), it starts and write logs >>> as follows: >>> (apache-tomcat-8.5.4) -rw-r----- 1 app app 100824 Aug 4 20:10 >>> catalina.log >>> >> >> A highly appropriate change, much needed to prevent untrusted users from >> accessing private information in the log. >> >> So, tomcat8.5 caused other os users can not read its logs and webapps >>> logs that deployed >>> at tomcat8.5. the logs files should has permission 664, not 640. >>> >> >> Definitely not a good idea. >> >> I thinks it is not good for java webapp devlopers , when my web app >>> write logs as >>> data log, the logs files can not rsync by other users and hosts. >>> >> >> As it should be. >> >> but it works at tomcat7.0.x and tomcat8.0.x >>> >> >> "Works" is your definition; any site interested at all in secure >> operations would consider the old permissions to be dangerous and broken. >> >> So I asked users to require further support for tomcat8.x write log files >>> feature. >>> >> >> Definitely a bad idea to relax the default permissions back to where they >> were. If you want to expose your own system to abuse, you can set umask as >> documented in the changelog. >> >> - Chuck >> >> >> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY >> MATERIAL and is thus for use only by the intended recipient. If you >> received this in error, please contact the sender and delete the e-mail and >> its attachments from all computers. >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
