Shawn,

On 10/12/20 15:59, Beard, Shawn wrote:
> Tomcat 9.0.31.0 loads a org.apache.catalina.security.SecurityListener by
> default in the catalina.sh file.

This comes from server.xml, and it's not "on" by default.

> This SecurityListener also sets the UMASK of files to 0027. This has the
> effect of any file tomcat creates or the app running in tomcat creates
> with permissions of -rw-r-----

This is untrue: SecurityListener does not set any umask (nor can it). It
simply checks the effective umask (as passed into the JVM as a system
property) against a configured minimum.

> This is causing a problem for us as it prevents certain people from
> being able to read log files or read any file the application might
> create. Putting these users in the group of the user that tomcat runs as
> is not an option.

:(

> I’ve tried changing the catalina.sh to set the UMASK to something like
> 0022 but that prevents tomcat from starting with an error that it has to
> be at least as restrictive as 0027.

Do not change catalina.sh. Instead, use $CATALINA_BASE/setenv.sh to set
the UMASK environment variable (which should work).

> I’ve also tried setting the UMASK to 0022 in the setenv.sh with same
> results.

Good. Well, not good. But I mean, good that you are using setenv.sh.

> I’m hesitant to comment out the loading of the security listener in
> catalina.sh as I don’t want to disable anything else important that it
> may be doing from a security standpoint.

It's verifying the minimum umask and that you aren't running as any of
the configured OS usernames (default: "root").

I suspect if you disable the SecurityListener you will find that nothing
changes: your umask will still be ignored for some reason.

> Does anyone have any ideas as to a workaround?

How are you launching Tomcat?

-chris
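
The check described in the reply above, as an added sketch that is not part of the original message and not Tomcat's own code: it assumes a umask is accepted when it masks every permission bit the configured minimum masks, and it also prints the mode a new regular file (requested as 0666) gets under each umask. The function names are hypothetical and the umask values are the ones from this thread plus 0077.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Tomcat code.

# is_octal VALUE: succeeds only for a non-empty string of octal digits.
is_octal() {
    case $1 in
        ''|*[!0-7]*) return 1 ;;
    esac
}

# umask_meets_minimum EFFECTIVE MINIMUM
# Returns 0 if EFFECTIVE masks every bit that MINIMUM masks, 1 if it is
# less restrictive, 2 if either argument is not octal.
# Assumption: the comparison is bitwise, not numeric.
umask_meets_minimum() {
    is_octal "$1" && is_octal "$2" || return 2
    _eff=$((0$1)) _min=$((0$2))
    [ $(( _eff & _min )) -eq "$_min" ]
}

# file_mode_for_umask UMASK
# Prints the mode of a regular file created with a requested mode of 0666.
file_mode_for_umask() {
    is_octal "$1" || return 2
    printf '%04o\n' $(( 0666 & ~0$1 ))
}

# Constructed sample values: the umasks discussed in the thread, plus 0077.
minimum=0027
for u in 0022 0027 0077; do
    if umask_meets_minimum "$u" "$minimum"; then
        verdict="accepted"
    else
        verdict="rejected"
    fi
    echo "umask $u -> new files $(file_mode_for_umask "$u"), $verdict against minimum $minimum"
done
```

Under this comparison 0022 is rejected against 0027 because it leaves group write and other read unmasked, which matches the startup error reported in the thread.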