Hi Daniel
Really the issues are to do with the JVM and linux rather more than
tomcat directly. I can't claim to be a linux guru but you should look at
it in the following way. Any application which runs on linux is 'owned'
by a user. There are two classifications - 'system' users and 'normal'
users. System users have UIDs which are less than 1024 and can invoke
privileged services. 'root' is a system (privileged) user.
One issue which often seems to confuse people is that the JVM is a
program not an operating system. When you 'run tomcat' you are actually
invoking java on the tomcat bootstrap.jar. See the javadocs
http://tomcat.apache.org/tomcat-6.0-doc/api/index.html for more details.
My point here is that java is 'just another program' to linux, and all
the permissions rules apply to the user invoking an application. You say
that tomcat is now running as root (which is a BAD THING) which implies
that you are:
a. logging in as root and starting tomcat
OR
b. letting tomcat be started by a sys init process.
One decision you must make is whether or not tomcat should be allowed to
access privileged ports (eg port 80)
If so, then you should start tomcat using something like jsvc (see
http://commons.apache.org/daemon/index.html)
which when properly configured will allow you to start an app as root,
bind tomcat to port 80 and then switch to a 'tomcat' user. You can set
umask permissions as appropriate in the startup script.
If you intend to run tomcat with its default port of 8080 (or any
non-privileged port) things are a bit simpler. Create a user on your
system (maybe 'mytomcat') and then simply start the tomcat
./bin/startup.sh as this user by something like:
su mytomcat -c $JAVA_HOME/bin/startup.sh
from within the init script.
You can, of course, su to the user you are running the other java
program as, then tomcat and your app will have the same user privileges
- or you can create a tomcat group, make this the main group for your
tomcat user, add it as another group to your 'application' user and set
the appropriate umask (002) to allow group read/write (you must also set
the directory permissions accordingly - set the 's' bit)
Please note that these are only pointers not a rigorous set of
instructions. The reality is that if you want to do anything serious in
linux you must learn the ins and outs of 'bash' and this list is not really
the place to do that.
HTH
Alan
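Added example, not part of the original thread: a sketch of what the umask (002) and the directory 's' (setgid) bit mentioned above do to the modes of newly created files, next to the 022 result that matches the rw-r--r-- / rwxr-xr-x modes in the original post. It runs unprivileged in a temp directory, assumes GNU stat, and all file and directory names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): how umask and the setgid 's' bit decide
# the modes of files created in a shared directory. Runs unprivileged in a
# temp dir; directory and file names are hypothetical.

# mode_of PATH: print the octal permission bits (GNU stat, as shipped on Ubuntu).
mode_of() { stat -c '%a' "$1"; }

# make_shared_dir DIR: rwx for owner and group, plus setgid so that new
# entries take the directory's group rather than the creator's primary group.
make_shared_dir() { mkdir -p "$1" && chmod 2775 "$1"; }

# create_with_umask MASK DIR NAME: create NAME.txt and NAME.d the way a process
# started under that umask would. The subshell keeps the umask change local.
create_with_umask() (
    umask "$1"
    : > "$2/$3.txt"
    mkdir "$2/$3.d"
)

demo() {
    base=$(mktemp -d) || return 1
    shared="$base/myfiles"
    make_shared_dir "$shared"
    create_with_umask 022 "$shared" default   # typical default umask
    create_with_umask 002 "$shared" shared    # umask suggested in the thread
    for p in "$shared" "$shared"/default.* "$shared"/shared.*; do
        printf '%-5s %s\n' "$(mode_of "$p")" "${p#"$base"/}"
    done
    rm -rf "$base"
}

demo
```

On a real system the shared directory would additionally be given the common group (chgrp) before the setgid bit has any useful effect.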
Daniel J Hulme wrote:
Alan, this is very useful, thank you.
After a bit of Googling I decided to upgrade to Tomcat6 (apparently it has
less security issues with Ubuntu). This means that the files/dirs are now
created (from the tomcat app) by 'root:root' (with the same permissions
described in my first post).
However, I still have the same problem. I'm running a java program (not as
'root'), and need write access to these files. And I'm not allowed to run my
java app as 'root'.
I'm pretty new to linux, so your help (i.e. command examples) is much
appreciated.
Daniel
Alan Chaney wrote:
This is really a linux permissions issue.
How are you starting tomcat? with the $TOMCAT_HOME/bin/startup.sh or
with jsvc or are you using an ubuntu startup script?
You don't say anything about the user who will run the java application.
Generally, the way to control the access permissions with which files
are created in linux is to call 'umask' with the correct parameters. As
mentioned before on this list umask is a shell command, so you must do
it at the correct point or severely weaken the overall security of your
installation.
You need to do the following:
1. decide which user or users will be executing tomcat and the java
application.
2. If you decide that you need to have two separate users, then make
them both in the same group.
3. Use umask in the tomcat startup script and/or the shell in which you
run your application to set appropriate access permissions - GIYF
As an aside, if you are going to have two different processes writing
these shared files you may also have to consider locking issues - maybe
you have already done this.
Regards
Alan Chaney
Daniel J Hulme wrote:
Hi,
I'm running a WebService using Tomcat 5.5 on Ubuntu 7.10 with Axis2.
Files (and directories) are created by this service on a local directory:
/myfiles/
The permission of the new directories and files in this directory are:
Directories: 'drwxr-xr-x 2 tomcat55 nogroup 4096'
Files: '-rw-r--r-- 1 tomcat55 nogroup 10041'
The problem is, if I want to access (write) these files using, say, a java
application, it gives me:
java.io.FileNotFoundException: /myfiles/aDir/aFile.txt (Permission denied)
How can I either:
1. Gain write access to these files (without having to constantly change the
permissions in the command prompt, and without running my java application
with 'root' access).
2. Create the files/dirs from tomcat with 'write access'
3. Other....
Thanking you in advance.
Daniel
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------