SORTED! Thanks Alan. In the end I created a new user, and I'm running tomcat and my java app with this new user.

Thanks again, you've been a great help.

Daniel

Alan Chaney wrote:
>
> Hi Daniel
>
> Really the issues are to do with the JVM and linux rather more than
> tomcat directly. I can't claim to be a linux guru but you should look at
> it in the following way. Any application which runs on linux is 'owned'
> by a user. There are two classifications - 'system' users and 'normal'
> users. System users have UIDs which are less than 1024 and can invoke
> privileged services. 'root' is a system (privileged) user.
>
> One issue which often seems to confuse people is that the JVM is a
> program not an operating system. When you 'run tomcat' you are actually
> invoking java on the tomcat bootstrap.jar. See the javadocs
> http://tomcat.apache.org/tomcat-6.0-doc/api/index.html for more details.
>
> My point here is that java is 'just another program' to linux, and all
> the permissions rules apply to the user invoking an application. You say
> that tomcat is now running as root (which is a BAD THING) which implies
> that you are:
>
> a. logging in as root and starting tomcat
> OR
> b. letting tomcat be started by a sys init process.
>
> One decision you must make is whether or not tomcat should be allowed to
> access privileged ports (eg port 80).
> If so, then you should start tomcat using something like jsvc (see
> http://commons.apache.org/daemon/index.html)
> which when properly configured will allow you to start an app as root,
> bind tomcat to port 80 and then switch to a 'tomcat' user. You can set
> umask permissions as appropriate in the startup script.
>
> If you intend to run tomcat with its default port of 8080 (or any
> non-privileged port) things are a bit simpler. Create a user on your
> system (maybe 'mytomcat') and then simply start the tomcat
> ./bin/startup.sh as this user by something like:
>
> su mytomcat -c $JAVA_HOME/bin/startup.sh
>
> from within the init script.
>
> You can, of course, su to the user you are running the other java
> program as, then tomcat and your app will have the same user privileges
> - or you can create a tomcat group, make this the main group for your
> tomcat user, add it as another group to your 'application' user and set
> the appropriate umask (002) to allow group read/write (you must also set
> the directory permissions accordingly - set the 's' bit)
>
> Please note that these are only pointers not a rigorous set of
> instructions. The reality is that if you want to do anything serious in
> linux you must learn the ins and outs of 'bash' and this list is not really
> the place to do that.
>
> HTH
>
> Alan
>
>
> Daniel J Hulme wrote:
>> Alan, this is very useful, thank you.
>>
>> After a bit of Googling I decided to upgrade to Tomcat6 (apparently it has
>> less security issues with Ubuntu). This means that the files/dirs are now
>> created (from the tomcat app) by 'root:root' (with the same permissions
>> described in my first post).
>>
>> However, I still have the same problem. I'm running a java program (not as
>> 'root'), and need write access to these files. And I'm not allowed to run my
>> java app as 'root'.
>>
>> I'm pretty new to linux, so your help (i.e. command examples) is much
>> appreciated.
>>
>> Daniel
>>
>>
>>
>> Alan Chaney wrote:
>>
>>> This is really a linux permissions issue.
>>>
>>> How are you starting tomcat? with the $TOMCAT_HOME/bin/startup.sh or
>>> with jsvc or are you using an ubuntu startup script?
>>>
>>> You don't say anything about the user who will run the java application.
>>>
>>> Generally, the way to control the access permissions with which files
>>> are created in linux is to call 'umask' with the correct parameters. As
>>> mentioned before on this list umask is a shell command, so you must do
>>> it at the correct point or severely weaken the overall security of your
>>> installation.
>>>
>>> You need to do the following:
>>>
>>> 1. decide which user or users will be executing tomcat and the java
>>> application.
>>> 2. If you decide that you need to have two separate users, then make
>>> them both in the same group.
>>> 3. Use umask in the tomcat startup script and/or the shell in which you
>>> run your application to set appropriate access permissions - GIYF
>>>
>>> As an aside, if you are going to have two different processes writing
>>> these shared files you may also have to consider locking issues - maybe
>>> you have already done this.
>>>
>>> Regards
>>>
>>> Alan Chaney
>>>
>>>
>>> Daniel J Hulme wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm running a WebService using Tomcat 5.5 on Ubuntu 7.10 with Axis2.
>>>>
>>>> Files (and directories) are created by this service on a local
>>>> directory:
>>>>
>>>> /myfiles/
>>>>
>>>> The permission of the new directories and files in this directory are:
>>>>
>>>> Directories: 'drwxr-xr-x 2 tomcat55 nogroup 4096'
>>>> Files: '-rw-r--r-- 1 tomcat55 nogroup 10041'
>>>>
>>>> The problem is, if I want to access (write) these files using, say, a
>>>> java application, it gives me:
>>>>
>>>> java.io.FileNotFoundException: /myfiles/aDir/aFile.txt (Permission
>>>> denied)
>>>>
>>>> How can I either:
>>>>
>>>> 1. Gain write access to these files (without having to constantly change
>>>> the permissions in the command prompt, and without running my java
>>>> application with 'root' access).
>>>>
>>>> 2. Create the files/dirs from tomcat with 'write access'
>>>>
>>>> 3. Other....
>>>>
>>>> Thanking you in advance.
>>>>
>>>> Daniel
>>>>
>>>>
>>> ---------------------------------------------------------------------
>>> To start a new topic, e-mail: users@tomcat.apache.org
>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>
>>
>

--
View this message in context: http://www.nabble.com/Permissions-of-File-Created-by-Tomcat-tp16792720p16800534.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
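The thread's group-sharing recipe (a shared directory with the setgid 's' bit, and umask 002 in the shell that creates the files) can be checked on any Linux box without root, because the setgid bit on a directory you own and your own umask are all that determine the mode of a freshly created file. The POSIX shell script below is an added example written for this page, not code posted by Daniel or Alan: it creates a scratch directory, sets mode 2775 on it, then creates one file under the default umask 022 (reproducing the thread's `-rw-r--r--`) and one under umask 002 (group-writable `-rw-rw-r--`). It assumes only `mkdir`, `chmod`, `ls`, `mktemp` and `test -g`; the second-user side of the thread (a 'mytomcat' account placed in the same group) cannot be shown without root, so the script checks the directory and file modes, which is what the mailing-list poster was seeing go wrong.

```shell
#!/bin/sh
# Added example for the Tomcat-users thread on shared file permissions.
# Demonstrates: setgid bit on a shared directory + umask 002 in the creating
# shell => new files are group-writable, so a second user in the same group
# (the 'application' user in the thread) can write them without root.

# mode_of PATH: print the nine permission characters, e.g. rw-rw-r--
# (column 1 of ls -l is the file type, columns 2-10 are the mode bits)
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# make_shared_dir DIR: create the shared tree with mode 2775
#   2 = setgid bit: files created inside inherit DIR's group
#   775 = owner and group may read/write/traverse, others may only read
# In production you would also 'chgrp tomcat DIR'; here the directory keeps
# the caller's primary group so the script runs unprivileged.
make_shared_dir() {
    mkdir -p "$1" && chmod 2775 "$1"
}

# create_with_umask DIR NAME UMASK: create an empty file under UMASK and
# print its mode.  The umask is set in a subshell so the caller's umask is
# untouched, which is the point Alan makes about calling umask at the right
# place rather than globally.
create_with_umask() {
    ( umask "$3" && : > "$1/$2" ) && mode_of "$1/$2"
}

# has_setgid DIR: 0 if the setgid bit is set, 1 otherwise
has_setgid() {
    test -g "$1"
}

# demo: run the whole scenario in a temporary directory and print a
# before/after line.  Expected output: "rw-r--r-- rw-rw-r--"
demo() {
    base=$(mktemp -d) || return 1
    make_shared_dir "$base/myfiles" || return 1
    has_setgid "$base/myfiles" || return 1
    # umask 022 is the usual default and yields the thread's -rw-r--r--
    before=$(create_with_umask "$base/myfiles" before.txt 022)
    # umask 002 keeps the group write bit, which is what the shared setup needs
    after=$(create_with_umask "$base/myfiles" after.txt 002)
    printf '%s %s\n' "$before" "$after"
    rm -rf "$base"
}

# Run the demonstration when executed directly.
[ "${0##*/}" = "sh" ] || demo
```

Running the script prints `rw-r--r-- rw-rw-r--`: the first file is exactly what the original post reported, the second is writable by every member of the directory's group. The umask only affects files created after it is set, so it has to be issued in the Tomcat startup script (or in jsvc's configuration) and in the shell that launches the second Java application, not in an interactive login shell that is not the parent of either process.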