Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Chris, On Wed, Dec 1, 2010 at 10:10 PM, Christopher Schultz ch...@christopherschultz.net wrote: I agree with Mladen: MySQL doesn't actually need root privileges for anything at all, so this is a good description of your desires, but not a really great example. Tomcat doesn't root-privileges either in our situation. We#re not even running on a privileged port (yet). However, where planning to kick out Apache soon and will be running our sites on Tomcat only - that's why we're already using jsvc (call it kond of a test). Still, our security-guidelines demand that Tomcat can only be started / stopped by either a user with root privileges or by a user having those privileges via the sudo-command. On the other hand, the devekopers responsible for their application have to be able to read the logs. Besides, all logs are owned by tomcat:tomcat (as it should be) - the only exception is catalina.out. I guess you agree that this is not what somebody would call consistent behaviour... What does directory is already umasked mean? AFAIK, you can't umask a directory. Do you mean you're using sticky bits? Sorry, my fault: Our general umask is set to 0022 - still, jsvc give root-owbership to catalina.out Is it possible that if catalina.out already exists and is owned by, say, tomcat, that it's ownership will be retained when jsvc opens it for append? If that's the case, you may have simply deleted the file during your upgrade and had it re-created by jsvc (owned by root) after the fact. You picked the right thing here: When catalina.out is owned by tomcat:tomcat, jsvc opens that file for append and doesn't change the ownership. I wouldn't bet my bottom penny on the possibility that with the chowned catalina.out manually to tomcat:tomcat, but I'm quite sure that the ownership was not changed by us before. Unfortunately, I don't have the time to do a check on that one right now. Can you tell us what version of jsvc you were using in the past, and what version you're using now? Before, we've been using an acrhive called jsvc.tar.gz, browsing the CHANGES.txt gives === [ snip ]= JAKARTA COMMONS DAEMON (UNIX) CHANGELOG: Last modified at [$Date: 2005-05-17 10:03:57 +0200 (Tue, 17 May 2005) $] Changes with 1.0.1 === [ snap ]= Now, we're using an archive called commons-daemon-native.tar.gz. Browsing the file RELEASE_NOTES.txt gives === [ snip ]= $Id: RELEASE-NOTES.txt 915160 2010-02-23 03:32:02Z billbarker $ Commons Daemon Package Version 1.0.2 === [ snap ]= Since my workaround seems to be doing what we're expecting, I suggest we call this case closed. Thanks for your support! Cheers Gregor -- just because you're paranoid, don't mean they're not after you... gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2 gpgp-key available @ http://pgpkeys.pca.dfn.de:11371 @ http://pgp.mit.edu:11371/ skype:rc46fi - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
On 12/02/2010 12:05 PM, Gregor Schneider wrote: Besides, all logs are owned by tomcat:tomcat (as it should be) - the only exception is catalina.out. I guess you agree that this is not what somebody would call consistent behaviour... The catalina.out is written by a parent process running under root user. If your developers need to see the stdout of the Tomcat on the production server then you have a serious problem. The first one that I find (well funny) is that they can access the box at the first place. Regards -- ^TM - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Mladen, On Thu, Dec 2, 2010 at 12:37 PM, Mladen Turk mt...@apache.org wrote: On 12/02/2010 12:05 PM, Gregor Schneider wrote: If your developers need to see the stdout of the Tomcat on the production server then you have a serious problem. The first one that I find (well funny) is that they can access the box at the first place. I disagree: Why should that be a problem? I feel that ppl have a problem if they mistrust their developers in so far that they have to lock their box even to their own developers maintaing the apps. And I'm not talking about full access but I'm talking about browsing the logs. Besides, when having a production-problem, one can react quickly if the developer responsible for the app can read the logs. OTOH, some ppl might have no problems with outages and can wait for the logs being mailed / ftp'ed / whatsoever by the usally always busy server-admins...*sic* Cheers Gregor -- just because you're paranoid, don't mean they're not after you... gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2 gpgp-key available @ http://pgpkeys.pca.dfn.de:11371 @ http://pgp.mit.edu:11371/ skype:rc46fi - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
From: Gregor Schneider rc4...@googlemail.com I feel that ppl have a problem if they mistrust their developers in so far that they have to lock their box even to their own developers maintaing the apps. And I'm not talking about full access but I'm talking about browsing the logs. Besides, when having a production-problem, one can react quickly if the developer responsible for the app can read the logs. OTOH, some ppl might have no problems with outages and can wait for the logs being mailed / ftp'ed / whatsoever by the usally always busy server-admins...*sic* I'm living in such an environment. One of the reasons for this separation is fear of quick fixes: production machines are not for testing patches - which otherwise you can bet it would happen if anything beyond log reading would be granted. But we have log reading allowed and everybody is happy - both paranoids and genies. JC - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Konstantin, On Tue, Nov 30, 2010 at 9:42 PM, Konstantin Kolinko knst.koli...@gmail.com wrote: The above one is tomcat-native, aka Tomcat-Apr, a library that provides code for Http11AprProtocol and AjpAprProtocol connectors. This one is commons-daemon, which gives you jsvc. http://commons.apache.org/daemon/jsvc.html Thanks for pointing me to this - I got mixed up since both contain native within their archive-names. Thanks! Gregor -- just because you're paranoid, don't mean they're not after you... gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2 gpgp-key available @ http://pgpkeys.pca.dfn.de:11371 @ http://pgp.mit.edu:11371/ skype:rc46fi - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Christopher,
On Tue, Nov 30, 2010 at 10:33 PM, Christopher Schultz
ch...@christopherschultz.net wrote:
Apache httpd acts this way:
Sure, since Apache is usually started within root-context (sbin) -
so that does make sense.
When talking about servers, I'm not talking about a webserver but a
server such as Debian, RedHat etc.
And if you take a look into /var/logs, you can see exactly, that the
logs inside this directory partly don't belong to root as long as they
are not run within a root-context.
A good example ist mysql:
-rw-rw 1 mysql adm 344379 2009-09-30 12:13 mysql-full.log
And this is exactly the way it should be.
For the rest, I'm completely with you, and the solutions you pointed
out will work and already crossed my mind, except that the directory
is alreday umasked to 0022, still, catalina.out gives
-rw--- 1 root root7395 2010-12-01 11:51 catalina.out
Any hints on that?
But what's really puzzling me - and for which I don't have any
explanation - is, that with the old version of jsvc, catalina.out had
${TOMCAT_USER}-ownership (mind you: in the startup-script there's a
su ${TOMCAT-USER} before starting jsvc), and to me it seems that this
has changed with the new version.
Furthermore, I'd like to give you some insights of a Real
Life-external-managed-services-root-server-installation within a big
financial coperation:
Here - and in quite some other companies I do know - it's common
practice to host the servers externally, having managed services.
Usually, this implies that you don't have root-access, simply for
liability-reasons. However, only basic Tomcat-maintenance is done by
the external hoster, and when deploying new webapps, our developers
need to be able to read al logs.
Therefore, such a behaviour as seen by the latest jsvc is making
developer's life quite complicated.
Anyhow, I guess I'll go for a chown inside the startup-script for now.
Thanks
Gregor
--
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
skype:rc46fi
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Gregor, (by the way, hi!)
But what's really puzzling me - and for which I don't have any
explanation - is, that with the old version of jsvc, catalina.out had
${TOMCAT_USER}-ownership (mind you: in the startup-script there's a
su ${TOMCAT-USER} before starting jsvc), and to me it seems that this
has changed with the new version.
As far as I know, these startup scripts are created by the packagers of Debian, RedHat
etc.. when they wrap Tomcat in a platform-specific package.
/They/ are the ones who decide how they call up jsvc, where the logfiles go, under what
permissions etc..
There is no trace of jsvc in my (catalina_home)/bin/*.sh files.
And in general, these packaged Tomcats do not use these .sh scripts anyway, everything
happens in /etc/init.d/tomcat...
So maybe you should discuss this issue with the packagers for Debian, RedHat
etc..
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Hi André, long time no see ;) On Wed, Dec 1, 2010 at 12:20 PM, André Warnier a...@ice-sa.com wrote: As far as I know, these startup scripts are created by the packagers of Debian, RedHat etc.. when they wrap Tomcat in a platform-specific package. /They/ are the ones who decide how they call up jsvc, where the logfiles go, under what permissions etc.. That's actually not the case: The startaup-script for Tomcat native comes with the jscv-sources, meaning it's *not* some pre-packaged Debian-thing. However, I guess I know what's going on: The script is started from user Tomcat via sudo. One parameter for jsvc is the parameter user. When invoking jsvc with --help, is says: - [ cut] -user user user used to run the daemon (defaults to current user) - [ cut] Seems somehow to work, since a ps -aux | more | grep tomcat gives tomcat 29386 0.9 3.4 1651348 139244 ? Sl 16:31 0:25 jsvc.exec -user tomcat -home /home/tomcat/local/jdk15/ -Dcatalina.home=/home/tomcat/local/tomcat55/ -Dcatalina.base=/home/tomcat/local/tomcat55/ -Djava.io.tmpdir=/var/tmp -Dlog4j.configuration=log4j.xml -wait 10 -pidfile /var/run/jsvc.pid -outfile /home/tomcat/local/tomcat55//logs/catalina.out -errfile 1 -Xmx1024m -XX:PermSize=256m -XX:+DisableExplicitGC -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=/home/tomcat/local/tomcat55//conf/logging.properties -Xdebug -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=n -cp /home/tomcat/local/jdk15//lib/tools.jar:/home/tomcat/local/tomcat55//bin/commons-daemon.jar:/home/tomcat/local/tomcat55//bin/bootstrap.jar org So you can clearly see, that the process is started from user tomcat, although the startup-script is started in root-context (due to the sudo-command). jsvc is *not* forking a jvm, but wrapping it and starting it with it's own user-context, although it's supposed to change the user-context according to the help-text I've listed above. And I would be so picky if it had the same behaviour with version 5.5.20, but in 5.5.20 catalina.out had tomcat-ownership. So it seems, somebody changed something here, and I'm even too dumb to find anything in the changelogs, which I wouldn't like at all, either being a tomcat-user or a comitter... For the time being, I put this little fix into the startup-script, but still, I'm not too happy with this hack: # # workaround to prevent root-ownership for catalina.out # if [ ! -f $CATALINA_HOME/logs/catalina.out ]; then touch $CATALINA_HOME/logs/catalina.out chown $TOMCAT_USER $CATALINA_HOME/logs/catalina.out else OWNER=`ls -l $CATALINA_HOME/logs/catalina.out | grep $TOMCAT_USER` if [ -z $OWNER ]; then chown $TOMCAT_USER:$TOMCAT_USER $CATALINA_HOME/logs/catalina.out fi fi # # end workaround # Cheers! Gregor -- just because you're paranoid, don't mean they're not after you... gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2 gpgp-key available @ http://pgpkeys.pca.dfn.de:11371 @ http://pgp.mit.edu:11371/ skype:rc46fi - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Gregor Schneider wrote: Hi André, long time no see ;) On Wed, Dec 1, 2010 at 12:20 PM, André Warnier a...@ice-sa.com wrote: As far as I know, these startup scripts are created by the packagers of Debian, RedHat etc.. when they wrap Tomcat in a platform-specific package. /They/ are the ones who decide how they call up jsvc, where the logfiles go, under what permissions etc.. That's actually not the case: The startaup-script for Tomcat native comes with the jscv-sources, meaning it's *not* some pre-packaged Debian-thing. Ok, I did not know that, because (should I admit this here?) I /do/ use the pre-packaged things. And these pre-packaged things (sometimes) use another trick : rm -rf $CATALINA_BASE/logs/catalina.out mkfifo -m700 $CATALINA_BASE/logs/catalina.out su -p -s /bin/sh $TOMCAT5_USER \ -c $ROTATELOGS \$CATALINA_BASE/logs/catalina_%F.log\ 86400 \ $CATALINA_BASE/logs/catalina.out su -p -s /bin/sh $TOMCAT5_USER \ -c \$DAEMON\ start $STARTUP_OPTS \ $CATALINA_BASE/logs/catalina.out 21 So they start by making catalina.out a fifo (a named pipe ?), then arrange for rotatelogs (from Apache httpd) to read from it and rotate it, then they have Tomcat write to it. If you arrange for the last su to run jsvc instead of Tomcat directly, then it achieves the same purpose as your trick. A bit more complex, but it does have rotation by rotatelogs extra, with lots of options. (Other versions direct this to SYSLOG). - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
On 12/01/2010 11:55 AM, Gregor Schneider wrote: Sure, since Apache is usually started within root-context (sbin) - so that does make sense. Right but it drops the user to apache if instructed to do so. Even then logs are root owned, and this is security precaution (like with jsvc) And if you take a look into /var/logs, you can see exactly, that the logs inside this directory partly don't belong to root as long as they are not run within a root-context. A good example ist mysql: This is not good example. mysql doesn't need to run on privileged port, and if your tomcat doesn't need to run on port 80, and you don't wish to secure your installation why using jsvc at the first place? Regards -- ^TM - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Can someone explain to me why logging as the tomcat user is a security risk? I don't like that behaviour but then again I don't understand it. Regards, Wesley Acheson On Wed, Dec 1, 2010 at 6:41 PM, Mladen Turk mt...@apache.org wrote: On 12/01/2010 11:55 AM, Gregor Schneider wrote: Sure, since Apache is usually started within root-context (sbin) - so that does make sense. Right but it drops the user to apache if instructed to do so. Even then logs are root owned, and this is security precaution (like with jsvc) And if you take a look into /var/logs, you can see exactly, that the logs inside this directory partly don't belong to root as long as they are not run within a root-context. A good example ist mysql: This is not good example. mysql doesn't need to run on privileged port, and if your tomcat doesn't need to run on port 80, and you don't wish to secure your installation why using jsvc at the first place? Regards -- ^TM - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gregor,
On 12/1/2010 5:55 AM, Gregor Schneider wrote:
And if you take a look into /var/logs, you can see exactly, that the
logs inside this directory partly don't belong to root as long as they
are not run within a root-context.
A good example ist mysql:
-rw-rw 1 mysql adm 344379 2009-09-30 12:13 mysql-full.log
I agree with Mladen: MySQL doesn't actually need root privileges for
anything at all, so this is a good description of your desires, but not
a really great example.
For the rest, I'm completely with you, and the solutions you pointed
out will work and already crossed my mind, except that the directory
is alreday umasked to 0022, still, catalina.out gives
-rw--- 1 root root7395 2010-12-01 11:51 catalina.out
What does directory is already umasked mean? AFAIK, you can't umask a
directory. Do you mean you're using sticky bits?
But what's really puzzling me - and for which I don't have any
explanation - is, that with the old version of jsvc, catalina.out had
${TOMCAT_USER}-ownership (mind you: in the startup-script there's a
su ${TOMCAT-USER} before starting jsvc), and to me it seems that this
has changed with the new version.
Is it possible that if catalina.out already exists and is owned by, say,
tomcat, that it's ownership will be retained when jsvc opens it for
append? If that's the case, you may have simply deleted the file during
your upgrade and had it re-created by jsvc (owned by root) after the fact.
Can you tell us what version of jsvc you were using in the past, and
what version you're using now?
I can't seem to find a readable changelog on the commons-daemon site. :(
On the other hand, it looks like jsvc hasn't had any changes in years.
Furthermore, I'd like to give you some insights of a Real
Life-external-managed-services-root-server-installation within a big
financial corperation:
Here - and in quite some other companies I do know - it's common
practice to host the servers externally, having managed services.
Usually, this implies that you don't have root-access, simply for
liability-reasons. However, only basic Tomcat-maintenance is done by
the external hoster, and when deploying new webapps, our developers
need to be able to read al logs.
Therefore, such a behaviour as seen by the latest jsvc is making
developer's life quite complicated.
Anyhow, I guess I'll go for a chown inside the startup-script for now.
What happens if you do something like this in your startup script:
touch $CATALINA_OUT
jsvc -outfile $CATALINA_OUT
That ought to create $CATALINA_OUT using the current user's
permissions. I'll have to look at the code to see what jsvc tries to do
if the file exists. Or, I could just run it myself :)
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkz2uakACgkQ9CaO5/Lv0PB5lwCeK3ukeoTfh0prHMOfSGB1QqFo
rXQAn1hbFI2e9TY39DfTEWKugm2nVWXj
=SC9Y
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Hi guys,
we had some issues due to a memory-leak here and used this opportunity
to upgrade our Tomcat from 5.5.20 to 5.5.31.
Here's our current environment:
tom...@www2:~/local/tomcat55/bin$ ./version.sh
Using CATALINA_BASE: /home/tomcat/local/tomcat55
Using CATALINA_HOME: /home/tomcat/local/tomcat55
Using CATALINA_TMPDIR: /home/tomcat/local/tomcat55/temp
Using JRE_HOME:/home/tomcat/local/jdk15/
Using CLASSPATH: /home/tomcat/local/tomcat55/bin/bootstrap.jar
Server version: Apache Tomcat/5.5.31
Server built: Sep 4 2010 12:53:08
Server number: 5.5.31.0
OS Name:Linux
OS Version: 2.6.18-3-amd64
Architecture: amd64
JVM Version:1.5.0_10-b03
JVM Vendor: Sun Microsystems Inc.
The interesting options inside our startup-script are
[ ...]
TOMCAT_USER=tomcat
[...]
echo Starting tomcat
$DAEMON_HOME/bin/jsvc \
-user $TOMCAT_USER \
-home $JAVA_HOME \
-Dcatalina.home=$CATALINA_HOME \
-Dcatalina.base=$CATALINA_BASE \
-Djava.io.tmpdir=$TMP_DIR \
-Dlog4j.configuration=log4j.xml \
-wait 10 \
-pidfile $PID_FILE \
-outfile $CATALINA_HOME/logs/catalina.out \
-errfile '1' \
$JAVA_OPTS \
$CATALINA_OPTS \
-cp $CLASSPATH \
org.apache.catalina.startup.Bootstrap
exit $?
;;
What's really puzzling me, is, that since we upgraded Tomcat,
catalina.out is not owned by the user specified in $TOMCAT_USER any
more but is owned by root.
All other files are owned by $TOMCAT_USER as expected.
What did we change?
Well, in the old version, there was the archive tomcat-native.tar.gz
containing the sources for the native wrapper.
Now, with Tomcat 5.5.31, there's a new archive
commons-daemon-native.tar.gz, which also contains the native wrapper
sources - however, the old one is also coming with the
5.5.31-distribution.
I couldn't find anything in the docs saying we've changed the
native-wrapper-implementation - use the new one or similar. So I
guessed that the old one might be depricated, so I used the sources
from commons-daemon-native.tar.gz.
Works like charm, the only catch is, as described above, that
catalina.out now is owned by root. Before, said file was owned by
$TOMCAT_USER
This is really a PITA, since we don't want to grant root-access to the
Tomcat-developers.
Could somebody in this list please explain, either what I'm missing
here, and also, what's the difference between the two
native-wrapper-versions?
When checking for the jsvc-parameters with ./jsvc -help, I
recognized that the parameter -user didn't change.
I'm aware that I could patch the startup-script by inserting something
like chown ${TOCMAT_USER} ${CATALINA_HOME}/logs/catalina.out,
however, to me this seems only like the 2nd best solution.
Any hints very much appreciated!
Cheers
Gregor
--
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
skype:rc46fi
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
On 11/30/2010 07:31 PM, Gregor Schneider wrote: Hi guys, What's really puzzling me, is, that since we upgraded Tomcat, catalina.out is not owned by the user specified in $TOMCAT_USER any more but is owned by root. Believe it or not, this is intentional and correct behavior. Almost any server behaves like that. If we could fork jvm, I'd make sure all log files are root:root. Could somebody in this list please explain, either what I'm missing here, and also, what's the difference between the two native-wrapper-versions? Different naming. Regards -- ^TM - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
2010/11/30 Gregor Schneider rc4...@googlemail.com: Well, in the old version, there was the archive tomcat-native.tar.gz containing the sources for the native wrapper. The above one is tomcat-native, aka Tomcat-Apr, a library that provides code for Http11AprProtocol and AjpAprProtocol connectors. http://tomcat.apache.org/native-doc/ http://tomcat.apache.org/tomcat-6.0-doc/config/http.html Now, with Tomcat 5.5.31, there's a new archive commons-daemon-native.tar.gz, which also contains the native wrapper sources - however, the old one is also coming with the 5.5.31-distribution. This one is commons-daemon, which gives you jsvc. http://commons.apache.org/daemon/jsvc.html Any hints very much appreciated! I do not really know what caused the issue that you are observing. You may look at the commons-daemon sources, changelog and ask/search on their mailing list (I do not see a changelog in their docs. Here is a JIRA link: https://issues.apache.org/jira/browse/DAEMON?report=com.atlassian.jira.plugin.system.project:changelog-panel Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
Mladen, Believe it or not, this is intentional and correct behavior. Almost any server behaves like that. thanks for sharing your views on this one, which I, however, do not share at all besides, no server behaves like you're stating: if an application is started in a non-root-context and producing any output such as log-files, those files usually are owned by the user in whose context the application is running. besides, superuser root can watch / edit those files anyway. and what sense should any generated output make, if the app-owner is not able fo read those files, esp. when those files contain stuff such as logging-information? therefor, in my humble oppinion, i'd consider such a behaviour as a bug violating one of the essential patterns called delegation. so much for that, if you'd like to share any information, if this behaviour within the native wrapper has been changed intentionally and if so, why it has been changed, i'd really appreciate this. same goes for fhe possibility if i misconfigured anything. thanks best regards gregor
Re: New jsvc (commons-daemon-native); catalina.out is owned by root - WTF?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Gregor, On 11/30/2010 4:18 PM, Gregor Schneider wrote: Mladen, Believe it or not, this is intentional and correct behavior. Almost any server behaves like that. thanks for sharing your views on this one, which I, however, do not share at all besides, no server behaves like you're stating: Apache httpd acts this way: $ ls -l /usr/sbin/apache2 - -rwxr-xr-x 1 root root 365308 Apr 19 2010 /usr/sbin/apache2 $ grep ErrorLog /etc/apache2/apache2.conf # ErrorLog: The location of the error log file. # If you do not specify an ErrorLog directive within a VirtualHost ErrorLog /var/log/apache2/error.log $ sudo ls -l /var/log/apache2/error.log - -rw-r- 1 root adm 16813 Nov 30 15:33 /var/log/apache2/error.log Looks like root ownership to me. if an application is started in a non-root-context and producing any output such as log-files, those files usually are owned by the user in whose context the application is running. Try running 'stat jsvc' and tell us who the user context should be? besides, superuser root can watch / edit those files anyway. and what sense should any generated output make, if the app-owner is not able to read those files, esp. when those files contain stuff such as logging-information? therefor, in my humble opinion, i'd consider such a behaviour as a bug Patches are always welcome :) How about something like a new option for jsvc -outfilePriv unprivileged|privileged or something: that would indicate that the log file should be opened either before or after root privileges are dropped. Also, have you tried setting your umask before launching jsvc? You may get a lot of mileage out of umask 0022 jsvc ... Hope that helps, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkz1bZ4ACgkQ9CaO5/Lv0PD4EQCgnwQzsIrgHe1E/QOxouZ0kyY4 R3UAoKoVj9KoMY/joXvIfHpUJ1D/1R8X =ExC+ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
