Permissions of File Created by Tomcat

2008-04-20 Thread Daniel J Hulme

Hi,

I'm running a WebService using Tomcat 5.5 on Ubuntu 7.10 with Axis2.

Files (and directories) are created by this service on a local directory:

/myfiles/

The permissions of the new directories and files in this directory are:

Directories: 'drwxr-xr-x 2 tomcat55 nogroup  4096'
Files:       '-rw-r--r-- 1 tomcat55 nogroup 10041'

The problem is, if I want to access (write) these files using, say, a java
application, it gives me:

 java.io.FileNotFoundException: /myfiles/aDir/aFile.txt (Permission denied)

How can I either:

1. Gain write access to these files (without having to constantly change the
permissions in the command prompt, and without running my java application
with 'root' access).

2. Create the files/dirs from tomcat with 'write access'

3. Other

Thanking you in advance.

Daniel
-- 
View this message in context: 
http://www.nabble.com/Permissions-of-File-Created-by-Tomcat-tp16792720p16792720.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Permissions of File Created by Tomcat

2008-04-20 Thread Alan Chaney

This is really a linux permissions issue.

How are you starting tomcat? with the $TOMCAT_HOME/bin/startup.sh or 
with jsvc or are you using an ubuntu startup script?


You don't say anything about the user who will run the java application.

Generally, the way to control the access permissions with which files 
are created in linux is to call 'umask' with the correct parameters. As 
mentioned before on this list umask is a shell command, so you must do 
it at the correct point or severely weaken the overall security of your 
installation.


You need to do the following:

1. decide which user or users will be executing tomcat and the java 
application.
2. If you decide that you need to have two separate users, then make 
them both in the same group.
3. Use umask in the tomcat startup script and/or the shell in which you 
run your application to set appropriate access permissions - GIYF


As an aside, if you are going to have two different processes writing 
these shared files you may also have to consider locking issues - maybe 
you have already done this.


Regards

Alan Chaney








Re: Permissions of File Created by Tomcat

2008-04-20 Thread Daniel J Hulme

Alan, this is very useful, thank you.

After a bit of Googling I decided to upgrade to Tomcat6 (apparently it has
less security issues with Ubuntu). This means that the files/dirs are now
created (from the tomcat app) by 'root:root' (with the same permissions
described in my first post).

However, I still have the same problem. I'm running a java program (not as
'root'), and need write access to these files. And I'm not allowed to run my
java app as 'root'.

I'm pretty new to linux, so your help (i.e. command examples) is much
appreciated.

Daniel




-- 
View this message in context: 
http://www.nabble.com/Permissions-of-File-Created-by-Tomcat-tp16792720p16795633.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Permissions of File Created by Tomcat

2008-04-20 Thread Alan Chaney

Hi Daniel

Really the issues are to do with the JVM and linux rather more than 
tomcat directly. I can't claim to be a linux guru but you should look at 
it in the following way: any application which runs on linux is 'owned' 
by a user. There are two classifications - 'system' users and 'normal' 
users. System users have UIDs which are less than 1024 and can invoke 
privileged services. 'root' is a system (privileged) user.


One issue which often seems to confuse people is that the JVM is a 
program not an operating system. When you 'run tomcat' you are actually 
invoking java on the tomcat bootstrap.jar. See the javadocs 
http://tomcat.apache.org/tomcat-6.0-doc/api/index.html for more details.


My point here is that java is 'just another program' to linux, and all 
the permissions rules apply to the user invoking an application. You say 
that tomcat is now running as root (which is a BAD THING) which implies 
that you are:


a. logging in as root and starting tomcat
OR
b. letting tomcat be started by a sys init process.

One decision you must make is whether or not tomcat should be allowed to 
access privileged ports (e.g. port 80).
If so, then you should start tomcat using something like jsvc (see 
http://commons.apache.org/daemon/index.html)
which, when properly configured, will allow you to start an app as root, 
bind tomcat to port 80 and then switch to a 'tomcat' user. You can set 
umask permissions as appropriate in the startup script.


If you intend to run tomcat with its default port of 8080 (or any 
non-privileged port) things are a bit simpler. Create a user on your 
system (maybe 'mytomcat') and then simply start the tomcat 
./bin/startup.sh as this user by something like:


su mytomcat -c "$TOMCAT_HOME/bin/startup.sh"

from within the init script.

You can, of course, su to the user you are running the other java 
program as, then tomcat and your app will have the same user privileges 
- or you can create a tomcat group, make this the main group for your 
tomcat user, add it as another group to your 'application' user and set 
the appropriate umask (002) to allow group read/write (you must also set 
the directory permissions accordingly - set the 's' bit)


Please note that these are only pointers, not a rigorous set of 
instructions. The reality is that if you want to do anything serious in 
linux you must learn the ins and outs of 'bash' and this list is not really 
the place to do that.


HTH

Alan
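
The shared-group, umask and setgid arrangement outlined in the replies above, as an added example that is not part of the original thread: it runs unprivileged in a temporary directory and compares the modes produced by umask 022 and umask 002 inside a setgid directory. The group name "tomcat", the user "appuser", the helper function names and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux with GNU stat.
#
# One-time setup as root, following the reply's outline. The group name
# "tomcat" and the user "appuser" are assumptions; "mytomcat" and /myfiles
# come from the thread:
#   groupadd tomcat
#   usermod -g tomcat mytomcat      # primary group of the Tomcat user
#   usermod -aG tomcat appuser      # extra group for the application user
#   chgrp tomcat /myfiles
#   chmod 2775 /myfiles             # rwxrwsr-x: the 2 is the setgid ('s') bit
# Then put "umask 002" in the Tomcat startup script before the JVM starts.

# Print the octal permission bits of a path.
mode_of() {
    stat -c '%a' "$1"
}

# Create one file and one subdirectory in directory $1 under umask $2
# and print "<file mode> <subdirectory mode>". The umask is changed in a
# subshell so the caller's umask is left untouched.
create_with_umask() {
    dir=$1
    mask=$2
    (
        umask "$mask"
        : > "$dir/file_$mask"
        mkdir "$dir/sub_$mask"
    )
    echo "$(mode_of "$dir/file_$mask") $(mode_of "$dir/sub_$mask")"
}

# Compare the common default umask 022 with 002 inside a setgid directory.
demo() {
    d=$(mktemp -d) || return 1
    chmod 2775 "$d"
    echo "umask 022: $(create_with_umask "$d" 022)"   # group cannot write
    echo "umask 002: $(create_with_umask "$d" 002)"   # group can write
    rm -rf "$d"
}

demo
```

The rw-r--r-- and rwxr-xr-x modes in the first post are what umask 022 produces; with 002 the group gains write access, and the setgid bit on the parent directory makes new files and subdirectories take the directory's group instead of the creator's primary group.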



Re: Permissions of File Created by Tomcat

2008-04-20 Thread Daniel J Hulme

-- 
View this message in context: 
http://www.nabble.com/Permissions-of-File-Created-by-Tomcat-tp16792720p16800534.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

