Udam Dewaraja wrote:
Hi all,

I'm stumped on a seemingly java/tomcat related issue and am hoping someone
can provide some help.


We have two users ('user1' and 'user2') on our linux server that share the
same group ('group1'). User 'user1' writes some files that have the
following permissions:

-rw-r----- 1 user1 group1  788 Sep  5 19:42 file.log

The folder containing this file has the following permissions:

drwxr-xr--  2 user1 group1  4096 Sep  5 19:42 log


The tomcat web app is launched as user 'user2'. Below is the ps output for
the process. I've also verified that the java web app is running with gid
of the shared group 'group1'.


user2    31920 31919 99 21:30 ?        00:00:36 /usr/local/jre/bin/java
.... org.apache.catalina.startup.Bootstrap start

When the web app tries to read the file, *it gets the following exception*:

java.io.FileNotFoundException: /foo/bar/data/log/file.log (Permission denied)
at java.io.RandomAccessFile.open(Native Method)
at java.io.RandomAccessFile.<init>(RandomAccessFile.java:233)
at java.io.RandomAccessFile.<init>(RandomAccessFile.java:118)
        …
at java.lang.Thread.run(Thread.java:679)


However, while logged in as 'user2', I can run a simple
cat /foo/bar/data/log/file.log and *I can read the contents of the file*.

Also, if I provide 'other' read permissions to the file (e.g. -rw-r--r--
1 user1 group1  788 Sep  5 19:42 file.log), *the web app is able to read
the file*.

If I write a sample java application that tries to read this file and
execute it while logged in as 'user2', again *Java is able to read the file.*


Tomcat doesn't seem to be using any security policy as far as I can tell.
Any ideas why the group permissions seem to be ignored by tomcat?


Nothing to do with Tomcat I think.
Maybe it is because java.io.RandomAccessFile is a read/write kind of file, and the group just has read permission?
All your tests involve reading, not writing, and reading is allowed for the group.

Google for java.io.RandomAccessFile.
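
Added example, not part of the original thread or of Tomcat's code: a small Java program showing how the open mode passed to java.io.RandomAccessFile interacts with file permissions. It assumes a Linux/POSIX filesystem and a non-root user; the class name, the helper tryOpen and the temp file are constructed for illustration, and the caller holds read-only access as owner rather than through a group.

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

public class RafModeDemo {

    // Hypothetical helper: open the file with the given RandomAccessFile
    // mode ("r" or "rw") and describe what happened.
    static String tryOpen(Path file, String mode) throws IOException {
        try (RandomAccessFile raf = new RandomAccessFile(file.toFile(), mode)) {
            return "mode \"" + mode + "\": opened, length=" + raf.length();
        } catch (FileNotFoundException e) {
            // A permission failure in open(2) surfaces in Java as
            // FileNotFoundException with "(Permission denied)" in the message.
            return "mode \"" + mode + "\": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample file standing in for file.log.
        Path file = Files.createTempFile("file", ".log");
        try {
            Files.write(file, "sample log line\n".getBytes(StandardCharsets.UTF_8));

            // Leave the caller with read access only (no write bit anywhere).
            Files.setPosixFilePermissions(file,
                    PosixFilePermissions.fromString("r--r-----"));

            // "r" requests read-only access and succeeds with the read bit.
            System.out.println(tryOpen(file, "r"));

            // "rw" requests read and write access, so it fails without the
            // write bit (root bypasses this check, so run as a normal user).
            System.out.println(tryOpen(file, "rw"));
        } finally {
            Files.delete(file);
        }
    }
}
```

Checking which mode string the application passes to the RandomAccessFile constructor shows which of the two cases applies.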
