On Thu, Sep 06, 2012 at 10:50:30AM -0700, Udam Dewaraja wrote:
> Hi all,
>
> I'm stumped on a seemingly Java/Tomcat-related issue and am hoping someone
> can provide some help.
>
>
> We have two users ('user1' and 'user2') on our Linux server that share the
> same group ('group1'). User 'user1' writes some files that have the
> following permissions:
>
> -rw-r----- 1 user1 group1 788 Sep 5 19:42 file.log
>
> The folder containing this file has the following permissions:
>
> drwxr-xr-- 2 user1 group1 4096 Sep 5 19:42 log
>
>
> The Tomcat web app is launched as user 'user2'. Below is the ps output for
> the process. I've also verified that the Java web app is running with gid
> of the shared group 'group1'.
>
>
> user2 31920 31919 99 21:30 ? 00:00:36 /usr/local/jre/bin/java
> .... org.apache.catalina.startup.Bootstrap start
>
> When the web app tries to read the file, *it gets the following exception*:
>
> java.io.FileNotFoundException: /foo/bar/data/log/file.log (Permission
> denied)
> at java.io.RandomAccessFile.open(Native Method)
> at java.io.RandomAccessFile.<init>(RandomAccessFile.java:233)
> at java.io.RandomAccessFile.<init>(RandomAccessFile.java:118)
> …
> at java.lang.Thread.run(Thread.java:679)
>
>
> However, while logged in as 'user2', I can run a simple
> cat /foo/bar/data/log/file.log and *I can read the contents of the file*.
>
> Also, if I provide 'other' read permissions to the file (e.g. -rw-r--r--
> 1 user1 group1 788 Sep 5 19:42 file.log), *the web app is able to read
> the file*.
>
> If I write a sample Java application that tries to read this file and
> execute it while logged in as 'user2', again *Java is able to read the file.*
>
>
> Tomcat doesn't seem to be using any security policy as far as I can tell.
> Any ideas why the group permissions seem to be ignored by Tomcat?
>
Please try to check ulimit (pam) settings in your OS.
--
Peter Benko
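
To compare the credentials a running process actually holds with the modes quoted above, this added example (not part of the thread) evaluates the Unix owner/group/other check from the text of `/proc/<pid>/status`. The numeric ids and both status excerpts are constructed; it ignores root privileges, ACLs, and the directories above `log`.

```python
# Added example. Constructed ids: user1=1001, user2=1002, group1=2001.

def parse_creds(status_text):
    """Return (fsuid, fsgid, supplementary gids) from /proc/<pid>/status text."""
    fields = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    # Uid/Gid columns: real, effective, saved, filesystem. File access
    # checks use the filesystem ids plus the supplementary group list.
    groups = {int(g) for g in fields.get("Groups", [])}
    return int(fields["Uid"][3]), int(fields["Gid"][3]), groups

def mode_bits(ls_mode):
    """Convert a plain ls -l mode string such as 'drwxr-xr--' to permission bits."""
    return int("".join("0" if c == "-" else "1" for c in ls_mode[1:10]), 2)

def access_class(creds, owner_uid, owner_gid):
    """Exactly one class is used; a group member never falls through to 'other'."""
    fsuid, fsgid, groups = creds
    if fsuid == owner_uid:
        return "owner"
    if owner_gid == fsgid or owner_gid in groups:
        return "group"
    return "other"

def allowed(creds, entry, want):
    """entry = (ls_mode, owner_uid, owner_gid); want: 4 read, 2 write, 1 search."""
    ls_mode, uid, gid = entry
    shift = {"owner": 6, "group": 3, "other": 0}[access_class(creds, uid, gid)]
    return ((mode_bits(ls_mode) >> shift) & want) == want

def can_read(creds, directory, file):
    """Reading a file needs search (x) on its directory and read (r) on the file."""
    return allowed(creds, directory, 1) and allowed(creds, file, 4)

# Constructed /proc/<pid>/status excerpts for a process running as user2.
WITH_GROUP = "Uid:\t1002\t1002\t1002\t1002\nGid:\t1002\t1002\t1002\t1002\nGroups:\t1002 2001\n"
WITHOUT_GROUP = "Uid:\t1002\t1002\t1002\t1002\nGid:\t1002\t1002\t1002\t1002\nGroups:\t1002\n"

LOG_DIR = ("drwxr-xr--", 1001, 2001)   # mode strings copied from the post
LOG_FILE = ("-rw-r-----", 1001, 2001)

if __name__ == "__main__":
    for label, status in (("group1 present", WITH_GROUP), ("group1 absent", WITHOUT_GROUP)):
        creds = parse_creds(status)
        print(label, access_class(creds, 1001, 2001), can_read(creds, LOG_DIR, LOG_FILE))
```

On a live system the input would be the contents of `/proc/<pid>/status` for the Tomcat process, and the owner ids would come from `stat` on the file and directory.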