List, I'm trying to secure my tomcat instances. One of the steps I took was to run the tomcat process using the non-privileged "tomcat" user, and set the file system permissions as restrictive as possible. It all works well, but there is something missing: "The tomcat user is able to read the access log files":
root@7083cdc8e2fc:/apps/tomcat/logs# ls -la
...
-rw-rw---- 1 tomcat tomcat 0 Dec 1 19:46 0.0.0.0_access_log.2015-12-01.txt

Is there any way to configure tomcat to be able to write to the access log file, but have the file owned by root with permissions 600? I understand that this is done by starting the tomcat process as root and then dropping privileges using setuid(), but was unable to find something already built / well documented.

Ideas?

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
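The mechanism the question describes (start privileged, open the log, then drop to the service account with setuid()) as an added, stand-alone example; it is not code from this thread, from Tomcat or from w3af. The wrapper, its function names and the sample log line are constructed for illustration; the defaults drop to the caller's own uid/gid so it also runs unprivileged, and only when started as root with the tomcat account's uid/gid does it produce the root-owned 0600 file asked about.

```python
import os
import stat
import tempfile

# Constructed sample line in Tomcat's default AccessLogValve "common" pattern.
SAMPLE_LINE = b'127.0.0.1 - - [01/Dec/2015:19:46:00 +0000] "GET / HTTP/1.1" 200 11\n'


def open_log_privileged(path):
    """Open (or create) the access log for append while still privileged.

    Must run BEFORE privileges are dropped: the file is created by the
    starting user (root, in the Tomcat scenario) with mode 0600, and the
    returned descriptor stays writable after setuid() because Unix checks
    permissions at open() time, not on every write().
    """
    fd = os.open(path,
                 os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW,
                 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise RuntimeError("%s is not a regular file" % path)
        # The umask, or a pre-existing file, may have left looser bits.
        os.fchmod(fd, 0o600)
    except Exception:
        os.close(fd)
        raise
    return fd


def drop_privileges(uid, gid):
    """Irreversibly switch to uid/gid. Order matters: groups, then gid, then uid."""
    if os.geteuid() == 0:
        os.setgroups([])      # only root may clear supplementary groups
    os.setgid(gid)            # gid first: after setuid() we could no longer change it
    os.setuid(uid)            # as root this sets real, effective and saved uid
    if uid != 0:
        # Prove the drop is permanent: regaining root must fail.
        try:
            os.setuid(0)
        except PermissionError:
            pass
        else:
            raise RuntimeError("privilege drop was not permanent")
    return os.getuid(), os.geteuid(), os.getgid()


def can_reopen(path):
    """Whether the current (dropped) user could open the log by path."""
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_APPEND))
        return True
    except PermissionError:
        return False


def run_demo(path=None, uid=None, gid=None):
    """Open as the starting user, drop to uid/gid, then keep writing via the fd."""
    if path is None:
        # Hypothetical location; a fresh directory so the file is created here.
        path = os.path.join(tempfile.mkdtemp(prefix="tomcat_logs."), "access_log.txt")
    uid = os.getuid() if uid is None else uid
    gid = os.getgid() if gid is None else gid
    starting_uid = os.geteuid()

    fd = open_log_privileged(path)
    drop_privileges(uid, gid)
    written = os.write(fd, SAMPLE_LINE)   # still works: fd was opened before the drop
    os.close(fd)

    st = os.stat(path)
    return {
        "path": path,
        "mode": stat.S_IMODE(st.st_mode),
        "owner_is_starting_user": st.st_uid == starting_uid,
        "bytes_written": written,
        "reopen_allowed_after_drop": can_reopen(path),
    }


if __name__ == "__main__":
    # As root: run_demo("/apps/tomcat/logs/access_log.txt", tomcat_uid, tomcat_gid)
    print(run_demo())
```

Run as root with the tomcat account's ids, `reopen_allowed_after_drop` comes back False while the write through the inherited descriptor still succeeds, which is exactly the property wanted. The caveat for Tomcat itself: AccessLogValve opens its files by path from inside the JVM, after the process is already running as tomcat, so a descriptor opened by a root wrapper cannot simply be handed to the valve; the pattern above is what a launcher such as jsvc (Apache Commons Daemon, `-user`) applies to the process as a whole, not to individual log files.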