
Application log file permissions with Tomcat 8.5 vs. 8.0

 
Andreas Roerig
Greenhorn
Hi,

I upgraded the Tomcat for our web application from Tomcat 8.0 to Tomcat 8.5.
Tomcat runs as user tomcat under Ubuntu 14.04.
The web application writes logfiles using log4j.
With Tomcat 8.0 the file permissions for the logfiles were:



After the upgrade to 8.5 the file permissions are:



I have no clue why this happened and I would prefer the permissions as they were before the upgrade to allow read access to the logfiles for the developers.
The log4j configuration has not been changed.

Can anybody tell me what happened here and how I can change that?

Best regards
Andreas
 
Tim Holloway
Saloon Keeper
Did you by any chance also upgrade the OS or server machine as well?

According to all the sources I could find, the log4j files are given the permissions that are determined by the (tomcat) user's umask. So setting the Tomcat user umask should solve the problem.

However, logfiles often have sensitive information in them, so rather than open them to the entire world (not to mention any other files that the Tomcat user creates), you should first consider what users actually NEED to be able to read those files and whether simply adding them to the tomcat group wouldn't be sufficient.

Another alternative would be to subclass the log4j file appender class that's writing those logs and set attributes yourself. That would require using the newer file class that can manage access controls and not the original "write once/run anywhere" java.io.File class, though, since you're talking OS-dependent properties.
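To see the umask mechanism Tim describes in action, here is an added shell example (not from the thread or from Tomcat): it creates a file the way a logger does (open with mode 0666) under several umask values and reports the resulting mode, so you can confirm that a umask of 027 gives the tomcat group read access without exposing the file to everyone. It assumes a GNU/Linux userland with stat(1); the paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original thread. A process creates regular
# files with mode 0666 & ~umask; the log appender never asks for anything else,
# so the JVM's umask (inherited from the Tomcat startup script, which in 8.5
# honours a UMASK variable that can be set in bin/setenv.sh) decides who may
# read a fresh log file.

# Create a file under the given umask and return its octal mode (e.g. 640).
mode_under_umask() {
    _mask="$1"
    _dir=$(mktemp -d)
    # Subshell so the umask change does not leak into the caller.
    ( umask "$_mask" && : > "$_dir/app.log" )
    _mode=$(stat -c '%a' "$_dir/app.log")   # GNU stat; BSD would use -f '%Lp'
    rm -rf "$_dir"
    printf '%s\n' "$_mode"
}

# The same answer computed arithmetically: mode = 0666 & ~umask.
expected_mode() {
    printf '%o\n' $(( 0666 & ~0$1 ))
}

# Walk through the three umasks that matter for this thread:
#   022 -> 644  world-readable (the old behaviour the question describes)
#   027 -> 640  group-readable: members of the tomcat group can read, others cannot
#   077 -> 600  owner only
for m in 022 027 077; do
    printf 'umask %s -> file mode %s (computed %s)\n' \
        "$m" "$(mode_under_umask "$m")" "$(expected_mode "$m")"
done

# With umask 027 the group-based fix is simply membership; for a developer
# account named "developer" (placeholder) that is:
#   usermod -a -G tomcat developer
```

The 027 case is the one to aim for: it matches Tim's advice of granting read access through group membership rather than loosening the umask to 022.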
 
Andreas Roerig
Greenhorn
Hi Tim,

Thanks for your answer.
There was no major OS upgrade besides the normal security updates.
As I did this on two machines the coincidence with the Tomcat upgrade seemed quite clear.
Adding the developer-account to the tomcat group might be a solution. I need to think about this.
I don't want to subclass the file appender.

Best regards
Andreas
 
Tim Holloway
Saloon Keeper
Based on common Linux permission standard umask defaults, your old setup was the aberration.

Giving world read permissions by default is the kind of security exposure more commonly associated with Windows than Unix/Linux.
 