Chris,

On Wed, Dec 1, 2010 at 10:10 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> I agree with Mladen: MySQL doesn't actually need root privileges for
> anything at all, so this is a good description of your desires, but not
> a really great example.
>

Tomcat doesn't need root privileges either in our situation. We're not even running on a privileged port (yet). However, we're planning to kick out Apache soon and will be running our sites on Tomcat only - that's why we're already using jsvc (call it kind of a test). Still, our security guidelines demand that Tomcat can only be started / stopped by either a user with root privileges or by a user having those privileges via the sudo command. On the other hand, the developers responsible for their application have to be able to read the logs. Besides, all logs are owned by tomcat:tomcat (as it should be) - the only exception is catalina.out. I guess you agree that this is not what somebody would call "consistent" behaviour...

> What does "directory is already umasked" mean? AFAIK, you can't umask a
> directory. Do you mean you're using sticky bits?

Sorry, my fault: Our general umask is set to 0022 - still, jsvc gives root ownership to catalina.out.

> Is it possible that if catalina.out already exists and is owned by, say,
> "tomcat", that its ownership will be retained when jsvc opens it for
> append? If that's the case, you may have simply deleted the file during
> your upgrade and had it re-created by jsvc (owned by root) after the fact.

You picked the right thing here: When catalina.out is owned by tomcat:tomcat, jsvc opens that file for append and doesn't change the ownership. I wouldn't bet my bottom penny on the possibility that with the chowned catalina.out manually to tomcat:tomcat, but I'm quite sure that the ownership was not changed by us before. Unfortunately, I don't have the time to do a check on that one right now.

>
> Can you tell us what version of jsvc you were using in the past, and
> what version you're using now?
>

Before, we've been using an archive called "jsvc.tar.gz", browsing the CHANGES.txt gives

======= [ snip ]=========
JAKARTA COMMONS DAEMON (UNIX) CHANGELOG:
Last modified at [$Date: 2005-05-17 10:03:57 +0200 (Tue, 17 May 2005) $]

Changes with 1.0.1
======= [ snap ]=========

Now, we're using an archive called "commons-daemon-native.tar.gz". Browsing the file "RELEASE_NOTES.txt" gives

======= [ snip ]=========
$Id: RELEASE-NOTES.txt 915160 2010-02-23 03:32:02Z billbarker $

Commons Daemon Package
Version 1.0.2
======= [ snap ]=========

Since my workaround seems to be doing what we're expecting, I suggest we call this case closed.

Thanks for your support!

Cheers

Gregor
--
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371 @ http://pgp.mit.edu:11371/
skype:rc46fi
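
An added example, not part of the original message or of the Tomcat/jsvc distribution: since the thread confirms that jsvc appends to an existing catalina.out without changing its owner, a start script run as root can pre-create the file with the intended owner before jsvc starts. The function names, the default mode and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Pre-create a log file with the intended owner so that a launcher started
# as root appends to it instead of creating a new root-owned file.
# Hypothetical helper names; adjust path, account and mode to your setup.

# owner_matches FILE USER GROUP -> exit 0 if FILE is owned by USER:GROUP
owner_matches() {
    [ -n "$(find "$1" -prune -user "$2" -group "$3" 2>/dev/null)" ]
}

# ensure_log FILE USER GROUP [MODE]
# Returns 0 when FILE exists as a regular file owned by USER:GROUP,
# 1 when FILE is refused (symlink or not a regular file),
# 2 when it could not be created or its ownership/mode could not be set.
ensure_log() {
    file=$1 user=$2 group=$3 mode=${4:-644}   # 644 matches a umask of 0022

    # The log directory is writable by the service account, so a root
    # process should not follow a symlink found there (best-effort check,
    # not atomic with the open below).
    if [ -L "$file" ]; then
        echo "refusing: $file is a symlink" >&2
        return 1
    fi
    if [ -e "$file" ] && [ ! -f "$file" ]; then
        echo "refusing: $file is not a regular file" >&2
        return 1
    fi

    # Open for append so existing log content is never truncated.
    [ -e "$file" ] || ( umask 077; : >> "$file" ) || return 2

    if ! owner_matches "$file" "$user" "$group"; then
        chown "$user:$group" "$file" 2>/dev/null || {
            echo "cannot chown $file to $user:$group" >&2
            return 2
        }
    fi
    chmod "$mode" "$file" || return 2
    owner_matches "$file" "$user" "$group"
}

# Typical use in a root-run init script, before jsvc is invoked
# (the path below is an assumption):
#   ensure_log /opt/tomcat/logs/catalina.out tomcat tomcat 644 || exit 1
```
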