Chris,

On Wed, Dec 1, 2010 at 10:10 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> I agree with Mladen: MySQL doesn't actually need root privileges for
> anything at all, so this is a good description of your desires, but not
> a really great example.
>

Tomcat doesn't need root privileges either in our situation.

We're not even running on a privileged port (yet).

However, we're planning to kick out Apache soon and will be running
our sites on Tomcat only - that's why we're already using jsvc (call
it kind of a test).

Still, our security guidelines demand that Tomcat can only be started
/ stopped by either a user with root privileges or by a user having
those privileges via the sudo command.

On the other hand, the developers responsible for their application
have to be able to read the logs.

Besides, all logs are owned by tomcat:tomcat (as it should be) - the
only exception is catalina.out.

I guess you agree that this is not what somebody would call
"consistent" behaviour...

> What does "directory is already umasked" mean? AFAIK, you can't umask a
> directory. Do you mean you're using sticky bits?

Sorry, my fault: our general umask is set to 0022 - still, jsvc gives
root ownership to catalina.out.

> Is it possible that if catalina.out already exists and is owned by, say,
> "tomcat", that its ownership will be retained when jsvc opens it for
> append? If that's the case, you may have simply deleted the file during
> your upgrade and had it re-created by jsvc (owned by root) after the fact.

You picked the right thing here: When catalina.out is owned by
tomcat:tomcat, jsvc opens that file for append and doesn't change the
ownership.

I wouldn't bet my bottom penny on the possibility that we chowned
catalina.out manually to tomcat:tomcat, but I'm quite sure
that the ownership was not changed by us before.
Unfortunately, I don't have the time to do a check on that one right now.
>
> Can you tell us what version of jsvc you were using in the past, and
> what version you're using now?
>

Before, we've been using an archive called "jsvc.tar.gz"; browsing the
CHANGES.txt gives

======= [ snip ]=========
JAKARTA COMMONS DAEMON (UNIX) CHANGELOG:
Last modified at [$Date: 2005-05-17 10:03:57 +0200 (Tue, 17 May 2005) $]

Changes with 1.0.1
======= [ snap ]=========

Now, we're using an archive called "commons-daemon-native.tar.gz".

Browsing the file "RELEASE_NOTES.txt" gives

======= [ snip ]=========
$Id: RELEASE-NOTES.txt 915160 2010-02-23 03:32:02Z billbarker $

            Commons Daemon Package
               Version 1.0.2
======= [ snap ]=========

Since my workaround seems to be doing what we're expecting, I suggest
we call this case closed.

Thanks for your support!

Cheers

Gregor
-- 
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
skype:rc46fi
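The mechanism discussed above (an append-open keeps an existing file's owner, while a missing catalina.out gets created owned by whoever runs the daemon) as a small added example, not code from the thread or from the jsvc/Tomcat project. It assumes GNU coreutils (`stat -c`); the log path, owner and group are parameters, and the functions `ensure_log`, `append_line` and `check_log` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread, not jsvc/Tomcat project code).
# Assumes GNU coreutils (stat -c). Path, owner, group are parameters.
#
# Opening a log for append never changes who owns it, but a missing file is
# created owned by the process that opens it (root, when jsvc is started as
# root). Pre-creating catalina.out with the intended owner before the daemon
# starts keeps it consistent with the other logs; check_log reports drift,
# e.g. after an upgrade that removed the file.

# Print "user:group" of a file.
log_owner() {
    stat -c '%U:%G' "$1"
}

# Create the log (empty) with the given owner/group/mode if it does not
# exist yet; an existing file is left untouched, as an append-open would.
# Needs root unless owner/group are the caller's own.
ensure_log() {
    path=$1
    owner=$2
    group=$3
    mode=${4:-0644}
    if [ ! -e "$path" ]; then
        ( umask 022; : > "$path" )   # subshell: umask change stays local
        chown "$owner:$group" "$path"
        chmod "$mode" "$path"
    fi
}

# Append one line, the way a daemon holding the file in append mode does.
append_line() {
    printf '%s\n' "$2" >> "$1"
}

# Return 0 if the log has the expected owner:group, 1 (with a message) if not.
check_log() {
    path=$1
    expected="$2:$3"
    actual=$(log_owner "$path") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "WARNING: $path is owned by $actual, expected $expected" >&2
        return 1
    fi
    return 0
}
```

Run `ensure_log /path/to/catalina.out tomcat tomcat` from the (root) start script before launching jsvc, and `check_log` from a cron job or after upgrades.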
