jsvc - non root - log as root


jsvc - non root - log as root

Jürgen Weber
Hi,

when you run tomcat with jsvc and have jsvc drop privileges to a
different user, stdout and stderr log files are still created with
root as owner.
Can you make jsvc create them as the -user ?

weberjn@beo:~/apache-tomcat-9.0.36/logs$ ll
total 20
-rw------- 1 weberjn weberjn 4630 Jun 26 08:28 catalina.2020-06-26.log
-rw------- 1 root    root    4630 Jun 26 08:28 catalina.err
-rw------- 1 root    root      28 Jun 26 08:28 catalina.out
-rw------- 1 weberjn weberjn    0 Jun 26 08:28 host-manager.2020-06-26.log
-rw------- 1 weberjn weberjn    0 Jun 26 08:28 localhost.2020-06-26.log
-rw------- 1 weberjn weberjn    0 Jun 26 08:28 localhost_access_log.2020-06-26.txt
-rw------- 1 weberjn weberjn    0 Jun 26 08:28 manager.2020-06-26.log

jsvc \
    -classpath $CATALINA_HOME/bin/bootstrap.jar:$CATALINA_HOME/bin/tomcat-juli.jar \
    -outfile $CATALINA_BASE/logs/catalina.out \
    -errfile $CATALINA_BASE/logs/catalina.err \
    -java-home /usr/lib/jvm/java-11-openjdk-amd64 \
    -user weberjn \
    -Dcatalina.home=$CATALINA_HOME \
    -Dcatalina.base=$CATALINA_BASE \
    -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
    -Djava.util.logging.config.file=$CATALINA_BASE/conf/logging.properties \
    org.apache.catalina.startup.Bootstrap

jsvc (Apache Commons Daemon) 1.2.3-dev

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: jsvc - non root - log as root

markt
On 26/06/2020 08:21, Jürgen Weber wrote:
> Hi,
>
> when you run tomcat with jsvc and have jsvc drop privileges to a
> different user, stdout and stderr log files are still created with
> root as owner.
> Can you make jsvc create them as the -user ?

I'm no C expert but my reading of
https://github.com/apache/commons-daemon/blob/master/src/native/unix/native/jsvc-unix.c#L1039
is no.

Mark



Re: jsvc - non root - log as root

Christopher Schultz-2

Mark and Jürgen,

On 6/26/20 06:23, Mark Thomas wrote:
> On 26/06/2020 08:21, Jürgen Weber wrote:
>> Hi,
>>
>> when you run tomcat with jsvc and have jsvc drop privileges to a
>> different user, stdout and stderr log files are still created
>> with root as owner. Can you make jsvc create them as the -user ?
>
> I'm no C expert but my reading of
> https://github.com/apache/commons-daemon/blob/master/src/native/unix/native/jsvc-unix.c#L1039
> is no.

To be fair, jsvc *could* (be made to) do this, but that is not what
the current code looks like. Since the euid of the process when the
files are created is root (or elevated in some way), the ownership and
permissions of the file should be able to be set at that time before
privileges are dropped.

If these lines were to be added after 1071 (for stdout):

  if(chown(outfile, uid, gid)) {
    perror("chown");
    exit(1);
  }

Then the file could be owned by the unprivileged user/group. The uid
and gid are not currently available in the set_output function.

Hmm. If doreopen is true, then when trying to reopen the log files
(after dropping privileges), I think we'll get ENOACCESS. I don't use
jsvc so I haven't played around with it at all. I might be completely
wrong :)

-chris



Re: jsvc - non root - log as root

Michael Osipov
In reply to this post by Jürgen Weber
On 2020-06-26 at 09:21, Jürgen Weber wrote:
> Hi,
>
> when you run tomcat with jsvc and have jsvc drop privileges to a
> different user, stdout and stderr log files are still created with
> root as owner.
> Can you make jsvc create them as the -user ?

What is your actual problem with that?

I have talked about this to Mark two years ago. I think this is
logically not that easy. jsvc needs to start as root to bind privileged
ports, it inits Tomcat, then downgrades and starts the rest of the
container. While it is in init state stdout/stderr need to be opened
already.

If you have a problem with log rotation: I use newsyslogd for that,
which does send SIGUSR1 and works flawlessly. You may use similar tools.

M





Re: jsvc - non root - log as root

Jürgen Weber
jsvc has a umask option, so the log files can be made readable for the user.
It is just a question of aesthetics; root-owned files in user
directories are smelly.

Juergen

On Sat., 27 June 2020 at 11:38, Michael Osipov <[hidden email]> wrote:

>
> On 2020-06-26 at 09:21, Jürgen Weber wrote:
> > Hi,
> >
> > when you run tomcat with jsvc and have jsvc drop privileges to a
> > different user, stdout and stderr log files are still created with
> > root as owner.
> > Can you make jsvc create them as the -user ?
>
> What is your actual problem with that?
>
> I have talked about this to Mark two years ago. I think this is
> logically not that easy. jsvc needs to start as root to bind privileged
> ports, it inits Tomcat, then downgrades and starts the rest of the
> container. While it is in init state stdout/stderr need to be opened
> already.
>
> If you have a problem with log rotation: I use newsyslogd for that,
> which does send SIGUSR1 and works flawlessly. You may use similar tools.
>
> M

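The sequence the thread walks through (open stdout/stderr while still root, hand the files to the -user, then drop privileges, then be able to reopen them on rotation) as a stand-alone C example. This is added illustration, not jsvc's code and not a patch for jsvc-unix.c; the function names are invented here, and the demo path and identities are constructed. Two choices differ from the chown(outfile, ...) sketched in Chris's reply: ownership is changed with fchown() on the descriptor just opened, so the file whose owner changes is certainly the file that was created, and the open uses O_NOFOLLOW, since a root process creating files in a directory owned by the unprivileged user must not follow a symlink planted there. The reopen step is the one Chris flags: with the file left root:root 0600, reopen_log() after the drop returns -EACCES; with ownership handed off first, it succeeds.

```c
/* Added example, not jsvc's code: open a daemon's log as root, transfer it to
 * the unprivileged uid:gid on the open descriptor, drop privileges, and reopen.
 * All function names are invented for this demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open (or create) a log for appending while still privileged and give it to
 * uid:gid. O_NOFOLLOW: root must not follow a symlink in the user's logs dir.
 * Returns the descriptor, or -errno on failure. */
int open_log_owned_by(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, mode);
    if (fd < 0)
        return -errno;
    /* fchown() on the descriptor, not chown() on the path, so the file we
     * created is the file whose owner changes. fchmod() undoes the umask. */
    if (fchown(fd, uid, gid) < 0 || fchmod(fd, mode) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    return fd;
}

/* Permanently drop to uid:gid. Supplementary groups and gid go first: once
 * the process is no longer root it cannot change them. Returns 0 or -errno. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(0, NULL) < 0)
        return -errno;
    if (setgid(gid) < 0)
        return -errno;
    if (setuid(uid) < 0)
        return -errno;
    /* The drop must be irreversible: as a non-root target, setuid(0) must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -EPERM;
    return 0;
}

/* What a SIGUSR1-style rotation handler does after privileges are gone.
 * Returns the new descriptor, or -errno (EACCES if the file is still root 0600). */
int reopen_log(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    return fd < 0 ? -errno : fd;
}

/* Owner uid of an open descriptor, or -errno. */
int fd_owner(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -errno;
    return (int)st.st_uid;
}

int main(int argc, char **argv)
{
    /* Constructed demo inputs: path, target uid, target gid (defaults: self). */
    const char *path = argc > 1 ? argv[1] : "/tmp/catalina.out.demo";
    uid_t uid = argc > 2 ? (uid_t)atoi(argv[2]) : getuid();
    gid_t gid = argc > 3 ? (gid_t)atoi(argv[3]) : getgid();

    int fd = open_log_owned_by(path, uid, gid, 0600);
    if (fd < 0) {
        fprintf(stderr, "open %s: %s\n", path, strerror(-fd));
        return 1;
    }
    printf("%s now owned by uid %d\n", path, fd_owner(fd));

    int rc = drop_privileges(uid, gid);
    if (rc < 0) {
        fprintf(stderr, "drop privileges: %s\n", strerror(-rc));
        return 1;
    }

    int again = reopen_log(path);
    if (again < 0) {
        fprintf(stderr, "reopen as uid %d: %s\n", (int)getuid(), strerror(-again));
        return 1;
    }
    puts("reopen after privilege drop: ok");
    close(fd);
    close(again);
    return 0;
}
```

Run as root with an explicit target, e.g. `./logdemo /path/to/logs/catalina.out $(id -u weberjn) $(id -g weberjn)`, and `ls -l` afterwards shows the file owned by that user with mode 0600, the same mode the thread's listing shows for jsvc's own files under its -umask. Run as an ordinary user with no arguments it exercises the same path against your own uid/gid, which is also what the self-check below does.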