I have a Unix AIX server running 4 processes:
3 batch processes and 1 WebLogic.
Each has its own user profile to run the process.
All have their own .profile file, but without a umask setting.
The default umask in /etc/profile is 022.
This would mean that all generated files (including log4j log files) should have permission -|rw-|r--|r-- (644).
This holds true for the 3 profiles running batch jobs.
But the logs generated by a web application in the WebLogic server with log4j are always at -|rw-|r--|--- (640).
I already tried logging in as the weblogic user and touched a file to test the umask setting.
The new file was generated at 644, so the umask is correct.
My question is: why are the log4j files for the web application running in WebLogic always 640?
Is there any way to do this in log4j, meaning to set a custom file permission from inside log4j?
All the other files besides the log4j log files are generated fine with permission 644.
Only the log4j log files are generated with permission 640.
People have a nasty habit of putting far more information in the log files than they should have.
If you stuck with your default permissions, anyone who has access to the box will be able to read the log files, and read anything that any app put in it, no matter how confidential.
The permissions set by weblogic are far more logical - only the user who started weblogic can write to the log file (and hopefully the user running weblogic is the user named weblogic - a user specifically created for this task). However since some people may need to read the log file, then those specific individuals can be added to the weblogic group, and they can get to read the log files.
One reason that the WebLogic startup sets the umask is that Java historically has not been able to assign file security attributes (access rights, etc.). That's because Java is designed as "write once, run anywhere" and file access control is one of the least portable of all the popular OS services that Java has to deal with.
I believe it's Java 6 that finally relented and added some access control functionality. Or maybe Java 7. However, WebLogic carries its legacy from the older JVMs.
Customer surveys are for companies who didn't pay proper attention to begin with.
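
The effect described in the replies above, as an added example that is not part of the original thread: a process keeps the umask of the script that launched it, so a start script that tightens the umask yields 640 log files even though the same user's login shell creates 644 files. The value 027 is an assumed umask chosen because it produces 640 (026 would as well); the thread does not state which value WebLogic uses, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: login-shell umask versus the umask a start script sets
# before launching a server. All umask values here are constructed.

# Octal mode a regular file receives when it is opened with 0666 (what
# touch and a Java FileOutputStream request) under the umask given in $1.
expected_mode() {
    printf '%o\n' $(( 0666 & ~0$1 ))
}

# Create a file inside a subshell that sets its own umask first, the way a
# start script does before exec'ing the JVM, and print the mode string.
mode_under_umask() {
    (
        umask "$1" || exit 1
        dir=$(mktemp -d) || exit 1
        : > "$dir/app.log"                  # new file, requested mode 0666
        ls -l "$dir/app.log" | cut -c1-10   # e.g. -rw-r-----
        rm -rf "$dir"
    )
}

# Compare what the login shell produces with what the "start script"
# subshell produces, and show the login shell's umask is not changed by it.
demo() {
    umask 022                               # /etc/profile default from the post
    echo "login shell  (umask $(umask)): $(mode_under_umask "$(umask)")"
    echo "start script (umask 027, assumed): $(mode_under_umask 027)"
    echo "login shell umask afterwards: $(umask)"
    echo "expected modes: 022 -> $(expected_mode 022), 027 -> $(expected_mode 027)"
}

demo
```

To confirm this on a real server, look for a `umask` line in the start script chain rather than in the user's `.profile`, since touching a file from a login shell only tests the login shell.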