Permission issue - how to allow permissions to a java app deployed on tomcat

 
Jack Tauson
Ranch Hand
Posts: 207
Running into permission issues - need advice.

I have an application which listens to ActiveMQ, generates a zip file and uploads it to the server.


On Server 1:

Everything works fine and files are generated properly without any issues. When I checked the file permissions at the access location, the owner is "root".

On Server 2:

I keep getting





This server is known for file permission issues.

It is understandable that if a user is having permission-related issues, the admin of the server can give privileges to the user to create/delete directories.

However, how does it work in the case of an application which is running on Tomcat? I mean my application which listens to ActiveMQ is deployed as a WAR on Tomcat. How should I ask the admin of the server to provide access to my particular application so that I can create files on the server?


 
Paul Clapham
Marshal
Posts: 25669
It doesn't work like that. Permissions are always given to users, not to applications. In the case of Tomcat you need to work with the user under which Tomcat is running.
 
Stephan van Hulst
Saloon Keeper
Posts: 12129

Jack Tauson wrote:This server is known for file permission issues.


Sounds like that server's admin actually took the time to set up different permissions in the first place. In general it's a good idea to do this on development machines too, so handling file access issues doesn't become an afterthought.

Services run under a pre-configured user account. The admin of that server likely knows which user account Tomcat runs under, or can easily find it out.

Ask the server's admin to give the user or group that Tomcat is running under read, write and search permissions on the '/mnt/nfs/Data/dev/downloader/file_downloader/TAN' directory.
 
Mikalai Zaikin
Rancher
Posts: 3645
In Unix / Linux, permissions can be granted to (1) a user, (2) a group of users, (3) everyone.

So this is more a task for your admin, who decides how he wants to handle it.

First the admin should get the user ID under which the JVM (Tomcat) runs and which will write the file to the filesystem, e.g. (note "tomcat" is the text string which may appear in the PID path name)



Then the user has these options:

1) change the ownership of the directory /mnt/nfs/Data/dev/downloader/file_downloader/TAN/ to the JVM's user ID and give write permission to that user



2) add the JVM user to the group which owns the directory and give write permission to the group



3) give everyone (any user ID on the system) write permission



DISCLAIMER: I did not test any of the commands above, they are pseudo commands, may contain (and surely contain) syntax errors.
 
Stephan van Hulst
Saloon Keeper
Posts: 12129

Mikalai Zaikin wrote:In Unix / Linux permissions can be granted to (1) user (2) group of users (3) everyone


A tiny but important correction: A file or folder has an owning user and an owning group. Read/write/execute permissions can be granted to: 1) The owning user, 2) the owning group, but not the owning user, 3) everyone who is not the owner or in the owning group.

This means that if you give read permissions only to the third category of users, everyone will be able to read the file, EXCEPT the owner and users in the owning group.
 
Mikalai Zaikin
Rancher
Posts: 3645

Stephan van Hulst wrote:A tiny but important correction


Thanks for the update!
 
Campbell Ritchie
Marshal
Posts: 69752
Never realised that.

pluma notMyFile
. . .$ chmod 066 notMyFile
. . .$ pluma notMyFile # pluma failed to open file
. . .$ chmod 666 notMyFile
. . .$ pluma notMyFile # opened first try
. . .$ rm notMyFile

Presumably chmod and rm worked because I had ownership of the directory.
 
Jack Tauson
Ranch Hand
Posts: 207

Mikalai Zaikin wrote:In Unix / Linux permissions can be granted to (1) user (2) group of users (3) everyone

So this is more a task for your admin, who decides how he wants to handle it. . . .



Thanks very much. One more question.


In the above scenario, I have shown one user directory where the file needs to reside, i.e. TAN.

However, if there is a new user using my application with a different user name, my application is supposed to create a directory for them, for example, if there is a user JACK, the files are going to reside in the following directory:

/mnt/nfs/Data/dev/downloader/file_downloader/JACK/

Similarly, there can be many users that I don't know in advance.

So is the approach you mentioned applicable to my aforementioned scenario?
 
Mikalai Zaikin
Rancher
Posts: 3645
Your Linux admin should decide how best to implement it.

One approach -- add all users to some group in the operating system and grant the file_downloader folder group write permission.

 
Jack Tauson
Ranch Hand
Posts: 207

Stephan van Hulst wrote:

Mikalai Zaikin wrote:In Unix / Linux permissions can be granted to (1) user (2) group of users (3) everyone


A tiny but important correction: A file or folder has an owning user and an owning group. Read/write/execute permissions can be granted to: 1) The owning user, 2) the owning group, but not the owning user, 3) everyone who is not the owner or in the owning group.

This means that if you give read permissions only to the third category of users, everyone will be able to read the file, EXCEPT the owner and users in the owning group.



Thanks Stephan. In the following line, you mentioned the following:

Read/write/execute permissions can be granted to: 1) The owning user, 2) the owning group, but not the owning user, 3) everyone who is not the owner or in the owning group.

If I understood correctly, in your first point, read/write/execute permissions can be granted to the owning user. However, in your second point you mentioned:

Read/write/execute permissions can be granted to the owning group, but not the owning user. So aren't the first and second points contradictory?
 
Mikalai Zaikin
Rancher
Posts: 3645
Jack, it looks like the discussion is moving away from Java, and maybe the Linux forum is a better candidate.

Permissions in Linux are a combination of "owner", "group" and "others" flags (bits); e.g. "owner" and "group" may have write permission at the same time, one does not exclude the other.

I highly recommend you read a basic article on Linux filesystem permissions, and it will become much clearer.
 
Campbell Ritchie
Marshal
Posts: 69752

Jack Tauson wrote:. . . aren't 1st and second point contradicting?

No. Stephan means that permissions are given to the owner, the remainder of the group, or everybody else, but separately. For example, with permissions like 761 the owner has rwx permission, the remainder of the group rw- permissions and everybody else has --x permission. The remainder of the group don't have x permission.
 
Tim Holloway
Saloon Keeper
Posts: 22248
Something very important to note:

Java is write-once/run-anywhere and that means that unlike native OS applications, a Java application (such as Tomcat) cannot assume multiple user identities. Whatever userid/group - or Windows equivalent - that Tomcat was launched under will be the userid/group that all the web applications run under.

Tomcat should not be run as root/administrative userid. That punches a major security hole in the operating system. Tomcat cannot do like the Apache server and start as root, grab root-privileged resources (such as ports 80 and 443) and then downshift to a less dangerous userid. It will run start-to-finish under the user ID it was launched under. Repeated for emphasis.

So any webapp that wishes to read/write files or do other OS-restricted things must ensure that the files, directories, and so forth can be accessed by Tomcat itself.
 
Jack Tauson
Ranch Hand
Posts: 207

Tim Holloway wrote:Something very important to note:

Java is write-once/run-anywhere and that means that unlike native OS applications, a Java application (such as Tomcat) cannot assume multiple user identities. Whatever userid/group - or Windows equivalent - that Tomcat was launched under will be the userid/group that all the web applications run under.

Tomcat should not be run as root/administrative userid. That punches a major security hole in the operating system. Tomcat cannot do like the Apache server and start as root, grab root-privileged resources (such as ports 80 and 443) and then downshift to a less dangerous userid. It will run start-to-finish under the user ID it was launched under. Repeated for emphasis.

So any webapp that wishes to read/write files or do other OS-restricted things must ensure that the files, directories, and so forth can be accessed by Tomcat itself.



Thanks for the info.

So any webapp that wishes to read/write files or do other OS-restricted things must ensure that the files, directories, and so forth can be accessed by Tomcat itself



This is possible only after the admin of the RHEL server does what (the steps) Mikalai Zaikin mentioned in his post above, right?
 
Jack Tauson
Ranch Hand
Posts: 207

Mikalai Zaikin wrote:Jack, it looks like the discussion is moving away from Java, and maybe the Linux forum is a better candidate.

Permissions in Linux are a combination of "owner", "group" and "others" flags (bits); e.g. "owner" and "group" may have write permission at the same time, one does not exclude the other.

I highly recommend you read a basic article on Linux filesystem permissions, and it will become much clearer.



Sure. Is there a way the admin of this group can move it to the appropriate forum?
 
Tim Holloway
Saloon Keeper
Posts: 22248
And, it's off to the Linux forum we go!

There are several ways to install Tomcat on Linux/Red Hat/Any OS, actually. But the common convention would be that there would be a user named "tomcat" in a group named "tomcat".

Now the real fun begins. Yes, it's true that you have to have compatible user/group IDs, but there's also this thing called "selinux". And selinux can get particularly nasty when you're working with files shared on a LAN via NFS, SMB/CIFS or even clustered systems like glusterfs. Add another layer of pain if you run Tomcat in a container (which I highly recommend). A lot of people simply give up and turn selinux off at that point.

A note on LAN shares. "/mnt" is traditionally reserved as the mountpoint for temporary physical volume mounts. Stuff like CDs, DVDs, thumb drives, external hard drives, and so forth. There's no Ultimate Rule, but to avoid conflicts, /mnt should be the root of a single volume temporarily mounted, not the parent directory of multiple permanent volume mounts.

In the case of network shares, though, the common netshare mountpoint for nfs would be a directory under /export. I don't recall seeing an actual standard for cifs, but /export works there as well.

Actually, removable hard media are often mounted under something like /run/media nowadays by the hotswap subsystem, but that doesn't matter here.

 
Jack Tauson
Ranch Hand
Posts: 207

Tim Holloway wrote:And, it's off to the Linux forum we go!


Thanks !

There are several ways to install Tomcat on Linux/Red Hat/Any OS, actually. But the common convention would be that there would be a user named "tomcat" in a group named "tomcat".


Yes, my server team has created a tomcat user. So whenever I need to start or stop tomcat, I switch to tomcat user and do that.

Yes, it's true that you have to have compatible user/group IDs, but there's also this thing called "selinux". And selinux can get particularly nasty when you're working with files shared on a LAN via NFS, SMB/CIFS or even clustered systems like glusterfs. Add another layer of pain if you run Tomcat in a container (which I highly recommend). A lot of people simply give up and turn selinux off at that point.



Not sure if I am following you correctly here. Is this related to the question I asked?


 
Tim Holloway
Saloon Keeper
Posts: 22248
For a production Tomcat server, you'll probably eventually want to set up a systemd profile that controls startup and shutdown.

Selinux is a secondary security system designed to allow additional granularity to resource access control - not only files and directories, but network ports and other things as well. Even if you "own" a file, if you don't have proper selinux rights, you can be denied the ability to read or write it if the selinux rules aren't willing. And there are some very specific rules that guard files found on other computers via networking.

The traditional way to determine whether you were falling afoul of systemd protections was to look in /var/log/audit/audit.log. Some very recent systems have managed to finally cram the audit log into the systemd journal, if you cannot find the file.
 
Stephan van Hulst
Saloon Keeper
Posts: 12129

Campbell Ritchie wrote:Presumably chmod and rm worked because I had ownership of the directory.


For chmod, yes. For rm, the only thing that's relevant is whether you have write and execute permissions on the parent directory and the sticky bit hasn't been set. Say you're not the owner or in a group that owns a file or the folder that it is in, and you have no permissions to do anything with the file. You can still delete the file if the permissions on the parent directory are d-------wx.

Think of it this way: Deleting a file is not an operation on the file itself. Instead, you're rewriting the parent directory's index.
 
Stephan van Hulst
Saloon Keeper
Posts: 12129

Mikalai Zaikin wrote:One approach -- add all users to some group in operating system and grant file_downloader folder write group permission.


This won't do anything for Jack, because web applications running in Tomcat use one user account and one user account only: The one that Tomcat is running under.

Assuming that Tomcat is running as 'tomcat' and is in the group 'tomcat', I would set the permissions of file_downloader to 'drwxrws---' and make 'tomcat' the owner and owning group. The SGID flag (the 's' in the group execute permission) will ensure that files and folders created inside that folder will automatically be owned by Tomcat as well.
 
Stephan van Hulst
Saloon Keeper
Posts: 12129

Jack Tauson wrote:This is possible only after admin of RHEL server does what(the steps) Mikalai Zaikin has mentioned in his post above, right?


Try:

Be careful, this will replace all existing permissions and owners on all files and directories in file_downloader.
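Putting Mikalai's first step (find out which account the JVM runs as) together with the layout Stephan describes (owner and group tomcat, drwxrws--- so the SGID bit makes new entries inherit the group), here is an added example script that is not from the thread. It assumes the conventional tomcat:tomcat account named earlier and takes the directory and account as parameters; the ps output it parses is a constructed sample so the script runs offline. Like the recursive command Stephan warns about, it rewrites owner and mode on every file under the directory, so run it on the file_downloader tree only. Nothing in the result is world-accessible, which is the difference from a recursive 777.

```shell
#!/bin/sh
# Added example (not from the thread). Requires GNU coreutils (stat -c) and
# root for the chown step on a real server; the self-test below runs as
# whoever invokes it by giving the tree to that same user.

# tomcat_user : read `ps -eo user=,args=` on stdin and print the account
# running a JVM whose command line mentions tomcat or catalina.
tomcat_user() {
    awk '$2 ~ /java$/ && tolower($0) ~ /tomcat|catalina/ { print $1; exit }'
}

# Constructed sample of `ps -eo user=,args=` output (not real process data).
PS_SAMPLE='root      /usr/lib/systemd/systemd --switched-root --system
tomcat    /usr/lib/jvm/jre/bin/java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start
activemq  /usr/bin/java -Xms64M -jar /opt/activemq/bin/activemq.jar start'

# provision_dir DIR USER GROUP
# Hand the whole tree to USER:GROUP. Directories get 2770 (drwxrws---): the
# SGID bit makes every file or subdirectory created inside inherit GROUP,
# so a per-user folder such as .../JACK/ created later by the webapp is
# automatically group-owned by tomcat. Files get 0660. "Other" gets nothing.
provision_dir() {
    dir=$1; user=$2; group=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chown -R "$user:$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2770 {} + || return 1
    find "$dir" -type f -exec chmod 0660 {} + || return 1
}

# show_mode PATH : octal mode plus owner:group, for checking the result
show_mode() {
    stat -c '%a %U:%G %n' "$1"
}

# Demo of the discovery step on the constructed sample; prints "tomcat".
printf '%s\n' "$PS_SAMPLE" | tomcat_user
```

On the server the admin would run the discovery for real (`ps -eo user=,args= | tomcat_user`) and then `provision_dir /mnt/nfs/Data/dev/downloader/file_downloader tomcat tomcat` as root, checking the outcome with `show_mode`. The SGID inheritance is what makes the "unknown users in advance" case work without touching permissions again, because the webapp creates each new user directory itself while running as tomcat.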
 
Tim Holloway
Saloon Keeper
Posts: 22248
But again, selinux takes priority over the traditional Linux user/group permissions.

And on RHEL and its relatives selinux is enabled by default.

Even if you are the root user and you own the file, selinux can deny it to you. In fact, a big incentive for selinux was to keep root from running unconstrained over the OS assets. So check the audit logs when in doubt.

There are very specific selinux rules governing files/directories shared by nfs and also a couple of rules defined for Tomcat itself in addition to the general selinux protections.
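Tim's advice in his two SELinux posts is to check the audit log when ownership and mode look right but access is still denied. The function below is an added example, not from the thread: it reads audit records on stdin and prints one summary line per AVC denial for a given process name, so the admin can see which source type (the tomcat_t domain) was refused which permission on which target type (for example a label belonging to the NFS mount). The log lines are a constructed sample in the standard audit record layout; the type names in them are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SELinux AVC denials.

# Constructed sample of /var/log/audit/audit.log records (not from a real host).
AUDIT_SAMPLE='type=AVC msg=audit(1614891234.123:456): avc:  denied  { write } for  pid=1234 comm="java" name="TAN" dev="0:45" ino=12345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1614891234.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="java" exe="/usr/lib/jvm/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1614891240.001:457): avc:  denied  { add_name } for  pid=1234 comm="java" name="JACK" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1614891300.500:458): avc:  denied  { read } for  pid=999 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_denials COMM : audit records on stdin -> one line per AVC denial of COMM:
#   "<permissions> <tclass> name=<object> <source type> -> <target type>"
# Only type=AVC records containing "denied" are considered; SYSCALL and
# other record types that share the same event id are skipped.
avc_denials() {
    awk -v want="$1" '
        $1 != "type=AVC" || $0 !~ / denied / { next }
        {
            comm = ""; name = ""; stype = ""; ttype = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                v = $i
                if (v ~ /^comm=/)          { sub(/^comm="?/, "", v); sub(/"$/, "", v); comm = v }
                else if (v ~ /^name=/)     { sub(/^name="?/, "", v); sub(/"$/, "", v); name = v }
                else if (v ~ /^scontext=/) { sub(/^scontext=/, "", v); split(v, s, ":"); stype = s[3] }
                else if (v ~ /^tcontext=/) { sub(/^tcontext=/, "", v); split(v, t, ":"); ttype = t[3] }
                else if (v ~ /^tclass=/)   { sub(/^tclass=/, "", v); tclass = v }
            }
            if (comm != want) next
            # the denied permissions sit between the braces: { write }
            match($0, /\{[^}]*\}/)
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            print perms, tclass, "name=" name, stype, "->", ttype
        }'
}

# Demo on the constructed sample: two denials for the JVM, none for anything else.
printf '%s\n' "$AUDIT_SAMPLE" | avc_denials java
```

On a live RHEL host the same records come from `ausearch -m avc -c java` or, on the systems Tim mentions, from the journal; `ls -Z` on the directory shows the target type the denial names, and `restorecon` or a `semanage fcontext` rule is the usual way to give the NFS-backed tree a label the tomcat domain is allowed to write, instead of disabling SELinux.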
 
Jack Tauson
Ranch Hand
Posts: 207

Jack Tauson wrote:Running into permission issues - need advice.

I have an application which listens to ActiveMQ, generates a zip file and uploads it to the server.


On Server 1:

Everything works fine and files are generated properly without any issues. When I checked the file permissions at the access location, the owner is "root".

On Server 2:

I keep getting





This server is known for file permission issues.

It is understandable that if a user is having permission-related issues, the admin of the server can give privileges to the user to create/delete directories.

However, how does it work in the case of an application which is running on Tomcat? I mean my application which listens to ActiveMQ is deployed as a WAR on Tomcat. How should I ask the admin of the server to provide access to my particular application so that I can create files on the server?




I resolved the issue finally. In the following path, there was 777 permission up to the Data folder. So I had to change the permission recursively to 777 starting from the dev folder and it worked.

/mnt/nfs/Data/dev/downloader/file_downloader/TAN/Requested_files_A759176A8566.zip
 