Tomcat umask

Hello all!

I have an application that runs on Tomcat. In that application it is possible to upload some files. Those files are then stored in a Postgres database.

My problem is that the umask set for the users is 077, therefore, when the postgres user tries to read the uploaded file to insert it in the database it has no permissions to do it.

My question is: how can I define a 022 umask for tomcat while maintaining the 077 for all other users?

Best regards,
Jorge

I do not know much about Tomcat, but suppose it is running as a daemon and that daemon process should have the umask you want. As umask is a property of a running process inherited by its parent, you could place an umask statement in the script that starts the daemon (is that in /etc/init.d?).

Hello hcvv!

Thanks for your reply.

I did as you told and changed the rctomcat6 script (which is a link to /etc/init.d/tomcat6, as you well guessed).

I added two lines in the start function:

    if [ "$SECURITY_MANAGER" = "true" ]; then
        $SU - $TOMCAT_USER -c "$TOMCAT_SCRIPT start-security" \
            >> $TOMCAT_LOG 2>&1
    else
        $SU - $TOMCAT_USER -c "$TOMCAT_SCRIPT start" >> $TOMCAT_LOG 2>&1
        $SU - $TOMCAT_USER -c "umask 022" >> $TOMCAT_LOG 2>&1   # (THIS ONE)
    fi

and simply:

umask 022

at the end of the function.

Now I only have to see which of the lines was responsible for doing what I wanted.

Thanks.

I am afraid that it will not work.

$SU - $TOMCAT_USER -c "umask 022" >> $TOMCAT_LOG 2>&1

simply means that a shell (process) is started for user TOMCAT_USER and in that shell the umask is executed, which will add the umask to the environment of that process and hence be part of the environment of all the children of that process from then on. Alas, that process is finished because there is nothing more to do and returns to the calling shell (the one where the above statement is in).
It will thus never have anything to do with what happens due to:

 $SU - $TOMCAT_USER -c "$TOMCAT_SCRIPT start" >> $TOMCAT_LOG 2>&1

which runs already earlier (in a different process) and is finished (or detached itself) before the umask is even run.

Remember what I said in the earlier post: umask is part of the environment of a process and is propagated to its OFFSPRING.
What I would try is:

    if [ "$SECURITY_MANAGER" = "true" ]; then
        $SU - $TOMCAT_USER -c "$TOMCAT_SCRIPT start-security" \
            >> $TOMCAT_LOG 2>&1
    else
        umask | read OLDUMASK
        umask 022
        $SU - $TOMCAT_USER -c "$TOMCAT_SCRIPT start" >> $TOMCAT_LOG 2>&1
        umask $OLDUMASK
    fi

It would:
. save the umask as it is in the process this script is running in;
. set the umask of this process;
. call the TOMCAT_SCRIPT, which will be a child and thus inherit the umask;
. restore the umask.

Thank you for clarifying it for me.

What I did was:

function start() {
    # keep old umask
    OLDUMASK=`umask`
    umask 022
 
    ################
    #
    # function body
    #
    ################
 
    # return to previous umask
    umask $OLDUMASK
 
    rc_status -v
}

Seems to work :slight_smile:
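An added example (not code from the thread) that reproduces both patterns discussed above: the umask set in a throw-away `su -c` shell never reaches the daemon, while a umask set in the parent shell, as in hcvv's suggestion and the final start() function, is inherited by the child and can be restored afterwards. A child `sh -c` that creates a file stands in for Tomcat; files go to a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread. Demonstrates umask inheritance from
# parent to child process; a child shell creating a file stands in for
# the Tomcat daemon.

# Create file $1 from a child process and print its permission string.
create_in_child() {
    sh -c ': > "$1"' sh "$1"
    ls -l "$1" | cut -c1-10
}

# Pattern from the first attempt: the umask is changed in a throw-away
# shell, so the file created by the "daemon" still gets the 077 result.
umask_in_separate_process() {
    umask 077
    f=$(mktemp -d)/wrong.txt
    sh -c 'umask 022'            # dies with this shell, changes nothing
    create_in_child "$f"         # -> -rw-------
}

# Pattern hcvv suggested: save, set, start the child, restore.
umask_in_parent() {
    umask 077
    f=$(mktemp -d)/right.txt
    OLDUMASK=$(umask)
    umask 022
    create_in_child "$f"         # -> -rw-r--r--
    umask "$OLDUMASK"
}

# The restore step: after umask_in_parent the script's own umask is back.
umask_after_restore() {
    umask 077
    umask_in_parent >/dev/null
    umask                        # -> 0077
}

main() {
    echo "separate process: $(umask_in_separate_process)"
    echo "parent shell:     $(umask_in_parent)"
    echo "after restore:    $(umask_after_restore)"
}
main
```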

That looks all right to me. It seems that you got how it works!

I see that you use an alternative to my

umask | read OLDUMASK

That is OK (there are always many ways to do things in Unix/Linux, of which a considerable number are good ways to do it). I would prefer

OLDUMASK=$(umask)

which does the same, but (IMHO) is more readable (especially in long statements), causes no confusion with ’ quoting, and can be nested as in

IP=$(host $(uname -n))

Yes, because I remember reading somewhere that the pipe also creates a sub-shell so the OLDUMASK variable might be blank.

That’s why I used the umask.

Didn’t know the alternative

OLDUMASK=$(umask)

Seems nice :slight_smile:

In fact the ... construction can be seen as a compatibility with the old Bourne shell. Already the Korn shell has it. But people keep on telling newbies that the ... is such a nice thing. It only proves IMHO that they never really studied ksh/bash :slight_smile: .

The | read construction works very well. In your case the $(…) is sufficient and very clear. But look at this one:

host $(uname -n) | read HOSTNAME R R IPADDRESS

This will get the real info from the host statement in two variables, throwing away (in R) what is not needed. Very handy.

Or take the example of a file containing lines with three : separated values each:

cat file | while IFS=':' read VALUE1 VALUE2 VALUE3
do      ....
        ...
done

But you can skip the cat and the pipe here with:

while IFS=':' read VALUE1 VALUE2 VALUE3
do      ....
        ...
done <file

But we are getting off topic lol!
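An added example (not code from the thread) that checks the two ways of capturing the old umask discussed above, including the pipeline subshell issue Jorge raised, and the `while read ... done <file` idiom; the three-field file is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: the two ways of capturing the old
# umask, plus the "while read ... done <file" idiom. A constructed
# three-field file stands in for the real input.

# "umask | read VAR": in bash and dash the last pipeline stage runs in a
# subshell, so VAR is set there and lost (Jorge's concern). ksh and zsh
# run it in the current shell, where this form works.
capture_via_pipe() {
    OLDUMASK=""
    umask | read OLDUMASK
    printf '%s' "$OLDUMASK"
}

# "$(umask)": command substitution, reliable in every POSIX shell.
capture_via_subst() {
    OLDUMASK=$(umask)
    printf '%s' "$OLDUMASK"
}

# Read colon-separated lines from file $1 without the cat | pipe, and
# sum the third field. Redirection keeps the loop in the current shell,
# so variables set inside it remain visible afterwards.
sum_third_field() {
    total=0
    while IFS=':' read -r VALUE1 VALUE2 VALUE3; do
        total=$((total + VALUE3))
    done < "$1"
    printf '%s' "$total"
}

# Constructed sample input (hypothetical users, not from the thread).
SAMPLE=$(mktemp)
printf 'alice:dev:10\nbob:ops:25\ncarol:dev:7\n' > "$SAMPLE"

echo "via pipe:  '$(capture_via_pipe)'"
echo "via subst: '$(capture_via_subst)'"
echo "sum:       $(sum_third_field "$SAMPLE")"
```

Run it under bash or dash and the pipe form prints an empty string; under ksh or zsh it prints the umask.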

Unable to find a way to create a new thread, thus using this one…
(and I have searched for umask & checked all 11 threads…)

I have a directory /dir which I would like to use as a “repository” for all users to share files:
files they create, files they download, generate, whatever.
/dir should also serve as a permanent STRUCTURED storage area for the files - thus users should be able to create sub-directories with the same rights as /dir has (770 - I created a group GRP1000 and made it the group for /dir).

WRONG ANSWER : set umask to 770

  • in other directories users should keep the 700 umask