7

I have found that the file permissions have changed between Tomcat 8 and Tomcat 9 and I can't figure out how to get around it.

I had code like this where inputStream is something I feed this routine and redirectStream is a function that simply uses BufferedInput and BufferedOutput streams to read from one stream into another.

```java
Path path = Paths.get("/some/example/path/to/a/file");
Files.createDirectories(path.getParent());
redirectStream(inputStream, new FileOutputStream(path.toFile()));
```

After executing this bit of code in Tomcat8 the directories and file would have permissions matching the umask of the user (0022). That is, the directories would have drwxr-xr-x and the files would have -rw-r--r--. As these files that it is writing are then accessible to the internet, the global read flag is necessary.

But under Tomcat9, the same code gives drwxr-x--- and -rw-r----- respectively, and thus they are not visible to the internet. I have tried two things. One, I have explicitly set the umask to 0022 in my tomcat startup script just to make sure that is what it is, to no effect. The second is to explicitly set the permissions in code to try and force the issue. This fixed the file permissions but NOT the directory permissions; below is the updated code.

```java
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.HashSet;
import java.util.Set;

// Directory permissions requested at creation time (rwxrwxr-x)
Set<PosixFilePermission> perms = new HashSet<PosixFilePermission>();
perms.add(PosixFilePermission.OWNER_READ);
perms.add(PosixFilePermission.OWNER_WRITE);
perms.add(PosixFilePermission.OWNER_EXECUTE);
perms.add(PosixFilePermission.GROUP_READ);
perms.add(PosixFilePermission.GROUP_WRITE);
perms.add(PosixFilePermission.GROUP_EXECUTE);
perms.add(PosixFilePermission.OTHERS_READ);
perms.add(PosixFilePermission.OTHERS_EXECUTE);
Files.createDirectories(path.getParent(), PosixFilePermissions.asFileAttribute(perms));

redirectStream(inputStream, new FileOutputStream(path.toFile()));

// File permissions set explicitly after the write (rw-rw-r--)
perms = new HashSet<PosixFilePermission>();
perms.add(PosixFilePermission.OWNER_READ);
perms.add(PosixFilePermission.OWNER_WRITE);
perms.add(PosixFilePermission.GROUP_READ);
perms.add(PosixFilePermission.GROUP_WRITE);
perms.add(PosixFilePermission.OTHERS_READ);
Files.setPosixFilePermissions(path, perms);
```

Which actually fixes the file permission of the file but NOT the file permissions of the directories. I have tested the code outside of Tomcat and therefore know that it works. But for some reason Tomcat9's environment somehow makes it that the directories still get the restricted permissions.

Any ideas here?

crowmagnumb
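
The directory half of the problem above is worth showing in code. The following is an added example, not code from the question or any of the answers: a `FileAttribute` passed to `Files.createDirectories` is handed to mkdir(2) and is therefore still filtered through the process umask (0027 under a default Tomcat 9 start-up, as the answers note), whereas `Files.setPosixFilePermissions` is a chmod(2) and ignores the umask. The class name, temp directory and file content are constructed for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Set;

public class WorldReadableWriter {
    // Target modes from the question: drwxr-xr-x for directories, -rw-r--r-- for files.
    static final Set<PosixFilePermission> DIR_PERMS  = PosixFilePermissions.fromString("rwxr-xr-x");
    static final Set<PosixFilePermission> FILE_PERMS = PosixFilePermissions.fromString("rw-r--r--");

    /**
     * Creates the missing parents of 'file', then chmods each directory this call
     * created. A FileAttribute on createDirectories is not enough: mkdir(2) applies
     * the process umask to it, which is what produced drwxr-x--- under Tomcat 9.
     * setPosixFilePermissions is a plain chmod(2) and is not subject to the umask.
     */
    static void createWorldReadableParents(Path file) throws IOException {
        Deque<Path> missing = new ArrayDeque<>();
        for (Path dir = file.toAbsolutePath().getParent();
             dir != null && !Files.exists(dir); dir = dir.getParent()) {
            missing.push(dir); // push so the shallowest missing directory is created first
        }
        for (Path dir : missing) {
            Files.createDirectory(dir);                     // mode still masked by umask here
            Files.setPosixFilePermissions(dir, DIR_PERMS);  // explicit chmod, umask-independent
        }
    }

    static void writeWorldReadable(Path file, byte[] content) throws IOException {
        createWorldReadableParents(file);
        Files.write(file, content);
        Files.setPosixFilePermissions(file, FILE_PERMS);
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("umask-demo");   // constructed scratch location
        Path target = base.resolve("a/b/c/page.html");
        writeWorldReadable(target, "<p>hello</p>".getBytes());
        // Prints rw-r--r-- for the file and rwxr-xr-x for a, b and c whatever the umask is.
        for (Path p = target; !p.equals(base); p = p.getParent()) {
            System.out.println(PosixFilePermissions.toString(Files.getPosixFilePermissions(p)) + " " + p);
        }
    }
}
```

Run it once with `umask 0027` and once with `umask 0022` in the invoking shell: the printed modes are identical, which is the property the question's `createDirectories(..., asFileAttribute(perms))` call could not deliver.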

4 Answers

15

Use `export UMASK=0022` in setenv.sh.

See https://tomcat.apache.org/tomcat-9.0-doc/changelog.html

Vinay Prajapati
gardanflyer
  • On the contrary @phisch, gardanflyer recreated here pretty much all that the documentation he points to says. AND it worked for me! Thank you! I'm not sure why setting the UMASK in my upstart config file didn't work but I'm now using systemd so not even going to explore that. setenv.sh needs to be added in your $CATALINA_HOME/bin directory (chmoded to be executable). This one line in there works. – crowmagnumb Apr 11 '18 at 18:10
1

The umask value can be directly changed from 0027 to 0022 in catalina.sh file itself if you don't have setenv.sh file.

Sabariya
  • `setenv.sh` is **never** present in out-of-the-box installation and you need to create it (in either `CATALINA_HOME/bin` or `CATALINA_BASE/bin`). Modifying `catalina.sh` is a bad idea, since no one will expect this file to be modified. – Piotr P. Karwasz Mar 25 '21 at 12:47
1

On Debian based systems, you can add

UMASK=0022

to /etc/default/tomcat9. Then restart Tomcat for the change to take effect.

Bob
0

I am using tomcat 9 in Ubuntu 20.

According to https://ci.apache.org/projects/tomcat/tomcat9/docs/security-howto.html

I created a setenv.sh file in /usr/share/tomcat9/bin/ (which is known as $CATALINA_HOME),

then I added UMASK=0022 in setenv.sh

As a result, the permission of files created by tomcat is 644, which could be read by other group users.

Jimru
  • Hi @Jimru, welcome to Stack Overflow. The accepted answer already stated the UMASK change, however the other information you've listed would be useful in the accepted answer - please update it to include the security howto and the result of the 022 being the 644 on files. – Mr R Mar 29 '21 at 10:56