
Possible to force ALL files created in a specific directory to include g+w ? - Linux / Unix Administration


  1. #1

    Possible to force ALL files created in a specific directory to include g+w ?

    In the process of removing root privileges from developers, I did the
    following:

    groupadd develprs
    usermod -g develprs john
    usermod -g develprs joe
    usermod -g develprs smith

    The developers will need to run a JVM:

    cd /opt
    chown -R nobody application/
    chgrp -R develprs application/


    The JVM application logs to a specific directory ( and sub-directories ).

    cd /var/log/
    chown -R nobody application/
    chgrp -R develprs application/


    Now when I su - as john:

    su - john
    cd /opt/application
    ./start


    .... the log files are created on /var/log/application.
    The files are owned by john but the group-ownership is by develprs.
    As an example:

    -rw-r--r-- 1 john develprs 452119 Jan 6 11:17 generic.log


    The problem here is, if the application is stopped, and then user joe
    starts the application:

    ./stop
    exit
    su - joe
    cd /opt/application
    ./start

    .... because the log files are owned by john and not joe, and the
    group-ownership is read-only, the application won't start. The log files
    are actually created by Apache Log4J.

    So question is, is there a way to force files that are ___created__ in a
    specific directory to have g+w ??

    If not, the only alternative for me is to run the app as root and let
    them run the app via sudo.


    Thanks







    noone Guest

  2. #2

    Re: Possible to force ALL files created in a specific directory to include g+w ?

    noone wrote:
    >
    > So question is, is there a way to force files that are ___created__ in a
    > specific directory to have g+w ??
    >
    Never mind .. umask was the answer

    noone Guest

  3. #3

    Re: Possible to force ALL files created in a specific directory to include g+w ?

    in comp.unix.admin i read:
    >noone wrote:
    >> So question is, is there a way to force files that are ___created__
    >> in a specific directory to have g+w ??
    >>
    >
    >Never mind .. umask was the answer
    actually umask is passive and can be overridden. to force things you
    would need a system that supports some sort of access list facility,
    and that it supports the notion of forcing modes.

    often umask is sufficient, and i certainly hope that will be for you.

    --
    a signature
    those who know me have no need of my name Guest

  4. #4

    Re: Possible to force ALL files created in a specific directory to include g+w ?

    noone <noonenoone.org> wrote:
    > ... because the log files are owned by john and not joe, and the
    > group-ownership is read-only, the application won't start. The log files
    > are actually created by Apache Log4J.
    > So question is, is there a way to force files that are ___created__ in a
    > specific directory to have g+w ??
    In general, no, but one thing you can do is ensure that the files
    are created first and given group-write permission before you start up the
    app that uses them. Then - assuming your app does not do stuff like remove
    and recreate its log files - you'll be OK. Any log-rotation program will
    have to take this into account, of course.

    Using sudo to run the app as a single standard user isn't bad
    either, although in my experience, you'll never get everybody to remember
    this all the time, and some idiot will start the app as root, and then the
    next guy who tries to start it correctly will wonder why stuff doesn't
    work, etc.

    JDW

    Jeremiah DeWitt Weiner Guest
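
Added example (not part of any post in this thread): a shell sketch of the two points raised in replies #3 and #4, that umask applies only when a file is created and leaves existing files alone, and that pre-creating log files with group write holds only until something removes and recreates them. It runs in a temporary directory; the function and file names are illustrative assumptions.

```shell
#!/bin/sh
# Constructed demo: works in a throwaway temp directory, no root needed.
# Function and file names are illustrative, not taken from the thread.

# mode_of FILE -> permission string such as -rw-rw-r--
mode_of() { ls -ld "$1" | cut -c1-10; }

# Create FILE under a given umask; shell redirection requests mode 0666,
# so the umask alone decides which bits survive.
create_with_umask() {   # usage: create_with_umask MASK FILE
    ( umask "$1"; : > "$2" )
    mode_of "$2"
}

# Reply #4's approach: create the log files up front with group write.
precreate_logs() {      # usage: precreate_logs DIR FILE...
    dir=$1; shift
    for f in "$@"; do
        : >> "$dir/$f"          # create if missing, never truncate
        chmod 664 "$dir/$f"     # explicit mode, independent of umask
    done
}

demo() {
    d=$(mktemp -d) || return 1
    # 1. umask decides the mode only at creation time.
    echo "created under umask 022: $(create_with_umask 022 "$d/john.log")"
    echo "created under umask 002: $(create_with_umask 002 "$d/joe.log")"
    # 2. It is passive: appending to the old file under 002 changes nothing.
    ( umask 002; echo more >> "$d/john.log" )
    echo "john.log after append under 002: $(mode_of "$d/john.log")"
    # 3. Pre-created files keep g+w while the app only appends ...
    precreate_logs "$d" generic.log
    ( umask 022; echo line >> "$d/generic.log" )
    echo "pre-created, then appended: $(mode_of "$d/generic.log")"
    # 4. ... but remove-and-recreate (e.g. rotation) falls back to umask.
    rm "$d/generic.log"
    echo "removed and recreated: $(create_with_umask 022 "$d/generic.log")"
    rm -rf "$d"
}
demo
```

Case 2 is the situation in the original question: files john created under a 022 umask stay `-rw-r--r--` after the umask is changed, so they need a one-time `chmod g+w` as well.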
