Bug 693835 - /var/log/tomcat6/catalina.out owned by pkiuser
Summary: /var/log/tomcat6/catalina.out owned by pkiuser
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pki-core
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Matthew Harmsen
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 693815
Blocks:
Reported: 2011-04-05 17:25 UTC by John Dennis
Modified: 2015-01-04 23:47 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 693815
Environment:
Last Closed: 2011-12-06 16:28:58 UTC
Target Upstream Version:


Attachments
patch to fix (3.03 KB, patch)
2011-08-05 18:43 UTC, Matthew Harmsen
awnuk: review+


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1655 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2011-12-06 00:50:24 UTC

Description John Dennis 2011-04-05 17:25:59 UTC
+++ This bug was initially created as a clone of Bug #693815 +++

/var/log/tomcat6/catalina.out user & group ownership gets set to pkiuser. This is not correct; we should not be setting anything outside our tomcat instance. This occurs because of these lines in /etc/init.d/tomcat6:

TOMCAT_LOG="${TOMCAT_LOG:-/var/log/tomcat6/catalina.out}"

    [ "$RETVAL" -eq "0" ] && touch $TOMCAT_LOG 2>&1 || RETVAL="4" 
    if [ "$RETVAL" -eq "0" -a "$?" -eq "0" ]; then
      chown ${TOMCAT_USER}:${TOMCAT_USER} $TOMCAT_LOG
    fi

The fundamental problem is we do not set TOMCAT_LOG in /etc/sysconfig/<instance>, which is a template file installed in /usr/share/pki/{ca,kra,ocsp,tks}/conf/tomcat6.conf

--- Additional comment from jdennis@redhat.com on 2011-04-05 12:10:40 EDT ---

Created attachment 490027
set TOMCAT_LOG when tomcat6 initscript is executed

Comment 1 John Dennis 2011-04-05 17:32:50 UTC
Background: This problem was first observed when candlepin (https://home.corp.redhat.com/wiki/entitlement-home) was being tested. Candlepin also has a tomcat6 instance. It does not appear as of the moment that candlepin server will be in RHEL 6.1. However, this bug has the potential to affect any other tomcat6 instance which might get installed, and as such it would be prudent to have the fix be in RHEL 6.1 even if candlepin is not in RHEL 6.1.

Comment 2 RHEL Product and Program Management 2011-04-05 17:43:14 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 3 Jenny Severance 2011-05-27 14:06:57 UTC
What should be the ownership of the file?

Comment 4 John Dennis 2011-05-28 14:50:09 UTC
It should be owned by the tomcat user, e.g.

$ id tomcat
uid=91(tomcat) gid=91(tomcat) groups=91(tomcat)

It's probably also ok if it's owned by root.

Either one would be acceptable.

Just as a clarification, the $TOMCAT_USER in the above shell snippet is NOT necessarily the same as the tomcat user uid (i.e. the uid of the package owner), which is what prompted the bug in the first place. The $TOMCAT_USER in the shell snippet refers to the tomcat instance owner.
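
The fallback described in the bug description and in Comment 4, as an added example that is not part of the original thread or of the pki-core patch: a shell audit that parses an instance's sysconfig file, applies the initscript's TOMCAT_LOG default, and flags instances whose owner would be given the shared log. It assumes TOMCAT_USER falls back to tomcat when unset; the function names, the sample files and the /var/log/pki-ca/catalina.out value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug or pki-core); sample values are constructed.
DEFAULT_LOG=/var/log/tomcat6/catalina.out  # initscript default quoted in the bug
PACKAGE_USER=tomcat                        # assumption: default when TOMCAT_USER is unset

# get_var FILE NAME: value of the last uncommented NAME=... line, quotes stripped.
# The file is parsed rather than sourced, so the audit never executes config.
get_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed "s/^[\"']//; s/[\"'][[:space:]]*\$//"
}

# audit_instance FILE: print "<verdict> <user> <log>"; return 1 when the
# initscript would chown the shared default log to an instance owner.
audit_instance() {
    user=$(get_var "$1" TOMCAT_USER)
    log=$(get_var "$1" TOMCAT_LOG)
    user=${user:-$PACKAGE_USER}
    log=${log:-$DEFAULT_LOG}   # same fallback as "${TOMCAT_LOG:-...}"
    if [ "$log" = "$DEFAULT_LOG" ] && [ "$user" != "$PACKAGE_USER" ]; then
        echo "AFFECTED $user $log"
        return 1
    fi
    echo "OK $user $log"
}

# Constructed sysconfig files: an instance template before and after TOMCAT_LOG
# is set, plus a stock tomcat6 config that sets neither variable.
demo=$(mktemp -d)
printf 'TOMCAT_USER="pkiuser"\n' > "$demo/pki-ca.before"
printf 'TOMCAT_USER="pkiuser"\nTOMCAT_LOG="/var/log/pki-ca/catalina.out"\n' \
    > "$demo/pki-ca.after"
printf '# TOMCAT_LOG="/tmp/unused.out"\n' > "$demo/tomcat6"
for f in "$demo"/*; do
    printf '%-14s %s\n' "${f##*/}" "$(audit_instance "$f")"
done
rm -rf "$demo"
```

On a real host the same function can be pointed at each file under /etc/sysconfig that a tomcat6-based initscript reads; a non-zero return marks an instance that still relies on the shared default.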

Comment 5 Matthew Harmsen 2011-08-05 18:43:58 UTC
Created attachment 516935
patch to fix

This attachment replicates the changes documented via attachment 790027 which has been applied and tested on the TIP.

Comment 6 Matthew Harmsen 2011-08-05 18:47:42 UTC
Comment on attachment 516935
patch to fix

This attachment replicates the changes documented via attachment 490027 which has been applied and tested on the TIP.

Comment 7 Matthew Harmsen 2011-08-05 19:01:43 UTC
IPA_v2_RHEL_6_ERRATA_BRANCH:

# cd pki

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       base/ca/shared/conf/tomcat6.conf
M       base/setup/pkicreate
M       base/tks/shared/conf/tomcat6.conf
M       base/ocsp/shared/conf/tomcat6.conf
M       base/kra/shared/conf/tomcat6.conf

# svn commit
Sending        base/ca/shared/conf/tomcat6.conf
Sending        base/kra/shared/conf/tomcat6.conf
Sending        base/ocsp/shared/conf/tomcat6.conf
Sending        base/setup/pkicreate
Sending        base/tks/shared/conf/tomcat6.conf
Transmitting file data .....
Committed revision 2114.

Comment 8 Matthew Harmsen 2011-08-05 19:19:01 UTC
IPA_v2_RHEL_6_ERRATA_BRANCH:

# cd pki

# svn update

# svn info | grep Revision
Revision: 2114

Extrapolating from Bugzilla Bug #691076:

    ./pki/scripts/pki_patch_maker 2113 2114 pki-core 9.0.3
        pki-core-9.0.3-r2114.patch

Comment 9 Matthew Harmsen 2011-08-05 20:15:44 UTC
Backout changes to KRA, OCSP, and TKS and reapply them back one at a time to make the creation of patches easier:

# cd pki/base

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       tks/shared/conf/tomcat6.conf
M       ocsp/shared/conf/tomcat6.conf
M       kra/shared/conf/tomcat6.conf

# svn commit
Sending        base/kra/shared/conf/tomcat6.conf
Sending        base/ocsp/shared/conf/tomcat6.conf
Sending        base/tks/shared/conf/tomcat6.conf
Transmitting file data ...
Committed revision 2116.

Comment 10 Matthew Harmsen 2011-08-05 23:23:20 UTC
Backout changes to CA and SETUP and reapply them back to make the creation of the patches easier:

Backout:

# cd pki/base

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       ca/shared/conf/tomcat6.conf
M       setup/pkicreate

# svn commit
Sending        base/ca/shared/conf/tomcat6.conf
Sending        base/setup/pkicreate
Transmitting file data ..
Committed revision 2117.


Reapply:

# cd pki/base

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       ca/shared/conf/tomcat6.conf
M       setup/pkicreate

# svn commit
Sending        base/ca/shared/conf/tomcat6.conf
Sending        base/setup/pkicreate
Transmitting file data ..
Committed revision 2118.

Comment 11 Matthew Harmsen 2011-08-06 00:35:26 UTC
Recreating the 'pki-core' patch:

IPA_v2_RHEL_6_ERRATA_BRANCH:

# cd pki

# svn update

# svn info | grep Revision
Revision: 2118

Extrapolating from Bugzilla Bug #691076:

    ./pki/scripts/pki_patch_maker 2113 2118 pki-core 9.0.3
        pki-core-9.0.3-r2118.patch

Comment 12 Matthew Harmsen 2011-08-06 00:38:18 UTC
IPA_v2_RHEL_6_ERRATA_BRANCH:

# cd pki

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
A       patches/pki-core-9.0.3-r2118.patch
M       specs/pki-core.spec

# svn commit
Adding         patches/pki-core-9.0.3-r2118.patch
Sending        specs/pki-core.spec
Transmitting file data ..
Committed revision 2119.

Comment 13 Matthew Harmsen 2011-08-06 00:47:52 UTC
Reapply changes back to KRA to make the creation of the patch easier:

# cd pki

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       base/kra/shared/conf/tomcat6.conf

# svn commit
Sending        base/kra/shared/conf/tomcat6.conf
Transmitting file data .
Committed revision 2120.

Comment 14 Matthew Harmsen 2011-08-06 01:19:46 UTC
Reapply changes back to OCSP to make the creation of the patch easier:

# cd pki

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       base/ocsp/shared/conf/tomcat6.conf

# svn commit
Sending        base/ocsp/shared/conf/tomcat6.conf
Transmitting file data .
Committed revision 2121.

Comment 15 Matthew Harmsen 2011-08-06 01:22:04 UTC
Reapply changes back to TKS to make the creation of the patch easier:

# cd pki

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       base/tks/shared/conf/tomcat6.conf

# svn commit
Sending        base/tks/shared/conf/tomcat6.conf
Transmitting file data .
Committed revision 2122.

Comment 16 Matthew Harmsen 2011-08-06 01:27:40 UTC
In regards to Comments 13, 14, and 15:

The './pki/scripts/pki_patch_maker' script correctly ONLY creates patches for the
following components:

Usage:  ./pki/scripts/pki_patch_maker <startrev> <endrev> <srpm> <basever>

        where:

            <startrev> is the starting SVN revision

            <endrev> is the ending SVN revision

            <srpm> is one of the following:

                 ipa-pki-theme
                 pki-core

            <basever> is the version of the specified <srpm>

IMPORTANT:  Successful use of this script relies upon separation
            of 'pki-core' and 'ipa-pki-theme' check-ins.  All
            patch files automatically produced by this script
            should be applied and tested thoroughly before
            being accepted as proper patches.


As a consequence of this behavior, NO patches will be created for the 'pki-kra', 'pki-ocsp', or 'pki-tks' components, AND when the next PATCH is created (e. g. - 'pki-core'), the following syntax will need to be utilized to successfully skip past the three previous check-ins:

    Extrapolating from Bugzilla Bug #691076:

        ./pki/scripts/pki_patch_maker 2122 <endref> pki-core 9.0.3

Comment 17 Matthew Harmsen 2011-08-06 01:37:07 UTC
Updated 'spec' files for pki-kra, pki-ocsp, and pki-tks even though these components will never exist for RHEL 6.2:

# cd pki

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M    specs/pki-kra.spec
M    specs/pki-tks.spec
M    specs/pki-ocsp.spec

# svn commit
Sending        specs/pki-kra.spec
Sending        specs/pki-ocsp.spec
Sending        specs/pki-tks.spec
Transmitting file data ...
Committed revision 2123.

Comment 19 Kaleem 2011-11-04 18:44:53 UTC
Verified. 

Now /var/log/tomcat6/catalina is owned by tomcat.

[root@dhcp201-155 tomcat6]# ls -la  /var/log/tomcat6/catalina.out 
-rw-r--r--. 1 tomcat tomcat 0 Apr 29  2011 /var/log/tomcat6/catalina.out
[root@dhcp201-155 tomcat6]#

pki-ca version:
pki-ca-9.0.3-20.el6.noarch

Comment 20 errata-xmlrpc 2011-12-06 16:28:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1655.html

