Permissions of log files created by log4j RollingFileAppender
How are the permissions for files created by RollingFileAppender determined?
I recently changed a daemon process I have to be run as a non-root user and the files are now being created with permissions of 0600 (only readable by the owner), but I would like them to be readable by all or at least members of an admin group (0644 or 0640). Files created by my tomcat apps are always 0644 (readable by all).
I don't know if I inadvertently changed something else or if it is something to do with permissions of that user. I made the parent directory 0777 as a test and it didn't seem to help (it was 0755). Obviously not a big deal since I can sudo to look at them, but rather annoying and it will be a problem if I have to have a customer copy them for me.
Environment is Ubuntu 10.04LTS using jsvc/commons-daemon to run the daemon. In case it matters, here are the basics of my log4j config:
<!DOCTYPE log4j:configuration SYSTEM 'log4j.dtd'>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/" debug="true">
    <appender name="StdOutAppender" class="org.apache.log4j.ConsoleAppender">
        <!-- only send error / fatal messages to console (catalina.out) -->
        <param name="threshold" value="${log4j.StdOutAppender.threshold}" />
        <layout class="org.apache.log4j.PatternLayout">
            <param name="ConversionPattern" value="%5p %d{ISO8601} [%t][%x] %c - %m%n" />
            <!--%d{dd-MMM-yyyy HH:mm:ss.SSS} [%5p] %c{2}.%M [line:%L]: %m%n-->
        </layout>
    </appender>
    <appender name="TimeBasedRollingFileAppender" class="org.apache.log4j.rolling.RollingFileAppender">
        <param name="append" value="true" />
        <param name="encoding" value="UTF-8" />
        <param name="threshold" value="${log4j.TimeBasedRollingFileAppender.threshold}" />
        <rollingPolicy class="org.apache.log4j.rolling.TimeBasedRollingPolicy">
            <param name="FileNamePattern" value="${cloud.daemon.log4j.file.config.path}.%d.gz" />
        </rollingPolicy>
        <layout class="org.apache.log4j.PatternLayout">
            <param name="ConversionPattern" value="%5p %d{ISO8601} [%t][%x] %c - %m%n" />
            <!--%d{dd-MMM-yyyy HH:mm:ss.SSS} [%5p] %c{2}.%M [line:%L]: %m%n-->
        </layout>
    </appender>
    ....
Comments (5)
Log4J-core-2.9 will provide this feature: fileOwner, fileGroup and filePermissions for POSIX operating systems in FileAppender, RollingFileAppender and RollingRandomAccessFileManager:
<RollingFile name="RollingFile"
             fileName="mylogs.log"
             filePattern="mylogs-${date:MM-dd-yyyy}-%i.log.7z"
             fileOwner="log4j"
             fileGroup="log4grp"
             filePermissions="rw-r-----">
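I realise this is an old question, but since it was still the first hit when I searched for this issue...
You can simply subclass RollingFileAppender and set the permissions of the file the first time it is opened, like so: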
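import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import org.apache.log4j.RollingFileAppender;

public class WorldWritableFileAppender extends RollingFileAppender {
    @Override
    public synchronized void setFile(String fileName, boolean append,
            boolean bufferedIO, int bufferSize) throws IOException {
        // Let log4j open (or create) the log file first.
        super.setFile(fileName, append, bufferedIO, bufferSize);
        File f = new File(fileName);
        if (f.exists()) {
            // EnumSet.allOf(...) is every POSIX permission bit: rwxrwxrwx (0777).
            Files.setPosixFilePermissions(f.toPath(),
                    EnumSet.allOf(PosixFilePermission.class));
        }
    }
}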
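Then simply reference WorldWritableFileAppender in log4j.xml instead of RollingFileAppender.
<appender name="name" class="path.to.WorldWritableFileAppender">
This works because setFile() is called both when the logger is initially set up and when a new file is created after a rollover. The old file is moved aside using File.renameTo(), which preserves the permissions.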
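A restrictive counterpart to the appender in the answer above, as an added example that is not part of the original answer or of log4j: it applies rw-r----- (0640) instead of every permission bit and refuses group- or world-writable modes. The class name GroupReadableFileAppender and the filePermissions parameter are hypothetical; the code assumes log4j 1.x on the classpath and Java 7 or later.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

import org.apache.log4j.RollingFileAppender;

/** Hypothetical appender (added example): log files get an explicit, restrictive mode. */
public class GroupReadableFileAppender extends RollingFileAppender {

    // Default: owner read/write, group read, nothing for others (0640).
    private Set<PosixFilePermission> permissions =
            PosixFilePermissions.fromString("rw-r-----");

    /** Set from log4j.xml with: <param name="filePermissions" value="rw-r-----" /> */
    public void setFilePermissions(String mode) {
        // fromString throws IllegalArgumentException unless given a 9-character rwx string.
        Set<PosixFilePermission> parsed = PosixFilePermissions.fromString(mode);
        if (parsed.contains(PosixFilePermission.GROUP_WRITE)
                || parsed.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new IllegalArgumentException(
                    "log files must only be writable by their owner: " + mode);
        }
        permissions = parsed;
    }

    public String getFilePermissions() {
        return PosixFilePermissions.toString(permissions);
    }

    @Override
    public synchronized void setFile(String fileName, boolean append,
            boolean bufferedIO, int bufferSize) throws IOException {
        // log4j opens or creates the file; its initial mode comes from the umask.
        super.setFile(fileName, append, bufferedIO, bufferSize);
        Path path = new File(fileName).toPath();
        // Non-POSIX file systems expose no such view; leave the file as created.
        if (Files.getFileAttributeView(path, PosixFileAttributeView.class) != null) {
            Files.setPosixFilePermissions(path, permissions);
        }
    }
}
```

Between creation and the permission change the file carries its umask-derived mode, so the process umask remains the baseline control. Group read access also depends on the file's group, which this class does not change.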
Inside log4j.properties, include: log4j.appender.file.File=${user.home}/log
Anyway, this is my configuration, which shows the messages on the console and in the file "log".
# Root logger option
log4j.rootLogger=DEBUG, stdout, file
# Redirect log messages to console
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.Target=System.out
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n
# Redirect log messages to a log file, support file rolling.
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=${user.home}/test
log4j.appender.file.MaxFileSize=5MB
log4j.appender.file.MaxBackupIndex=10
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.file.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n
Add this to your pom file:
<plugin>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-maven-plugin</artifactId>
    <configuration>
        <jvmArguments>
            -DUMASK="0022"
            -Dorg.apache.catalina.security.SecurityListener.UMASK="0022"
        </jvmArguments>
    </configuration>
</plugin>
File permissions are determined by the user's umask - there's not a way to change it in log4j itself.
You probably want to set the user's umask to 0117.