Contegix turned me on to daemontools, which is a great way to manage services you need to keep alive. A great use for it is managing multiple Apache Tomcat instances, each of which can easily be configured to run under a different user with different options.
I was recently running into a problem where a webapp running in Tomcat didn’t have access to a particular directory mounted via FUSE. I could verify that the user Tomcat was running under had access to the directory by logging in as that user and creating a file there. WTF?
Turns out the run script being used for the Tomcat service was using the daemontools program setuidgid, i.e.
exec setuidgid ${USER+"$USER"} ./bin/catalina.sh run
and the daemontools manual for that program states that it removes “all supplementary groups”. Doh!
The Tomcat user’s access to this particular directory is in fact granted based on a secondary group membership, and in this case it should really stay that way. setuidgid only allows a single user argument that’s used for both the user and the group, so I couldn’t change the running group, and there’s no option to keep the user’s secondary groups.
So I opted to use su instead of setuidgid, which leaves the secondary groups intact and gave the desired access to the directory:
exec su ${USER+"$USER"} -c "./bin/catalina.sh run"
Run catalina, run.
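As an added example (not from the original post), here is a preflight check you can drop into a daemontools run script before the exec line: it compares the groups the service user would keep under setuidgid (primary gid only) with those su preserves (primary plus supplementary), and reports when access to a directory depends on a group setuidgid would drop. The user name and directory path are placeholders you supply; it assumes GNU coreutils (stat -c).

```shell
#!/bin/sh
# Added example, not part of the original post or of daemontools itself.
# Preflight check for a daemontools ./run script: detect when the service
# user's access to a directory rests on a supplementary group that
# setuidgid would strip. Assumes GNU stat (-c %g).

# Groups the user keeps under setuidgid: the primary gid only.
groups_under_setuidgid() {
    id -g "$1"
}

# Groups the user keeps under su: primary plus all supplementary gids.
groups_under_su() {
    id -G "$1"
}

# Succeed if $1 appears in the remaining space-separated gid arguments.
gid_in_list() {
    gid=$1; shift
    for g in "$@"; do
        [ "$g" = "$gid" ] && return 0
    done
    return 1
}

# Succeed (0) if access to $2 for user $1 relies on a supplementary group:
# the directory's owning group is one the user holds, but not the primary.
# Returns 1 if the primary group (or no group) grants access, 2 on stat error.
needs_supplementary_group() {
    user=$1 dir=$2
    dir_gid=$(stat -c %g "$dir") || return 2
    # shellcheck disable=SC2046  (word splitting of gid lists is intended)
    gid_in_list "$dir_gid" $(groups_under_su "$user") || return 1
    ! gid_in_list "$dir_gid" $(groups_under_setuidgid "$user")
}

# Print a warning suitable for the service log; placeholder arguments.
warn_if_setuidgid_unsafe() {
    if needs_supplementary_group "$1" "$2"; then
        echo "warning: $1 reaches $2 only via a supplementary group;" \
             "setuidgid would drop it, use su instead" >&2
        return 1
    fi
    return 0
}

# Example use in ./run, before the exec line (placeholder user and path):
# warn_if_setuidgid_unsafe "${USER:-tomcat}" /mnt/fuse-share
```

The check itself runs unprivileged, since id and stat only read account and inode metadata.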