Resolving Tomcat Log File Permission Issues by Adjusting UMASK

The article begins by describing the environment where program files on online machines, including Tomcat itself, run under an APP account with its Bash shell disabled, and users log in via unified authentication, each with personal accounts.

Log files are created with permissions "rw-r-r" (0644) because the system's default UMASK is 0022, which subtracts from the base permissions (777 for directories, 666 for files). The author demonstrates the current UMASK with the command:

[root@localhost ~]# umask 0022

However, after deploying Tomcat, the generated log file catalina.out and its rotated versions have permissions 640 ("rw-r-----"), making them unreadable for developers who log in with other users.

Example file listings show the restrictive permissions:

-rw-r----- 1 app app 356K 12月 08 19:09 catalina.out -rw-r----- 1 app app 33M 12月 05 11:30 catalina.out.4.gz -rw-r----- 1 app app 31M 12月 06 08:44 catalina.out.3.gz -rw-r----- 1 app app 31M 12月 07 10:02 catalina.out.2.gz -rw-r----- 1 app app 45M 12月 08 19:09 catalina.out.1.gz

The root cause is that Tomcat's startup script ( catalina.sh ) resets the UMASK to its default value of 0027, which differs from the OS default of 0022. To fix the issue, edit catalina.sh and change the line that sets UMASK from "0027" to "0022" (or to the desired system UMASK).

After updating the script, Tomcat will inherit the correct UMASK, and newly created log files will have the expected permissions, allowing all developers to read them.