2014-10-08 22:48 GMT+04:00 Mark Thomas <ma...@apache.org>:
> On 08/10/2014 19:36, Konstantin Kolinko wrote:
>> 2014-10-08 18:05 GMT+04:00 <ma...@apache.org>:
>>> Author: markt
>>> Date: Wed Oct 8 14:05:22 2014
>>> New Revision: 1630110
>>>
>>> URL: http://svn.apache.org/r1630110
>>> Log:
>>> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47919
>>> Extend the information logged when Tomcat starts to optionally include
>>> (enabled by default) the values of key environment variables.
>>
>(...)
>
>> 3. catalina.sh/catalina.bat already logs a number of those variables.
>
> Indeed but if you read the bug report you'll see what strikes me as a
> reasonable use case.
>
> An alternative approach would be to log the CATALINA_BASE and
> CATALINA_HOME system properties (since Tomcat uses these)

I am OK to log ${catalina.home}, ${catalina.base}, ${java.home},
${java.class.path}

For reference,
http://docs.oracle.com/javase/8/docs/api/java/lang/System.html#getProperties--

I do not mind logging of process environment variables, if it is
disabled by default.

I would rather log all environment variables (get map via
System.getenv() and sort by key) instead of hard-coding the list of
ones used by the scripts.

Motivation for disabling env logging by default:

a) I do not believe that this works, as the variables are not exported.
(I cannot test on a *nix system today. Maybe you have sample output?)

b) Confusion for Windows service users.
(They sometimes set system environment variables and expect the service
wrapper to use them. Logging the env values may give them a wrong idea,
as if those values matter).

c) Security concerns

> along with the
> result of ManagementFactory.getRuntimeMXBean().getInputArguments()

Interesting. I have no experience with that MBean though.

As an example, Eclipse IDE logs its arguments. E.g.
${workspace}/.metadata/.log file starts with:

[[[
!SESSION 2014-10-02 16:55:44.313 -----------------------------------------------
eclipse.buildId=4.4.0.I20140606-1215
java.version=1.7.0_67
java.vendor=Oracle Corporation
BootLoader constants: OS=win32, ARCH=x86, WS=win32, NL=ru_RU
Framework arguments: -product org.eclipse.epp.package.jee.product
Command-line arguments: -os win32 -ws win32 -arch x86 -product org.eclipse.epp.package.jee.product
]]]

If I remember correctly, in JVM crash logs the command line arguments
are also listed.

I am OK to enable such logging by default, but it would be better to
also have an option to be able to turn off such logging.

I think that somebody may see indiscriminate logging of java arguments
as a security concern. I do not see this as a security issue, as I expect
those to be visible with the "ps" command, and thus passing sensitive
information via such arguments is a bad idea.

Best regards,
Konstantin Kolinko
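
Added example, not part of the original message and not Tomcat's code: one way to implement the startup logging discussed in this thread, printing the four system properties, the JVM input arguments (on by default) and the full environment map sorted by key (off by default). The `example.startup.*` property names, the class name and the name-based masking heuristic are assumptions made for the illustration.

```java
import java.lang.management.ManagementFactory;
import java.util.Map;
import java.util.TreeMap;
import java.util.logging.Logger;
import java.util.regex.Pattern;

/** Added illustration; hypothetical class, not Tomcat's own listener. */
public class StartupInfoLogger {
    private static final Logger log = Logger.getLogger(StartupInfoLogger.class.getName());

    // Hypothetical switches: arguments are logged unless turned off,
    // the environment is logged only when explicitly turned on.
    static final boolean LOG_ARGS = !"false".equals(System.getProperty("example.startup.logArgs"));
    static final boolean LOG_ENV = Boolean.getBoolean("example.startup.logEnv");

    // Assumed heuristic for names whose values should not reach the log file.
    private static final Pattern SENSITIVE =
            Pattern.compile("(?i).*(pass|pwd|secret|token|key|credential).*");

    static String mask(String name, String value) {
        return SENSITIVE.matcher(name).matches() ? "***" : value;
    }

    /** Masks the value of a -Dname=value argument when the name looks sensitive. */
    static String maskArg(String arg) {
        int eq = arg.indexOf('=');
        if (!arg.startsWith("-D") || eq < 0) return arg;
        String name = arg.substring(2, eq);
        return "-D" + name + "=" + mask(name, arg.substring(eq + 1));
    }

    public static void logStartupInfo() {
        for (String p : new String[] {"catalina.home", "catalina.base", "java.home", "java.class.path"}) {
            log.info(p + ": " + System.getProperty(p));
        }
        if (LOG_ARGS) {
            for (String arg : ManagementFactory.getRuntimeMXBean().getInputArguments()) {
                log.info("Command line argument: " + maskArg(arg));
            }
        }
        if (LOG_ENV) {
            // A TreeMap copy of System.getenv() yields entries sorted by key.
            for (Map.Entry<String, String> e : new TreeMap<>(System.getenv()).entrySet()) {
                log.info("Environment variable: " + e.getKey() + " = " + mask(e.getKey(), e.getValue()));
            }
        }
    }

    public static void main(String[] args) {
        logStartupInfo();
    }
}
```

Run it with `-Dexample.startup.logEnv=true` to see the environment output; only variables actually exported to the JVM process appear, which is the concern raised in point a) above.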