I noticed that each time I restart Confluence 5.9.12, permissions on confluence.cfg.xml are reset:
$ ls -l /var/atlassian/application-data/confluence/confluence.cfg.xml -rw------- 1 confluence confluence 2227 May 9 11:20 /var/atlassian/application-data/confluence/confluence.cfg.xml $ bin/start-confluence.sh To run Confluence in the foreground, start the server with start-confluence.sh -fg executing as current user If you encounter issues starting up Confluence, please see the Installation guide at http://confluence.atlassian.com/display/DOC/Confluence+Installation+Guide Server startup logs are located in /opt/atlassian/confluence/logs/catalina.out Using CATALINA_BASE: /opt/atlassian/confluence Using CATALINA_HOME: /opt/atlassian/confluence Using CATALINA_TMPDIR: /opt/atlassian/confluence/temp Using JRE_HOME: /opt/atlassian/confluence/jre/ Using CLASSPATH: /opt/atlassian/confluence/bin/bootstrap.jar:/opt/atlassian/confluence/bin/tomcat-juli.jar Using CATALINA_PID: /opt/atlassian/confluence/work/catalina.pid Tomcat started. $ ls -l /var/atlassian/application-data/confluence/confluence.cfg.xml -rw-rw-r-- 1 confluence confluence 2227 May 9 13:08 /var/atlassian/application-data/confluence/confluence.cfg.xml
Notice that the permission was reset from 600 to 664 above.
This introduces security risks since the file is readable by everyone and it might (and normally does) contain db credentials.
Is there a way to ask Confluence not to reset the premissions?
Technically, Confluence isn't changing the permissions on the existing file. It actually recreates confluence.cfg.xml at launch, this 'new' file will have whatever the default permissions are set in the umask settings you have.
You can confirm the file creation via
You could change the default permissions for the Linux user that is used to start Confluence. There is a deep-dive into setting this at What is Umask and How To Setup Default umask Under Linux?
If you just want to set is for specific directories you could instead use setfacl. This appears to be a good resource, Linux setfacl command
I didn't test really far back but 5.9.x and 6.1.x both exhibit this behavior.
This community is celebrating its one-year anniversary and Atlassian co-founder Mike Cannon-Brookes has all the feels.Read more
Hi Community! Kesha (kay-sha) from the Confluence marketing team here! Can you share stories with us on how your non-technical (think Marketing, Sales, HR, legal, etc.) teams are using Confluen...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs