> In the current debian packaging of tomcat9 all its logs are consistent in their ownership

Is there consistency? Some other packages, like `jetty9`, write as `root:adm`, while the `tomcat9` package writes as `tomcat:adm`. So I can say that between different packages, there is no consistency in who owns the logs.

Yes, within `/var/log/tomcat9` one can claim that the files are owned by the same `user:group`, and are therefore consistent. But I do not see what positive effect that brings.

It is actually not good that the logs are owned by the `tomcat` user anyway, at least from a security point of view. This is a user which executes a web server, and it can read its own logs. So it would make more sense to go to `root:adm` by default. Yes, there is the elephant in the room: `tomcat` itself is writing logs there, and there is no easy way to make those logs unreadable by tomcat, as it also rotates them. But that is something we do not have to touch.