For security reasons, the vast majority of applications should be started as a non-root user. For lightweight applications such as Tomcat, running as root is all too common; you know why, it is convenient. Doing this in production makes it far too easy for an attacker to do damage through a script. So in production, accept a little extra trouble and start it as a non-root user. This article demonstrates starting Tomcat as a non-root user and, at the same time, registering it as a daemon service that starts automatically with the server.
OS and Tomcat version

[root@node132 ~]# more /etc/redhat-release
CentOS release 6.7 (Final)
[root@node132 ~]# /usr/local/tomcat/bin/catalina.sh version
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/local/src/jdk1.7.0_79
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Server version: Apache Tomcat/7.0.69
Server built:   Apr 11 2016 07:57:09 UTC
Server number:  7.0.69.0
OS Name:        Linux
OS Version:     2.6.32-573.el6.x86_64
Architecture:   amd64
JVM Version:    1.7.0_79-b15
JVM Vendor:     Oracle Corporation

Java environment variables

[root@node132 ~]# env|grep JAVA
JAVA_HOME=/usr/local/src/jdk1.7.0_79
Add the tomcat user and group

[root@node132 ~]# groupadd tomcat
[root@node132 ~]# useradd -s /sbin/nologin -g tomcat tomcat
[root@node132 ~]# usermod -L tomcat

Configure the startup script

[root@node132 ~]# cd /usr/local/tomcat/bin/
[root@node132 bin]# tar -xf commons-daemon-native.tar.gz
[root@node132 bin]# cd commons-daemon-1.0.15-native-src/unix/
[root@node132 unix]# ./configure --with-java=/usr/local/src/jdk1.7.0_79
[root@node132 unix]# make
[root@node132 unix]# cp jsvc /usr/local/tomcat/bin/.
[root@node132 bin]# vim daemon.sh
#!/bin/sh
#chkconfig: 235 80 20                  ## add the following lines starting here
#description:tomcatd
JAVA_HOME=/usr/local/src/jdk1.7.0_79   ##Author : Leshami
CATALINA_HOME=/usr/local/tomcat        ##Blog   : http://blog.csdn.net/leshami
TOMCAT_USER=tomcat
#ARG0="$0"                             ## comment out this line and replace it with the next one
ARG0=/usr/local/tomcat

Configure auto-start

[root@node132 bin]# cp daemon.sh /etc/init.d/tomcatd
[root@node132 bin]# chkconfig --add tomcatd
[root@node132 bin]# chkconfig tomcatd on
[root@node132 bin]# chown -R tomcat:tomcat /usr/local/tomcat
[root@node132 bin]# /etc/init.d/tomcatd start
[root@node132 local]# ss -nltp|grep jsvc
LISTEN     0      100                      :::8009                    :::*      users:(("jsvc",15942,45))
LISTEN     0      100                      :::8080                    :::*      users:(("jsvc",15942,44))
[root@node132 local]# ps -ef|grep tomcat
root     16293     1  0 17:10 ?        00:00:00 jsvc.exec -java-home /usr/local/..
tomcat   16294 16293  2 17:10 ?        00:00:02 jsvc.exec -java-home /usr/local/..

Test

[root@node132 local]# curl -I http://localhost:8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2017 07:35:08 GMT
Running Tomcat as a non-root user directly with su - tomcat
[root@node132 ~]# vim /etc/init.d/tomcat
#!/bin/sh
# Tomcat init script for Linux.
#
# chkconfig: 2345 96 14
# description: The Apache Tomcat servlet/JSP container.
JAVA_HOME=/usr/java/latest
CATALINA_HOME=/usr/local/tomcat-su
export JAVA_HOME CATALINA_HOME
su - tomcat -c "exec $CATALINA_HOME/bin/catalina.sh $*"   ## this is the key line
[root@node132 ~]# /etc/init.d/tomcat start   ## the account needs to be unlocked
This account is currently not available.
[root@node132 ~]# usermod -U -s /bin/bash tomcat
usermod: unlocking the user's password would result in a passwordless account.
You should set a password with usermod -p to unlock this user's password.
[root@node132 ~]# /etc/init.d/tomcat start
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/local/src/jdk1.7.0_79
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:
Tomcat started.
[root@node132 ~]# ps -ef|grep tomcat
tomcat   16600     1 69 17:25 ?        00:00:02 /usr/local/src/jdk1.7
[root@node132 ~]# curl -I http://localhost:8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2017 09:20:54 GMT
Running Tomcat as a non-root user with sudo su - tomcat

[root@node132 ~]# sudo su - tomcat /usr/local/tomcat/bin/catalina.sh start
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr/local/src/jdk1.7.0_79
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Tomcat started.
[root@node132 ~]# ps -ef|grep tomcat
tomcat   16523     1 64 17:24 pts/0    00:00:02 /usr/local/src/jdk1.7.0_79/bin....
The daemon approach supports auto-start and offers the highest level of security: the account can stay locked and keep /sbin/nologin as its shell, but one extra process (the jsvc controller) is started.

The su and sudo approaches are much alike: both require the account to be enabled (unlocked, with a login shell), and they run one process fewer. In all three approaches, the owner of Tomcat's directories must be set to the tomcat user and its corresponding group.
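A practitioner who follows any of the three procedures above will want to confirm two things afterwards: that the JVM really runs as the service user (with jsvc, only the controller may be root, and its worker child must have dropped to the tomcat user), and that everything under CATALINA_HOME is owned by that user, as the summary requires. The POSIX sh script below is an added example, not part of the original post or of Tomcat's own daemon.sh. It assumes `ps -eo user,pid,ppid,comm` output as its input format; the ps samples embedded in it are constructed to mirror the layouts shown in the post, not captured from a real host, and the function names `check_jvm_user` and `check_owner` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): post-deployment checks for a
# non-root Tomcat.
#   check_jvm_user PS_OUTPUT EXPECTED_USER
#     Fails if any java/jsvc.exec process runs as root, with one exception:
#     a root-owned jsvc.exec controller whose jsvc.exec child runs as
#     EXPECTED_USER (jsvc binds privileged ports as root, then drops
#     privileges in the worker).
#   check_owner CATALINA_HOME EXPECTED_USER
#     Fails if any entry under CATALINA_HOME is owned by another user.

# Constructed sample ps output, one process per line: USER PID PPID COMM.
# Illustrative only; PIDs and layouts mirror the post, not a real host.
SAMPLE_JSVC='root 16293 1 jsvc.exec
tomcat 16294 16293 jsvc.exec
root 1 0 init'
SAMPLE_SU='tomcat 16600 1 java
root 1 0 init'
SAMPLE_ROOT_JVM='root 17001 1 java
root 1 0 init'
SAMPLE_JSVC_NO_DROP='root 16293 1 jsvc.exec
root 16294 16293 jsvc.exec'

# check_jvm_user PS_OUTPUT EXPECTED_USER -> exit 0 if acceptable, 1 otherwise
check_jvm_user() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 4 { user[$2] = $1; ppid[$2] = $3; comm[$2] = $4 }
        END {
            bad = 0
            for (p in user) {
                if (comm[p] != "java" && comm[p] != "jsvc.exec") continue
                if (user[p] == want) continue
                if (user[p] == "root" && comm[p] == "jsvc.exec") {
                    # a root controller is fine only if its worker child runs as want
                    ok = 0
                    for (c in user)
                        if (ppid[c] == p && comm[c] == "jsvc.exec" && user[c] == want) ok = 1
                    if (ok) continue
                }
                printf "FAIL: pid %s (%s) runs as %s, expected %s\n", p, comm[p], user[p], want
                bad = 1
            }
            exit bad
        }'
}

# check_owner CATALINA_HOME EXPECTED_USER -> exit 0 if every entry is owned by EXPECTED_USER
check_owner() {
    # find(1) -user is POSIX; only the first few offenders are shown
    offenders=$(find "$1" ! -user "$2" 2>/dev/null | head -n 5)
    if [ -n "$offenders" ]; then
        printf 'FAIL: entries under %s not owned by %s:\n%s\n' "$1" "$2" "$offenders"
        return 1
    fi
    return 0
}

# Stand-alone demo on the constructed samples. On a real host you would run
#   check_jvm_user "$(ps -eo user,pid,ppid,comm)" tomcat
#   check_owner /usr/local/tomcat tomcat
check_jvm_user "$SAMPLE_JSVC" tomcat && echo "jsvc layout: ok"
check_jvm_user "$SAMPLE_SU" tomcat && echo "su/sudo layout: ok"
check_jvm_user "$SAMPLE_ROOT_JVM" tomcat || echo "root JVM rejected, as intended"
check_jvm_user "$SAMPLE_JSVC_NO_DROP" tomcat || echo "jsvc without privilege drop rejected, as intended"
```

The jsvc exception is deliberately narrow: a root jsvc.exec is tolerated only when a jsvc.exec child owned by the expected user exists, so a daemon.sh whose TOMCAT_USER was left unset (both processes root) is reported as a failure rather than waved through.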