Linux

Starting Tomcat as a non-root user according to the Tomcat security manual

  • February 17, 2020

I read the Apache Tomcat manual. It says to run Tomcat as a non-root user, but also that I should give ownership to root and that the tomcat group should have only read permission. If the tomcat group only has read permission, how can I start the service as non-root? Isn't that a contradiction?

Source:

Tomcat should not be run under the root user. Create a dedicated user for the
Tomcat process and provide that user with the minimum necessary permissions
for the operating system. For example, it should not be possible to log on
remotely using the Tomcat user.
Taking the Tomcat instances at the ASF as an example (where auto-deployment is
disabled and web applications are deployed as exploded directories), the
standard configuration is to have all Tomcat files owned by root with group
Tomcat and whilst owner has read/write privileges, group only has read and
world has no permissions. The exceptions are the logs, temp and work
directory that are owned by the Tomcat user rather than root.

I currently run the service as tomcat, with permissions 750 and ownership tomcat:tomcat on the folder /tomcat.

You should distinguish between two concepts:

  • The credentials of the Tomcat process. It should run as an unprivileged user: in your example, user tomcat, group tomcat, so that Tomcat cannot perform any operation reserved for the user root (see capabilities for an incomplete list).
  • The file permissions of the Tomcat files (see Unix modes). Most of these files can easily be read-only for the Tomcat process, and probably should be. This is usually obtained by setting the owner of these files to root (only the owner can change file permissions), the group to tomcat, and removing the w permission flag for group and others.

So inside $CATALINA_BASE:

  • almost all folders should be read-only for Tomcat, especially bin, conf and lib,
  • webapps may be read-write, but only while applications are being deployed; afterwards it can be set to read-only,
  • temp and work should be read-write for the Tomcat process (and probably only for the Tomcat process).
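The layout described in the answer, applied and then audited with a script. This is an added example, not code from the question, the answer or the Tomcat project; the owner, Tomcat user and group are parameters (in production: root tomcat tomcat) so the functions can be tried unprivileged on a constructed sample tree, and the audit's "no world-readable files" rule follows the quoted ASF configuration.

```shell
#!/bin/sh
set -eu

# Apply the layout: everything owned by $owner:$group, owner rw, group read-only,
# world nothing; temp, work and logs are handed to $tomcat_user so that only the
# Tomcat process can write there. Run as root in production (owner=root).
harden_catalina_base() {
  base=$1 owner=$2 tomcat_user=$3 group=$4
  chown -R "$owner:$group" "$base"
  find "$base" -type d -exec chmod 750 {} +
  find "$base" -type f -exec chmod 640 {} +
  # the startup scripts must stay executable for owner and group
  find "$base/bin" -type f -name '*.sh' -exec chmod 750 {} + 2>/dev/null || true
  for d in temp work logs; do
    if [ -d "$base/$d" ]; then chown -R "$tomcat_user:$group" "$base/$d"; fi
  done
}

# Audit: list anything group- or world-writable, or world-readable.
# Returns 0 only when the tree matches the described layout.
audit_catalina_base() {
  base=$1
  bad=$(find "$base" \( -perm -020 -o -perm -002 -o -perm -004 \) -print)
  if [ -n "$bad" ]; then
    printf 'paths violating the layout:\n%s\n' "$bad"
    return 1
  fi
}

# Constructed sample tree (assumption: mimics a freshly unpacked, too-permissive
# Tomcat directory) so the functions above can be exercised without root.
make_sample_base() {
  base=$(mktemp -d)
  mkdir -p "$base/bin" "$base/conf" "$base/lib" "$base/webapps" \
           "$base/temp" "$base/work" "$base/logs"
  printf '<Server/>\n' > "$base/conf/server.xml"
  printf '#!/bin/sh\n' > "$base/bin/catalina.sh"
  chmod -R 777 "$base"
  printf '%s\n' "$base"
}
```

Try it with `b=$(make_sample_base); harden_catalina_base "$b" "$(id -un)" "$(id -un)" "$(id -gn)"; audit_catalina_base "$b"`; as root use `root tomcat tomcat` instead.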

Quoted from: https://serverfault.com/questions/1003349