From a security-policy standpoint, the vast majority of applications should be started as a non-root user. For lightweight applications such as Tomcat, running as root is all too common; you know why: it is convenient. In production, this makes it far too easy for an attacker to do a great deal through a single script. So in production, accept a little extra trouble and start it as a non-root user. This article demonstrates starting Tomcat as a non-root user and registering it as a daemon service that starts automatically with the server.
1. Demo environment
OS and Tomcat version
[root@node132 ~]# more /etc/redhat-release
CentOS release 6.7 (Final)
[root@node132 ~]# /usr/local/tomcat/bin/catalina.sh version
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/local/src/jdk1.7.0_79
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Server version: Apache Tomcat/7.0.69
Server built: Apr 11 2016 07:57:09 UTC
Server number: 7.0.69.0
OS Name: Linux
OS Version: 2.6.32-573.el6.x86_64
Architecture: amd64
JVM Version: 1.7.0_79-b15
JVM Vendor: Oracle Corporation
Java environment variables
[root@node132 ~]# env|grep JAVA
JAVA_HOME=/usr/local/src/jdk1.7.0_79
2. Configuring the Tomcat daemon service and auto-start
Add the tomcat user and group
[root@node132 ~]# groupadd tomcat
[root@node132 ~]# useradd -s /sbin/nologin -g tomcat tomcat
[root@node132 ~]# usermod -L tomcat
Configure the start script
[root@node132 ~]# cd /usr/local/tomcat/bin/
[root@node132 bin]# tar -xf commons-daemon-native.tar.gz
[root@node132 bin]# cd commons-daemon-1.0.15-native-src/unix/
[root@node132 unix]# ./configure --with-java=/usr/local/src/jdk1.7.0_79
[root@node132 unix]# make
[root@node132 unix]# cp jsvc /usr/local/tomcat/bin/.
[root@node132 bin]# vim daemon.sh
#!/bin/sh
#chkconfig: 235 80 20 ## add the following lines, starting at this line
#description:tomcatd
JAVA_HOME=/usr/local/src/jdk1.7.0_79 ##Author : Leshami
CATALINA_HOME=/usr/local/tomcat ##Blog : http://blog.csdn.net/leshami
TOMCAT_USER=tomcat
#ARG0="$0" ## comment out this line and replace it with the next one
ARG0=/usr/local/tomcat
Configure auto-start
[root@node132 bin]# cp daemon.sh /etc/init.d/tomcatd
[root@node132 bin]# chkconfig --add tomcatd
[root@node132 bin]# chkconfig tomcatd on
[root@node132 bin]# chown -R tomcat:tomcat /usr/local/tomcat
[root@node132 bin]# /etc/init.d/tomcatd start
[root@node132 local]# ss -nltp|grep jsvc
LISTEN 0 100 :::8009 :::* users:(("jsvc",15942,45))
LISTEN 0 100 :::8080 :::* users:(("jsvc",15942,44))
[root@node132 local]# ps -ef|grep tomcat
root 16293 1 0 17:10 ? 00:00:00 jsvc.exec -java-home /usr/local/..
tomcat 16294 16293 2 17:10 ? 00:00:02 jsvc.exec -java-home /usr/local/..
Test
[root@node132 local]# curl -I http://localhost:8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2017 07:35:08 GMT
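The ps output above is the shape a healthy jsvc deployment should have: a root-owned controller reparented to PID 1, and a tomcat-owned worker whose parent is that controller. The following script is an added example, not code from the original post or from Tomcat itself; it turns that visual check into a function that parses ps -ef output and fails when the worker is not running as the expected service user. The sample ps lines are constructed to match the layout shown on this page.

```shell
#!/bin/sh
# Added example, not part of the original post: verify from `ps -ef` output
# that Tomcat is running in the jsvc daemon layout shown above, i.e. one
# root-owned jsvc controller whose parent is PID 1 and a tomcat-owned
# worker whose parent is that controller. A worker running as root (the
# situation the post warns against) makes the check fail.
#
# ps -ef columns: UID PID PPID C STIME TTY TIME CMD  -> $1=UID $2=PID $3=PPID $8=CMD

# check_jsvc_tree <ps-ef-text> [expected-user]
# Returns 0 when the tree matches, 1 otherwise (reason on stderr).
check_jsvc_tree() {
    ps_text=$1
    want=${2:-tomcat}
    # the controller: owned by root, reparented to init, command is jsvc
    controller=$(printf '%s\n' "$ps_text" | awk '$1=="root" && $3==1 && $8 ~ /jsvc/ {print $2}')
    if [ -z "$controller" ]; then
        echo "no root-owned jsvc controller with parent PID 1" >&2
        return 1
    fi
    # the worker: child of the controller, must be owned by the service user
    worker_user=$(printf '%s\n' "$ps_text" | awk -v p="$controller" '$3==p && $8 ~ /jsvc/ {print $1}')
    case "$worker_user" in
        "$want") return 0 ;;
        "") echo "no jsvc worker under controller PID $controller" >&2; return 1 ;;
        *) echo "jsvc worker runs as '$worker_user', expected '$want'" >&2; return 1 ;;
    esac
}

# Constructed sample output (shaped like the ps -ef lines in the post, not captured from a host).
GOOD_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root     16293     1  0 17:10 ?        00:00:00 jsvc.exec -java-home /usr/local/src/jdk1.7.0_79
tomcat   16294 16293  2 17:10 ?        00:00:02 jsvc.exec -java-home /usr/local/src/jdk1.7.0_79
root     16400 16100  0 17:11 pts/0    00:00:00 grep tomcat'

# Constructed failure case: the worker was started as root.
BAD_PS='root     16293     1  0 17:10 ?        00:00:00 jsvc.exec -java-home /usr/local/src/jdk1.7.0_79
root     16294 16293  2 17:10 ?        00:00:02 jsvc.exec -java-home /usr/local/src/jdk1.7.0_79'

# Demo against the constructed samples; on a real host call: check_jsvc_tree "$(ps -ef)"
check_jsvc_tree "$GOOD_PS" && echo "sample 1: worker runs as tomcat (PASS)"
check_jsvc_tree "$BAD_PS" || echo "sample 2: rejected, as expected"
```

The root-owned controller is expected: jsvc needs it to bind the privileged ports and then drop to the user given by TOMCAT_USER. What must never be root is the worker that actually executes the web applications, which is why the function resolves the worker through its parent PID rather than just grepping for the user name.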
3. Non-root, non-daemon mode via su
Use su - tomcat directly to run the Tomcat process as a non-root user
[root@node132 ~]# vim /etc/init.d/tomcat
#!/bin/sh
# Tomcat init script for Linux.
#
# chkconfig: 2345 96 14
# description: The Apache Tomcat servlet/JSP container.
JAVA_HOME=/usr/java/latest
CATALINA_HOME=/usr/local/tomcat-su
export JAVA_HOME CATALINA_HOME
su - tomcat -c "exec $CATALINA_HOME/bin/catalina.sh $*" ## this is the key line
[root@node132 ~]# /etc/init.d/tomcat start ## the account still needs to be unlocked
This account is currently not available.
[root@node132 ~]# usermod -U -s /bin/bash tomcat
usermod: unlocking the user's password would result in a passwordless account.
You should set a password with usermod -p to unlock this user's password.
[root@node132 ~]# /etc/init.d/tomcat start
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/local/src/jdk1.7.0_79
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:
Tomcat started.
[root@node132 ~]# ps -ef|grep tomcat
tomcat 16600 1 69 17:25 ? 00:00:02 /usr/local/src/jdk1.7
[root@node132 ~]# curl -I http://localhost:8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 02 Nov 2017 09:20:54 GMT
4. Non-root, non-daemon mode via sudo
[root@node132 ~]# sudo su - tomcat /usr/local/tomcat/bin/catalina.sh start
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/local/src/jdk1.7.0_79
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Tomcat started.
[root@node132 ~]# ps -ef|grep tomcat
tomcat 16523 1 64 17:24 pts/0 00:00:02 /usr/local/src/jdk1.7.0_79/bin....
5. Comparison of the three approaches
The daemon approach supports auto-start and is the most secure: the account can be locked and given a nologin shell, at the cost of one extra process.
The su and sudo approaches are much alike; both require the account to be enabled, and they use one process fewer.
In all three approaches, the Tomcat directories must be owned by the tomcat user and its corresponding group.
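The comparison above comes down to the state of the service account: the jsvc approach works with a locked account on a nologin shell, while su - tomcat -c runs the command through the user's login shell, so /sbin/nologin only prints "This account is currently not available." (as seen in section 3, where the start succeeded once the shell was changed to /bin/bash, even though usermod had refused to unlock the password). The script below is an added example, not code from the original post; it classifies the account posture from passwd- and shadow-style entries, which are constructed here rather than taken from a host.

```shell
#!/bin/sh
# Added example, not part of the original post: classify the Tomcat service
# account from passwd/shadow-style entries, following the comparison above.
# Daemon (jsvc) mode works with a locked account on a nologin shell; the
# su/sudo variants need a real login shell because `su - tomcat -c ...`
# executes the command through that shell.

# account_shell <passwd-line>  -> prints the login shell (last field)
account_shell() {
    printf '%s\n' "$1" | awk -F: '{print $NF}'
}

# account_locked <shadow-line>  -> 0 if the password field is locked
# ("!" prefix as written by usermod -L / useradd, or "*"), 1 otherwise
account_locked() {
    pw=$(printf '%s\n' "$1" | awk -F: '{print $2}')
    case "$pw" in
        '!'*|'*') return 0 ;;
        *) return 1 ;;
    esac
}

# account_posture <passwd-line> <shadow-line> -> prints one of
#   locked-nologin    : fits the daemon/jsvc approach (section 2)
#   interactive-shell : what the su/sudo approaches need (sections 3 and 4)
#   unlocked-nologin  : nologin shell but the password is not locked
account_posture() {
    case "$(account_shell "$1")" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false)
            if account_locked "$2"; then echo locked-nologin; else echo unlocked-nologin; fi ;;
        *)
            echo interactive-shell ;;
    esac
}

# Constructed sample entries (not taken from a real host; the hash is a placeholder).
PASSWD_NOLOGIN='tomcat:x:500:500::/home/tomcat:/sbin/nologin'
PASSWD_BASH='tomcat:x:500:500::/home/tomcat:/bin/bash'
SHADOW_LOCKED='tomcat:!!:17472:0:99999:7:::'
SHADOW_HASHED='tomcat:$6$saltsalt$notarealhash:17472:0:99999:7:::'

echo "daemon-style account: $(account_posture "$PASSWD_NOLOGIN" "$SHADOW_LOCKED")"
echo "su-style account:     $(account_posture "$PASSWD_BASH" "$SHADOW_LOCKED")"
# On a real host, as root: account_posture "$(getent passwd tomcat)" "$(getent shadow tomcat)"
```

One further point on the ownership rule above: chown -R over the whole install also makes bin/, lib/ and conf/ writable by the service user, so a compromised web application could rewrite the server's own configuration or jars. The Tomcat security guidance is to keep those root-owned and give the tomcat user write access only to the directories it genuinely needs (logs/, temp/, work/ and, if applications are deployed at runtime, webapps/).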