非root用户tomcat daemon配置

╰半橙微兮° 2022-06-06 07:35 173阅读 0赞

基于安全策略来考虑，绝大多数应用程序都应以非root用户来启动，对于轻量级的应用程序，如tomcat，用root再寻常不过了。你懂的，方便啊。在生产环境这么干很容易被攻击者通过脚本干太多的事情了。因此生产环境就还是麻烦一点吧，使用非root用户来启动。本文演示了基于非root用户启动tomcat，同时将其作为一个daemon服务随服务器自启动。

## 一、演示环境描述 ##

OS及tomcat版本
      [root@node132 ~]# more /etc/redhat-release
      CentOS release 6.7 (Final)
      [root@node132 ~]# /usr/local/tomcat/bin/catalina.sh version
      Using CATALINA_BASE: /usr/local/tomcat
      Using CATALINA_HOME: /usr/local/tomcat
      Using CATALINA_TMPDIR: /usr/local/tomcat/temp
      Using JRE_HOME: /usr/local/src/jdk1.7.0_79
      Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
      Server version: Apache Tomcat/7.0.69
      Server built: Apr 11 2016 07:57:09 UTC
      Server number: 7.0.69.0
      OS Name: Linux
      OS Version: 2.6.32-573.el6.x86_64
      Architecture: amd64
      JVM Version: 1.7.0_79-b15
      JVM Vendor: Oracle Corporation
    
    Java环境变量
      [root@node132 ~]# env|grep JAVA
      JAVA_HOME=/usr/local/src/jdk1.7.0_79

## 二、配置tomcat daemon服务及自启动 ##

添加tomcat用户及组
      [root@node132 ~]# groupadd tomcat
      [root@node132 ~]# useradd -s /sbin/nologin -g tomcat tomcat
      [root@node132 ~]# usermod -L tomcat
    
    配置启动脚本
      [root@node132 ~]# cd /usr/local/tomcat/bin/
      [root@node132 bin]# tar -xf commons-daemon-native.tar.gz
      [root@node132 bin]# cd commons-daemon-1.0.15-native-src/unix/
      [root@node132 unix]# ./configure --with-java=/usr/local/src/jdk1.7.0_79
      [root@node132 unix]# make
      [root@node132 unix]# cp jsvc /usr/local/tomcat/bin/.
    
      [root@node132 bin]# vim daemon.sh
      #!/bin/sh
    
      #chkconfig: 235 80 20 ##当前行开始添加下列行
      #description:tomcatd
    
      JAVA_HOME=/usr/local/src/jdk1.7.0_79 ##Author : Leshami
      CATALINA_HOME=/usr/local/tomcat ##Blog : http://blog.csdn.net/leshami
      TOMCAT_USER=tomcat
    
      #ARG0="$0" ##注释此行，用下一行替换
      ARG0=/usr/local/tomcat 配置自启动 [root@node132 bin]# cp daemon.sh /etc/init.d/tomcatd
      [root@node132 bin]# chkconfig --add tomcatd
      [root@node132 bin]# chkconfig tomcatd on
    
      [root@node132 bin]# chown -R tomcat:tomcat /usr/local/tomcat
      [root@node132 bin]# /etc/init.d/tomcatd start
    
      [root@node132 local]# ss -nltp|grep jsvc
      LISTEN 0 100 :::8009 :::* users:(("jsvc",15942,45))
      LISTEN 0 100 :::8080 :::* users:(("jsvc",15942,44))
    
      [root@node132 local]# ps -ef|grep tomcat
      root 16293 1 0 17:10 ? 00:00:00 jsvc.exec -java-home /usr/local/..
      tomcat 16294 16293 2 17:10 ? 00:00:02 jsvc.exec -java-home /usr/local/..
    
    测试
      [root@node132 local]# curl -I http://localhost:8080
      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      Content-Type: text/html;charset=ISO-8859-1
      Transfer-Encoding: chunked
      Date: Thu, 02 Nov 2017 07:35:08 GMT

## 三、基于su命令实现非root非daemon方式 ##

直接使用su - tomcat方式来实现非root用户运行tomcat程序

[root@node132 ~]# vim /etc/init.d/tomcat
      #!/bin/sh
      # Tomcat init script for Linux.
      #
      # chkconfig: 2345 96 14
      # description: The Apache Tomcat servlet/JSP container.
      JAVA_HOME=/usr/java/latest
      CATALINA_HOME=/usr/local/tomcat-su
      export JAVA_HOME CATALINA_HOME
      su - tomcat -c "exec $CATALINA_HOME/bin/catalina.sh $*" ##关键是这行
    
      [root@node132 ~]# /etc/init.d/tomcat start ##需要解锁账户
      This account is currently not available.
    
      [root@node132 ~]# usermod -U -s /bin/bash tomcat
      usermod: unlocking the user's password would result in a passwordless account.
      You should set a password with usermod -p to unlock this user's password.
      [root@node132 ~]# /etc/init.d/tomcat start
      Using CATALINA_BASE: /usr/local/tomcat
      Using CATALINA_HOME: /usr/local/tomcat
      Using CATALINA_TMPDIR: /usr/local/tomcat/temp
      Using JRE_HOME: /usr/local/src/jdk1.7.0_79
      Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:
      Tomcat started.
    
      [root@node132 ~]# ps -ef|grep tomcat
      tomcat 16600 1 69 17:25 ? 00:00:02 /usr/local/src/jdk1.7
    
      [root@node132 ~]# curl -I http://localhost:8080
      HTTP/1.1 200 OK
      Server: Apache-Coyote/1.1
      Content-Type: text/html;charset=ISO-8859-1
      Transfer-Encoding: chunked
      Date: Thu, 02 Nov 2017 09:20:54 GMT

## 四、基于sudo命令实现非root非daemon方式 ##

[root@node132 ~]# sudo su - tomcat /usr/local/tomcat/bin/catalina.sh start Using CATALINA_BASE: /usr/local/tomcat Using CATALINA_HOME: /usr/local/tomcat Using CATALINA_TMPDIR: /usr/local/tomcat/temp Using JRE_HOME: /usr/local/src/jdk1.7.0_79 Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar Tomcat started. [root@node132 ~]# ps -ef|grep tomcat tomcat 16523 1 64 17:24 pts/0 00:00:02 /usr/local/src/jdk1.7.0_79/bin....

## 五、三种方式比较 ##

daemon 方式可以实现自启动，安全度高，即账号可以锁定，配置nologin，但是会多启动一个进程  
  su及sudo方式大同小异，两者都需要账号为启用状态，少一个进程  
  三种方式中，都需要将tomcat其下相关目录的所有者设定为tomcat用户及其对应的属组

参考链接 [http://tomcat.apache.org/tomcat-7.0-doc/setup.html][http_tomcat.apache.org_tomcat-7.0-doc_setup.html]

[![DBA牛鹏社(SQL/NOSQL/LINUX)][DBA_SQL_NOSQL_LINUX]][DBA_SQL_NOSQL_LINUX_DBA_SQL_NOSQL_LINUX]

[http_tomcat.apache.org_tomcat-7.0-doc_setup.html]: http://tomcat.apache.org/tomcat-7.0-doc/setup.html
[DBA_SQL_NOSQL_LINUX]: http://pub.idqqimg.com/wpa/images/group.png
[DBA_SQL_NOSQL_LINUX_DBA_SQL_NOSQL_LINUX]: /images/20220606/2adf2b467f4140df80ff323b29358c4c.png