我阅读了 tomcat apache 的手册,其中说要以非 root 身份运行 tomcat,但我应该将所有权授予 root,而 tomcat 组应该只具有读取权限。如果我只授予 tomcat 组读取权限,我该如何以非 root 身份启动服务?这难道不矛盾吗?
来源:
Tomcat should not be run under the root user. Create a dedicated user for the
Tomcat process and provide that user with the minimum necessary permissions
for the operating system. For example, it should not be possible to log on
remotely using the Tomcat user.
aking the Tomcat instances at the ASF as an example (where auto-deployment is
disabled and web applications are deployed as exploded directories), the
standard configuration is to have all Tomcat files owned by root with group
Tomcat and whilst owner has read/write privileges, group only has read and
world has no permissions. The exceptions are the logs, temp and work
directory that are owned by the Tomcat user rather than root.
我当前以 tomcat 的身份运行该服务,其权限为 750,文件夹 /tomcat 的所有权为 tomcat:tomcat。
答案1
你应该区分两个概念:
- 这证书Tomcat 进程。这应该以非特权用户身份运行:示例中为用户
tomcat、组。这样,Tomcat 就无法执行任何保留给用户的操作tomcat根(参见能力(不完整列表)。 - Tomcat 文件的文件权限(参见Unix 模式)。这些文件中的大多数文件对于 Tomcat 进程来说很容易是只读的,而且可能应该如此。这通常是通过将这些文件的所有者设置为
root(只有所有者可以更改文件权限)、将组设置为tomcat并删除w组和其他人的权限标志来实现的。
因此里面$CATALINA_BASE:
- 对于 Tomcat 来说,几乎所有文件夹都应该是只读的,尤其是
bin、conf和lib, webapps可以是读写的,但仅在应用程序部署期间才需要,之后可以将其设置为只读,temp并且work应该读写对于 Tomcat 进程(可能只是 Tomcat 进程)。