I read the Apache Tomcat manual. It says to run Tomcat as a non-root user, but also that I should give ownership to root and that the group tomcat should only have read permission. If the group tomcat only has read permission, how can I start the service as non-root? Isn't that a contradiction?
Source:
Tomcat should not be run under the root user. Create a dedicated user for the
Tomcat process and provide that user with the minimum necessary permissions
for the operating system. For example, it should not be possible to log on
remotely using the Tomcat user.
Taking the Tomcat instances at the ASF as an example (where auto-deployment is
disabled and web applications are deployed as exploded directories), the
standard configuration is to have all Tomcat files owned by root with group
Tomcat and whilst owner has read/write privileges, group only has read and
world has no permissions. The exceptions are the logs, temp and work
directory that are owned by the Tomcat user rather than root.
I currently run the service as tomcat, with permissions 750 and ownership tomcat:tomcat on the /tomcat folder.
You should distinguish between two concepts:
The user (tomcat) and group (tomcat) that the process runs as, so that Tomcat cannot perform any operation reserved for the user root (see capabilities for a non-exhaustive list).
The file ownership: owner root (only the owner can change file permissions), group tomcat, with read-only access for group and others obtained by removing the w permission flag.
So inside $CATALINA_BASE: bin, conf and lib are read-only; webapps can be read and written, but that is only needed while an application is being deployed, and it can be set read-only afterwards; temp and work should be read-write for the Tomcat process (and possibly only for the Tomcat process).
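As an added example (not part of the question or the answer above), a POSIX shell audit that checks a $CATALINA_BASE tree against the layout the answer describes: bin, conf, lib and webapps writable by nobody but the owner, and logs, temp and work owned and writable by the Tomcat user. The function and variable names are this example's own, and the Tomcat user name is passed as an argument.

```shell
#!/bin/sh
# Audit a CATALINA_BASE tree against the layout the answer describes:
#   bin, conf, lib, webapps : nothing writable by group or others
#   logs, temp, work        : owned by the Tomcat user, owner-writable,
#                             never world-writable
# Usage: audit_catalina_base /path/to/catalina_base tomcat
# Prints each violation; returns 0 when the tree matches, 1 otherwise.
# DIRS_RO, DIRS_RW and the function names are this example's own choices.
DIRS_RO="bin conf lib webapps"
DIRS_RW="logs temp work"

# owner name (or numeric uid) of a path, as ls reports it
owner_of() { ls -ld "$1" | awk '{print $3}'; }

audit_catalina_base() {
  base="$1"; tc_user="$2"; rc=0
  for d in $DIRS_RO; do
    if [ ! -d "$base/$d" ]; then echo "MISSING: $base/$d"; rc=1; continue; fi
    # every file and directory below $d must lack the group (020)
    # and other (002) write bits
    bad=$(find "$base/$d" \( -perm -020 -o -perm -002 \) -print || true)
    if [ -n "$bad" ]; then
      printf 'WRITABLE BY GROUP/OTHER (expected read-only):\n%s\n' "$bad"; rc=1
    fi
  done
  for d in $DIRS_RW; do
    p="$base/$d"
    if [ ! -d "$p" ]; then echo "MISSING: $p"; rc=1; continue; fi
    # -prune keeps find on the start directory itself:
    # the owner needs the write bit (200), the world must not have it (002)
    if [ -n "$(find "$p" -prune ! -perm -200 -print)" ]; then
      echo "NOT OWNER-WRITABLE: $p"; rc=1
    fi
    if [ -n "$(find "$p" -prune -perm -002 -print)" ]; then
      echo "WORLD WRITABLE: $p"; rc=1
    fi
    # the writable directories belong to the Tomcat user, not root
    if [ "$(owner_of "$p")" != "$tc_user" ]; then
      echo "OWNER $(owner_of "$p") != $tc_user: $p"; rc=1
    fi
  done
  return $rc
}

# stand-alone use: sh audit.sh "$CATALINA_BASE" tomcat
if [ $# -ge 2 ]; then audit_catalina_base "$1" "$2"; fi
```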