At this stage, the Tomcat packages, files and binaries are owned by root. We will first need to create a Tomcat user and group that will own these files, and under which Tomcat will run.
Tomcat User :: tomcat
Tomcat Group :: tomcat
Not too imaginative, huh? We will now create the Tomcat user and group. Open a terminal window and, as root, run:
# groupadd tomcat
# useradd -g tomcat -d /opt/tomcat tomcat
# passwd tomcat
Notice that we specified the home directory of Tomcat to be /opt/tomcat. Some people believe that this is good practice because it eliminates an additional home directory that needs to be administered.
Now, we will put everything in /opt/tomcat under the Tomcat user and group. As root,
# chown -R tomcat:tomcat /opt/tomcat
If /opt/tomcat is a symlink to your Tomcat install directory, you'll need to do this:
# chown -R tomcat:tomcat /opt/jakarta-tomcat-5.x.xx
Verify that the JAVA_HOME and CATALINA_HOME environment variables are set up for the tomcat user, and you should be good to go. Once the Tomcat binaries are owned by the tomcat user, the way you invoke Tomcat will be different.
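Before starting Tomcat, the ownership change above can be checked, including the case where /opt/tomcat is a symlink. The script below is an added example, not part of the original post; the function names are hypothetical, and it assumes a `readlink` that supports `-f` and a `find` that supports `-user` and `-group`.

```sh
#!/bin/sh
# Added example: ownership audit for the Tomcat tree (helper names are hypothetical).

# Print how many entries under DIR are NOT owned by USER and GROUP.
# DIR is resolved with readlink -f first, so a symlink like /opt/tomcat is
# audited at its real target, the directory that chown -R must have covered.
count_foreign_owned() {
    dir=$1; user=$2; group=$3
    real=$(readlink -f -- "$dir") || return 2
    [ -d "$real" ] || return 2
    # Counts one line per entry; assumes no newlines in file names.
    find "$real" \( ! -user "$user" -o ! -group "$group" \) -print | wc -l | tr -d ' '
}

# Exit status 0: tree fully owned by USER:GROUP; 1: foreign entries; 2: bad DIR.
audit_tomcat_tree() {
    dir=$1; user=$2; group=$3
    n=$(count_foreign_owned "$dir" "$user" "$group") || {
        echo "cannot resolve directory: $dir" >&2
        return 2
    }
    if [ "$n" -eq 0 ]; then
        echo "OK: everything under $dir is owned by $user:$group"
        return 0
    fi
    echo "FAIL: $n entries under $dir are not owned by $user:$group" >&2
    # Show the first few offenders so they can be fixed with chown.
    find "$(readlink -f -- "$dir")" \( ! -user "$user" -o ! -group "$group" \) -print | head -n 10 >&2
    return 1
}

# Usage, as root, with the names from this page:
#   audit_tomcat_tree /opt/tomcat tomcat tomcat
```

Anything it reports is a file or directory that the chown step missed or that was later written as another user, for example a web application deployed as root.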
To start Tomcat,
# su - tomcat -c /opt/tomcat/bin/startup.sh
To stop Tomcat,
# su - tomcat -c /opt/tomcat/bin/shutdown.sh
Also, be aware that your web applications will need to be deployed (i.e. copied to the web application directories) as user tomcat, instead of root. A little more hassle, but possibly a little safer too.
Note that the JVM is a virtual machine with many threads under the same process. Because of OS constraints, all threads in the same process must run under the same user id: no thread may run as root unless they are all root. This is a limitation of the JVM.
Apache doesn't have this limitation since it uses multiple processes to do its work.
In Linux, a process can start as root, do some work, then change its user id to something less privileged via an OS system call. But once you switch down, you're stuck and can't go back.