4

I want to run Tomcat 7 as a user on CentOS 6. I've created a user tomcat:tomcat and changed the ownership under /var/lib/apache-tomcat* etc...

There are lots of docs online on how to do that but I don't think they are current. Most of them indicate that you do it as below. Problem is... this technique will bomb because the tomcat startup etc scripts can't write to the PID due to lower permissions on the file system. I don't want to start loosening write permissions on the file system. The goal is to increase security.

What is the better way to do this? I'm surprised there is not a "canned" init script for tomcat. I know it's not complicated. But why do we have to keep reinventing the wheel?

Thanks

I've been using this one for years. I don't recall where I got it. I just added /bin/su tomcat.

#!/bin/sh
#
# Startup script for the Jakarta Tomcat Java Servlets and JSP server
#
# chkconfig: - 85 15
# description: Jakarta Tomcat Java Servlets and JSP server
# processname: tomcat
# pidfile: /var/run/tomcat.pid
# config:

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# Set Tomcat environment.
export JAVA_HOME=/usr/lib/jvm/java/
#export CLASSPATH=.:/usr/local/j2sdk/lib/tools.jar:/usr/local/j2re/lib/rt.jar
export CATALINA_HOME=/var/lib/tomcat
#export CATALINA_OPTS="-server -Xms64m -Xmx512m -Dbuild.compiler.emacs=true"
#export PATH=/usr/local/j2sdk/bin:/usr/local/j2re/bin:$PATH
export CATALINA_PID=/var/run/tomcat.pid

[ -f "$CATALINA_HOME/bin/startup.sh" ] || exit 0
[ -f "$CATALINA_HOME/bin/shutdown.sh" ] || exit 0

export PATH=$PATH:/usr/bin:/usr/local/bin

# See how we were called.
case "$1" in
  start)
        # Start daemon as user tomcat (-c runs the script through tomcat's shell).
        echo -n "Starting Tomcat: "
        /bin/su tomcat -c "$CATALINA_HOME/bin/startup.sh"
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && touch /var/lock/subsys/tomcat
        ;;
  stop)
        # Stop daemon as user tomcat.
        echo -n "Shutting down Tomcat: "
        /bin/su tomcat -c "$CATALINA_HOME/bin/shutdown.sh"
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && rm -f /var/lock/subsys/tomcat
        ;;
  restart)
        $0 stop
        sleep 1
        $0 start
        ;;
  condrestart)
        # Restart only if the service was running (lock file present).
        [ -e /var/lock/subsys/tomcat ] && $0 restart
        ;;
  status)
        status tomcat
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
        ;;
esac

exit 0
PrecisionPete
  • 231
  • 3
  • 10
  • Why don't you just install the `tomcat` package provided by your distribution, that already has a dedicated user and a tested `init` script? IIRC, there are both `tomcat` versions 6 and 7 available in the repos. – dawud Mar 22 '14 at 21:38
  • I did look at the tomcat-wsvc package. I've been running versions newer than seem to be available in the rpm. Also, they have a lot of dependencies that I don't need. Keeping it simple. All I want to do it run it as a daemon under a user account. I am surprised I can't get the supplied Tomcat daemon.sh to work. Should not be this hard. – PrecisionPete Mar 23 '14 at 03:30
  • If you have installed tomcat yourself to run it as a non-privileged user, then you should be able to create the pid file; else it will throw an exception as you have mentioned. – Pratap Sep 12 '14 at 08:18

2 Answers

1

Most likely, the permissions of the /var/run dir as on my machine are:

drwxr-xr-x 24 root root 740 Mar 22 11:48 run

So this folder is only writable by root. Your script is switching to user tomcat before starting the service, so this won't work.

The script should make use of a tool like start-stop-daemon which is able to tee out the PID file as root while starting the service under a given UID.

See this script as an example of an init script which is using start-stop-daemon.

vanthome
  • 730
  • 5
  • 13
  • Interesting. It seems to be part of Debian. Is it safe to use on CentOS? Or is there a RHEL equivalent technique? – PrecisionPete Mar 22 '14 at 20:22
  • RedHat/CentOS has `daemon` where Debian has `start-stop-daemon`. Have a look at the answers here: http://stackoverflow.com/questions/394984/best-practice-to-run-linux-service-as-a-different-user – zhenech Mar 22 '14 at 21:25
  • I later discovered Tomcat supplies daemon.sh that looks like it's supposed to do all of this. But after setting up the obvious environment variables, I still can't get it to work. Should be easier than this... – PrecisionPete Mar 23 '14 at 03:32
  • I don't know CentOS; I'm using Gentoo and there it's the standard for this job, but I'm 100% sure CentOS has an equivalent. Yes, some programs ship such scripts with them; I think you should try to get that one to work. – vanthome Mar 23 '14 at 09:10
1

One other option is to make a directory /var/run/tomcat and chown it to tomcat:tomcat. Then change your init script to

# pidfile: /var/run/tomcat/tomcat.pid

export CATALINA_PID=/var/run/tomcat/tomcat.pid
dmourati
  • 25,540
  • 2
  • 42
  • 72
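Putting both answers together (root prepares a PID directory owned by the service user, then drops privileges before starting Tomcat, so /var/run itself stays root-only) as an added example that is not from the question or either answer. It assumes Tomcat under /var/lib/tomcat, a `tomcat` user, and the PID file at /var/run/tomcat/tomcat.pid; the `prepare_piddir`, `tomcat_running`, `start` and `stop` functions are this example's own names.

```shell
#!/bin/sh
# Added example, not code from the question or answers. Assumed layout:
# Tomcat in /var/lib/tomcat, service user "tomcat", PID dir /var/run/tomcat.
TOMCAT_USER=${TOMCAT_USER:-tomcat}
CATALINA_HOME=${CATALINA_HOME:-/var/lib/tomcat}
PID_DIR=${PID_DIR:-/var/run/tomcat}
CATALINA_PID=$PID_DIR/tomcat.pid

# Create the PID directory while still root and hand it to the service user.
# Only this directory becomes writable by tomcat; /var/run stays root-owned.
prepare_piddir() {
    dir=$1; owner=$2
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    # chown needs root; when run unprivileged (e.g. a dry run) keep going.
    if [ "$(id -u)" -eq 0 ]; then chown "$owner:$owner" "$dir" || return 1; fi
    chmod 0755 "$dir"
}

# 0 when the PID file names a live process, 1 otherwise (stale file included).
tomcat_running() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

start() {
    prepare_piddir "$PID_DIR" "$TOMCAT_USER" || { echo "cannot prepare $PID_DIR"; return 1; }
    tomcat_running "$CATALINA_PID" && { echo "Tomcat already running"; return 0; }
    # Drop privileges only now; pass the variables on the command line because
    # su does not reliably hand the caller's exported environment to the child.
    /bin/su -s /bin/sh -c "CATALINA_HOME='$CATALINA_HOME' CATALINA_PID='$CATALINA_PID' \
        '$CATALINA_HOME/bin/startup.sh'" "$TOMCAT_USER"
}

stop() {
    tomcat_running "$CATALINA_PID" || { echo "Tomcat not running"; return 0; }
    /bin/su -s /bin/sh -c "CATALINA_HOME='$CATALINA_HOME' CATALINA_PID='$CATALINA_PID' \
        '$CATALINA_HOME/bin/shutdown.sh'" "$TOMCAT_USER"
}

# Dispatch only when an action is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    case "$1" in
        start)  start ;;
        stop)   stop ;;
        status) tomcat_running "$CATALINA_PID" && echo "running" || echo "stopped" ;;
        *) echo "Usage: $0 {start|stop|status}"; exit 1 ;;
    esac
fi
```

Tomcat's own catalina.sh writes and removes the PID file itself once CATALINA_PID is set, which is why the unprivileged user only needs write access to the directory.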