Tomcat runs with the privileges of whichever account starts it, and in a typical manual install that account is root, which gives the servlet container, and every web application deployed in it, far more privilege than it needs. It should be deprivileged: create an ordinary user that owns the Tomcat tree, let developers deploy applications and restart the service as that user, and never run the container itself as root.
Create the normal user:
useradd usertest
echo "123456"|passwd --stdin usertest   # "123456" is a placeholder for the example; passwd --stdin is RHEL/CentOS-specific
Things to watch:
- The environment variables Tomcat needs (JAVA_HOME and friends) can be written into /etc/profile or into the user's ~/.bash_profile, but those files are only read by login shells. A service started at boot never sees them, so the init script below sets them itself.
- Rather than editing startup.sh and shutdown.sh in Tomcat's bin directory (changes there are lost on the next upgrade), put the same variables in $CATALINA_HOME/bin/setenv.sh, which catalina.sh sources on every start and stop.
Add a SysV init script as /etc/init.d/tomcat. The original version set TOMCAT_USER=root and ran startup.sh through a plain sudo, so Tomcat kept running as root and the user_exists() check selected between two identical branches; this version runs Tomcat as the unprivileged account and only matches its own java processes:
#!/bin/bash
#
# chkconfig: - 95 15
# description: Tomcat start/stop/status script
# Author: swper
# Email: hz328@58jb.com
#
# Runs Tomcat as the unprivileged TOMCAT_USER. Invoked by root (at boot, or by an
# administrator) it drops to that account with su; invoked by TOMCAT_USER itself it
# runs the Tomcat scripts directly; any other account goes through sudo -u and
# needs a matching sudoers rule.

# Location of JAVA_HOME (bin files). Services started at boot do not read
# /etc/profile or ~/.bash_profile, so the script has to set these itself.
export JAVA_HOME=/usr/local/java7
export JRE_HOME=$JAVA_HOME/jre
# catalina.sh resets CLASSPATH on start, so this only affects the shell itself
export CLASSPATH=$CLASSPATH:./:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
# Add Java binary files to PATH
export PATH=$JAVA_HOME/bin:$PATH

# CATALINA_HOME is the location of the configuration files of this instance of Tomcat
CATALINA_HOME=/usr/local/tomcat7
# TOMCAT_USER is the unprivileged account that owns CATALINA_HOME and runs Tomcat
TOMCAT_USER=usertest
# TOMCAT_USAGE is the message if this script is called without any options
TOMCAT_USAGE="Usage: $0 {\e[00;32mstart\e[00m|\e[00;31mstop\e[00m|\e[00;32mstatus\e[00m|\e[00;31mrestart\e[00m}"
# SHUTDOWN_WAIT is the wait time in seconds for the java process to stop
SHUTDOWN_WAIT=10

# PIDs of java processes started from this CATALINA_HOME and owned by TOMCAT_USER.
# Matching the -Dcatalina.home= JVM argument of TOMCAT_USER's processes, instead of
# grepping ps for the path, keeps unrelated processes (an editor open on server.xml,
# a tail -f on the logs) from being reported as Tomcat and killed by stop().
tomcat_pid() {
    pgrep -u "$TOMCAT_USER" -f "Dcatalina.home=$CATALINA_HOME"
}

# Run a Tomcat control script as TOMCAT_USER, whoever invoked this init script.
# -s /bin/sh makes this work even if the service account has a nologin shell;
# using su rather than sudo for the root case also sidesteps sudo's requiretty
# default, which would fail when there is no terminal at boot.
run_as_tomcat() {
    case "$(id -un)" in
        "$TOMCAT_USER") "$@" ;;
        root)           su -s /bin/sh "$TOMCAT_USER" -c "$*" ;;
        *)              sudo -u "$TOMCAT_USER" "$@" ;;
    esac
}

start() {
    pid=$(tomcat_pid)
    if [ -n "$pid" ]; then
        echo -e "\e[00;31mTomcat is already running (pid: $pid)\e[00m"
    else
        if [ "$(user_exists "$TOMCAT_USER")" != "1" ]; then
            echo -e "\e[00;31mUser $TOMCAT_USER does not exist; refusing to start Tomcat as root\e[00m"
            return 1
        fi
        echo -e "\e[00;32mStarting tomcat as $TOMCAT_USER\e[00m"
        run_as_tomcat "$CATALINA_HOME/bin/startup.sh"
        status
    fi
    return 0
}

status() {
    pid=$(tomcat_pid)
    if [ -n "$pid" ]; then
        echo -e "\e[00;32mTomcat is running with pid: $pid\e[00m"
    else
        echo -e "\e[00;31mTomcat is not running\e[00m"
    fi
}

stop() {
    pid=$(tomcat_pid)
    if [ -n "$pid" ]; then
        echo -e "\e[00;31mStopping Tomcat\e[00m"
        run_as_tomcat "$CATALINA_HOME/bin/shutdown.sh"
        count=0
        # Poll until the processes are gone or SHUTDOWN_WAIT seconds have passed
        until [ -z "$(tomcat_pid)" ] || [ "$count" -gt "$SHUTDOWN_WAIT" ]; do
            echo -e "\e[00;31mwaiting for processes to exit\e[00m"
            sleep 1
            count=$((count + 1))
        done
        if [ -n "$(tomcat_pid)" ]; then
            echo -e "\e[00;31mkilling processes which didn't stop after $SHUTDOWN_WAIT seconds\e[00m"
            # tomcat_pid only returns TOMCAT_USER's processes, so this cannot hit anything else
            kill -9 $pid
        fi
    else
        echo -e "\e[00;31mTomcat is not running\e[00m"
    fi
    return 0
}

user_exists() {
    if id -u "$1" >/dev/null 2>&1; then
        echo "1"
    else
        echo "0"
    fi
}

case $1 in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    status)
        status
        ;;
    *)
        echo -e "$TOMCAT_USAGE"
        ;;
esac
exit 0
Make it executable (and register it with chkconfig if it should start at boot):
chmod +x /etc/init.d/tomcat
Hand the Tomcat tree to the service account. Tomcat has to write work/, temp/, logs/ and webapps/, and this ownership is also what lets usertest deploy applications. It equally means usertest can edit every script under bin/, so any sudo rule that ran those scripts as root would hand usertest a passwordless root shell:
chown -R usertest:usertest /usr/local/tomcat7
sudo authorization. Do not redirect into /etc/sudoers: cat >/etc/sudoers replaces the whole file, including root's own ALL=(ALL) ALL entry and the #includedir /etc/sudoers.d line, and a single typo locks every administrator out. Put the rules in a fragment under /etc/sudoers.d instead (the stock /etc/sudoers normally ends with #includedir /etc/sudoers.d; check that yours does) and run visudo -cf on the fragment before relying on it:
cat >/etc/sudoers.d/tomcat<<-EOF
##=======================================
# User group
User_Alias MONITOR = usertest
## Tomcat control scripts. They live in the tree chown'd to usertest above, so they
## are run only as usertest, never as root: a root grant here would let usertest
## edit startup.sh and run anything as root without a password.
#Cmnd_Alias RESTART_SSH = /sbin/service sshd restart
Cmnd_Alias RESTART_TOMCAT = /usr/local/tomcat7/bin/startup.sh, /usr/local/tomcat7/bin/shutdown.sh
## Restart mysqld service (root-owned init script, so running it as root is safe).
Cmnd_Alias RESTART_MYSQL = /etc/init.d/mysqld restart, /sbin/service mysqld restart
## MONITOR may run the Tomcat scripts as usertest and restart mysqld as root; nothing else.
MONITOR ALL=(usertest) NOPASSWD: RESTART_TOMCAT
MONITOR ALL=(root) NOPASSWD: RESTART_MYSQL
##=======================================
EOF
chmod 0440 /etc/sudoers.d/tomcat
The rules above grant exactly two things: the Tomcat scripts, runnable only as usertest (sudo -u usertest ...; a plain sudo startup.sh, which would run Tomcat as root, is refused), and the MySQL restart as root. That is the least privilege this setup needs. usertest does not even need sudo for Tomcat, since it owns the tree and can run startup.sh and shutdown.sh directly; the RESTART_TOMCAT rule only matters for other accounts added to MONITOR. What sudo buys here is handing out the one root-only operation, restarting mysqld, without handing out root.
How to start:
Tomcat (as usertest; /sbin is not in a normal user's PATH by default, so call the init script by its path):
/etc/init.d/tomcat [start|restart|stop|status]
MySQL:
sudo /sbin/service mysqld restart
Afterwards check with ps that the java process belongs to usertest and not to root: that is what deprivileging means, and if the Tomcat scripts were run through sudo as root, the chown above would have changed nothing about the container's privileges. One thing this setup does not do is let Tomcat bind port 80. On Linux only root, or a process granted CAP_NET_BIND_SERVICE, can bind ports below 1024, so leave Tomcat on 8080 and bring port 80 to it with an iptables nat REDIRECT rule or a front-end web server such as nginx or Apache. Getting port 80 by running startup.sh as root would only put Tomcat back where we started.