Tomcat7 ubuntu user owner

Published 2019-05-09 06:10

Question:

By default, on Ubuntu tomcat7 runs under the 'tomcat7' user and group. I want to change it, because I can't upload files via sftp to the directories which are created by the 'tomcat7' process.

Changing TOMCAT7_USER and TOMCAT7_GROUP in /etc/init.d/tomcat7 and restarting the service doesn't help.

Answer 1:

I'd start by reverting your /etc/init.d/tomcat7 file back to what it originally was. Only in very rare cases do you want to manually edit files relating to init in /etc. If there's a built-in tool for that purpose, use the tool.

Use chown to change either the user or the user and the group of the directory you're trying to upload to.

For example, if the directory you're trying to upload to is something like /home/tomcat7/new_directory, do this:

cd /home/tomcat7
chown tomcat7:staff new_directory

Then new_directory will still be owned by tomcat7, but any user in the group staff will now have group permissions for new_directory.

If you need to add your username to the group staff, you can use

usermod -aG staff username

Where username is the name of the user you want uploading the files to new_directory.

If it still doesn't work after that, you might also want to check permissions on that directory.

MtWoRw@WorkVM:/home/tomcat7$ ls -l
total 8
drwxr-xr-x 2 tomcat7 tomcat7 4096 Oct  2 17:02 new_directory
-rw-r--r-- 1 tomcat7 tomcat7    6 Oct  2 17:03 regular_file.txt
MtWoRw@WorkVM:/home/tomcat7$  

The d indicates it's a directory, the next three spots indicate what the user/owner of the directory can do, the three spots after that are what the group can do (this group part is what you want to look at) and the last three are what the world can do. Make sure new_directory has permissions for the group to read, write and execute (read so you can see things, write so you can add/upload new files to it, and execute so you're able to open the directory (execute behaves a little differently on directories than on regular files)).

Use chmod to change the permissions on a directory or file. You'd type something like

chmod 775 /home/tomcat7/new_directory

The first digit in the number corresponds to what the user can do, the second digit to what the group can do and the third to what the world can do. There's a good explanation of everything you need for this issue here.



Answer 2:

Here is what works for me on a Debian 7 instance (which is very similar to Ubuntu).

It seems that there is a bug in the /etc/init.d/tomcat7 start script. The man page for start-stop-daemon says that user and group of the daemon process can be set with the -c parameter. Also note that the tomcat7 start script reads in /etc/default/tomcat7, which is where all default settings should be set.

So to run my tomcat process as user app0000, but with group tomcat7 (and not with group app0000 which is the primary group of user app0000) and with setuid 002 permissions so that users in group tomcat7 can delete app0000's files, I have the following settings:

in /etc/passwd:

tomcat7:x:120:65534::/usr/share/tomcat7:/bin/false
app0000:x:2000:2000:app0000:/home/app0000:/bin/bash

in /etc/group:

tomcat7:x:120:
app0000:x:2000:

in /etc/default/tomcat7:

TOMCAT7_USER=app0000
TOMCAT7_GROUP=tomcat7

make logs, temp and work group writeable:

drwxr-xr-x 11 tomcat7 tomcat7  4096 Mar 13 02:40 .
drwxr-x---  6 tomcat7 tomcat7  4096 Mar 29 15:06 ..
drwxr-xr-x  2 tomcat7 tomcat7  4096 Mar 29 15:33 bin
drwxr-xr-x  2 tomcat7 tomcat7  4096 Mar 29 14:30 conf
drwxr-xr-x 25 tomcat7 tomcat7  4096 Mar 29 07:54 confluence
drwxr-xr-x  2 tomcat7 tomcat7  4096 Mar 29 07:54 lib
-rw-r--r--  1 tomcat7 tomcat7 38657 Nov 28  2011 LICENSE
drwxr-xr-x  3 tomcat7 tomcat7  4096 Mar 13 02:40 licenses
drwxrwxr-x  2 tomcat7 tomcat7  4096 Mar 29 15:04 logs
-rw-r--r--  1 tomcat7 tomcat7   574 Nov 28  2011 NOTICE
-rw-r--r--  1 tomcat7 tomcat7  2291 Mar 13 02:40 README.html
-rw-r--r--  1 tomcat7 tomcat7  1212 Mar 13 02:40 README.txt
-rw-r--r--  1 tomcat7 tomcat7  8680 Nov 28  2011 RELEASE-NOTES
-rw-r--r--  1 tomcat7 tomcat7  6836 Nov 28  2011 RUNNING.txt
drwxrwxr-x  2 tomcat7 tomcat7  4096 Mar 29 13:16 temp
drwxr-xr-x  2 tomcat7 tomcat7  4096 Mar 13 02:40 webapps
drwxrwxr-x  3 tomcat7 tomcat7  4096 Mar 29 15:19 work

and finally (I think this is the most important part), fix /etc/init.d/tomcat7:

start-stop-daemon --start -b -u "$TOMCAT7_USER" -g "$TOMCAT7_GROUP" \
            -c "$TOMCAT7_USER:$TOMCAT7_GROUP" -k 002 -d "$CATALINA_TMPDIR" \
            -p "$CATALINA_PID" -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"

(originally:)

start-stop-daemon --start -b -u "$TOMCAT7_USER" -g "$TOMCAT7_GROUP" \
            -c "$TOMCAT7_USER" -d "$CATALINA_TMPDIR" \
            -p "$CATALINA_PID" -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
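The two answers rely on two separate settings working together: the directory mode from Answer 1 (chmod 775, group read/write/execute) and the process umask from Answer 2 (the -k 002 passed to start-stop-daemon), which decides whether files the Tomcat process creates are group-writable at all. The script below is an added example, not code from either answer; it reproduces both effects without root in a scratch directory and assumes GNU/busybox stat with -c.

```shell
#!/bin/sh
# Added example: shows how the umask a daemon runs with (start-stop-daemon -k 002
# in Answer 2) changes the mode of files it creates, and checks the directory's
# group bits from Answer 1 (chmod 775). Assumes stat -c (GNU coreutils/busybox).

# Octal permission bits of a path, e.g. 775.
mode_of() {
    stat -c '%a' "$1"
}

# Create an empty file under $1 with umask $2 and print its resulting mode.
# A process started with umask 022 yields 644 (group read-only);
# with umask 002 it yields 664 (group can write, as the answers need).
create_with_umask() {
    dir=$1; mask=$2; name=$3
    ( umask "$mask" && : > "$dir/$name" )
    mode_of "$dir/$name"
}

# Return 0 when the directory's group bits are rwx (the 775 case from Answer 1).
# stat -c '%A' prints e.g. drwxrwxr-x: type, then user, group, other triplets.
group_rwx() {
    perms=$(stat -c '%A' "$1")
    case "$perms" in
        ????rwx*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed scratch directory standing in for a Tomcat logs/temp/work dir.
demo_dir=$(mktemp -d)
chmod 775 "$demo_dir"
echo "directory mode: $(mode_of "$demo_dir")"                     # 775
echo "umask 022 file: $(create_with_umask "$demo_dir" 022 a.txt)" # 644
echo "umask 002 file: $(create_with_umask "$demo_dir" 002 b.txt)" # 664
if group_rwx "$demo_dir"; then
    echo "group members can read, write and enter $demo_dir"
fi
rm -rf "$demo_dir"
```

Even with 775 on the directory, a service running with the default umask 022 still creates files the group cannot modify, which is why Answer 2 changes the umask rather than only the ownership.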