Set up 'tomcat' non-root user in Tomcat 8
I've installed Tomcat 8 in Debian 8 and I need to harden the web server.
I'm following the official Tomcat documentation guide, and its security considerations section recommends creating another user (named tomcat) and kicking off the Tomcat process with that user:
Tomcat should not be run under the root user. Create a dedicated user
for the Tomcat process and provide that user with the minimum
necessary permissions for the operating system. For example, it should
not be possible to log on remotely using the Tomcat user.
I've created the tomcat user and group as the guide suggests.
I've created the /etc/systemd/system/tomcat.service file with the following configuration:
[Unit]
Description=Apache Tomcat Web Application Container
After=network.target
[Service]
Type=forking
#ExecStart=/opt/tomcat/bin/startup.sh
ExecStart=/usr/share/tomcat8/bin/startup.sh
#ExecStop=/opt/tomcat/bin/shutdown.sh
ExecStart=/usr/share/tomcat8/bin/shutdown.sh
User=tomcat
Group=tomcat
[Install]
WantedBy=multi-user.target
I made a softlink to:
root@pc:/lib/systemd/system# ln -s tomcat.service /etc/systemd/system/tomcat.service
I enabled the service in systemd:
root@pc:/lib/systemd/system# systemctl enable tomcat.service
Created symlink from /etc/systemd/system/multi-user.target.wants/tomcat.service to /lib/systemd/system/tomcat.service.
Now when I checked if the tomcat process was running, I couldn't find the tomcat user as the owner of the process:
tomcat@labnet:/lib/systemd/system$ ps -aux | grep tomcat
tomcat8 18116 1.2 8.0 1662560 325140 ? Sl 10:30 1:04 /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/var/lib/tomcat8/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC -Djava.endorsed.dirs=/usr/share/tomcat8/endorsed -classpath /usr/share/tomcat8/bin/bootstrap.jar:/usr/share/tomcat8/bin/tomcat-juli.jar -Dcatalina.base=/var/lib/tomcat8 -Dcatalina.home=/usr/share/tomcat8 -Djava.io.tmpdir=/tmp/tomcat8-tomcat8-tmp org.apache.catalina.startup.Bootstrap start
There is another user called tomcat8.
Using top:
tomcat@pc:/lib/systemd/system$ top
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
18116 tomcat8 20 0 1662560 325140 21068 S 0,3 8,0 1:04.29 java
I've checked /etc/group and /etc/passwd, and both users are present:
tomcat@pc:/lib/systemd/system$ grep tomcat /etc/group
tomcat8:x:114:
tomcat:x:1005:tomcat
root@pc:/etc/tomcat8# grep tomcat /etc/passwd
tomcat8:x:108:114::/usr/share/tomcat8:/bin/false
tomcat:x:1005:1005:tomcat,,,:/home/tomcat:/bin/bash
What should I change in order to use the tomcat user instead? My guess is that it could be the new user used by default in this version to run the Tomcat process.
tomcat java user-accounts user-permissions
edited Jul 7 '15 at 19:09 by 030
asked Jul 7 '15 at 17:26 by Rafa Moyano
1 Answer
You need to run systemctl daemon-reload before systemd will become aware of your new Tomcat service.
answered Jun 13 '16 at 23:32 by mr.zog
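As an added example (not part of the original question or answer): a static check that reads the unit file, passwd entries and ps output quoted in the question and reports what conflicts with running Tomcat under a dedicated, non-login account. The function names and finding labels are assumptions made for illustration, and the sample data is constructed from the question's listings.

```shell
#!/bin/sh
# Added example: static checks for a systemd unit that should run a daemon
# under a dedicated non-root account. Sample data is constructed from the
# unit file, passwd lines and ps output quoted in the question.
UNIT='[Unit]
Description=Apache Tomcat Web Application Container
After=network.target
[Service]
Type=forking
#ExecStart=/opt/tomcat/bin/startup.sh
ExecStart=/usr/share/tomcat8/bin/startup.sh
#ExecStop=/opt/tomcat/bin/shutdown.sh
ExecStart=/usr/share/tomcat8/bin/shutdown.sh
User=tomcat
Group=tomcat
[Install]
WantedBy=multi-user.target'
PASSWD='tomcat8:x:108:114::/usr/share/tomcat8:/bin/false
tomcat:x:1005:1005:tomcat,,,:/home/tomcat:/bin/bash'
PS_LINE='tomcat8 18116 1.2 8.0 1662560 325140 ? Sl 10:30 1:04 java'  # shortened

# Last value of KEY= in the unit text; commented-out lines do not match.
unit_get()   { printf '%s\n' "$1" | awk -F= -v k="$2" '$1==k{v=$2} END{print v}'; }
# Number of KEY= lines in the unit text.
unit_count() { printf '%s\n' "$1" | awk -F= -v k="$2" '$1==k{n++} END{print n+0}'; }
# Login shell (field 7) of USER in passwd-format text.
login_shell() { printf '%s\n' "$1" | awk -F: -v u="$2" '$1==u{print $7}'; }

# audit_unit UNIT_TEXT PASSWD_TEXT [PS_LINE] -> one finding per line, none if clean
audit_unit() {
  user=$(unit_get "$1" User); type=$(unit_get "$1" Type)
  # No User= means systemd starts a system service as root.
  if [ -z "$user" ] || [ "$user" = root ]; then echo "RUNS_AS_ROOT"; fi
  # The service account should not have an interactive shell.
  case $(login_shell "$2" "$user") in
    */nologin|*/false) ;;
    "") if [ -n "$user" ]; then echo "NO_PASSWD_ENTRY:$user"; fi ;;
    *)  echo "LOGIN_SHELL:$user" ;;
  esac
  # systemd refuses a unit with several ExecStart= unless Type=oneshot.
  if [ "$type" != oneshot ] && [ "$(unit_count "$1" ExecStart)" -gt 1 ]; then
    echo "MULTIPLE_EXECSTART"
  fi
  # A process owned by another account is not running under this unit's User=.
  owner=${3%% *}
  if [ -n "$owner" ] && [ -n "$user" ] && [ "$owner" != "$user" ]; then
    echo "OWNER_MISMATCH:$owner"
  fi
  return 0
}

audit_unit "$UNIT" "$PASSWD" "$PS_LINE"
```

On a live host the same function can be fed the real files, for example `audit_unit "$(cat /etc/systemd/system/tomcat.service)" "$(cat /etc/passwd)"`.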