2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how Tomcat can perform privileged operations on Linux while running as a non-root user. Many people are not familiar with this, so the main points are summarized below.
The tool that makes this possible is Jsvc, part of the Apache open source project Commons Daemon.
Introduction
The official website describes Jsvc as follows.
Jsvc is a set of libraries and applications that make it easier to run Java applications on UNIX. Jsvc allows an application to perform privileged operations as root (such as binding to a port below 1024) and then switch to an unprivileged user. On Win32 it can be used through the Cygwin emulation layer, although Windows users may prefer Procrun, which runs the application as a Windows service.
With Jsvc, then, we no longer need to run Tomcat as root in order to use port 80. Let's take a look at how to use Jsvc.
The CATALINA_HOME/bin directory contains a file called commons-daemon-native.tar.gz; compiling it produces the jsvc binary. The build commands are as follows:
cd $CATALINA_HOME/bin
tar xvfz commons-daemon-native.tar.gz
cd commons-daemon-1.0.x-native-src/unix
./configure
make
cp jsvc ../..
cd ../..
Then run the following command from CATALINA_HOME, and Tomcat will run as a daemon:
cd $CATALINA_HOME
./bin/jsvc \
    -classpath $CATALINA_HOME/bin/bootstrap.jar:$CATALINA_HOME/bin/tomcat-juli.jar \
    -outfile $CATALINA_BASE/logs/catalina.out \
    -errfile $CATALINA_BASE/logs/catalina.err \
    -Dcatalina.home=$CATALINA_HOME \
    -Dcatalina.base=$CATALINA_BASE \
    -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
    -Djava.util.logging.config.file=$CATALINA_BASE/conf/logging.properties \
    org.apache.catalina.startup.Bootstrap
Jsvc has many other useful parameters. The switch to an unprivileged user mentioned earlier is specified with -user, and the -server parameter makes the JVM process run in Server mode. Running jsvc with --help returns a list of all parameters.
One more point: if you use the -user option and start Tomcat as root, you need to disable the org.apache.catalina.security.SecurityListener check, otherwise startup will fail. The -user option is what lets a non-root user use a privileged port, as mentioned earlier: even though an ordinary user is specified, the privileged port can still be used.
Let's return to the opening topic. On Linux, we usually want Tomcat to run as a service that starts automatically at boot, which normally means creating a startup script in the /etc/init.d directory. If you use Jsvc for the service, Tomcat has already provided for this: the CATALINA_HOME/bin/ directory contains a daemon.sh script that can be used as a template.
One thing to note when running as a daemon: commons-daemon.jar must be on Tomcat's classpath, because the MANIFEST.MF of bootstrap.jar declares a dependency on that jar:
Class-Path: commons-daemon.jar
If you encounter an exception such as ClassNotFoundException at run time, add the jar to the classpath, which can be specified with the -cp parameter of jsvc.
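The -user option, the commons-daemon.jar requirement and the SecurityListener check are described above separately; the preflight function below puts them together before printing a jsvc command line for review. It is an added example, not code from the original article or from Tomcat; the function name jsvc_cmdline, its return codes and the account name tomcat in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper): preflight for starting Tomcat under
# jsvc with -user. Prints the jsvc command line when every check passes,
# otherwise prints the reason on stderr and returns non-zero.
# usage: jsvc_cmdline tomcat "$CATALINA_HOME" "$CATALINA_BASE"

jsvc_cmdline() {
    run_as=$1 home=$2 base=${3:-$2}

    uid=$(id -u "$run_as" 2>/dev/null) || { echo "no such user: $run_as" >&2; return 2; }
    # -user must name an unprivileged account, or nothing is dropped after the bind.
    [ "$uid" -ne 0 ] || { echo "-user $run_as is uid 0" >&2; return 3; }

    [ -x "$home/bin/jsvc" ] || { echo "jsvc not built in $home/bin" >&2; return 4; }

    # bootstrap.jar's manifest says Class-Path: commons-daemon.jar, which is
    # resolved relative to bootstrap.jar, so the jar has to sit in bin/ too.
    for jar in bootstrap.jar tomcat-juli.jar commons-daemon.jar; do
        [ -r "$home/bin/$jar" ] || { echo "missing $home/bin/$jar" >&2; return 5; }
    done

    # Heuristic: a SecurityListener line that is not inside a one-line XML
    # comment means the listener is active, which the article says makes
    # startup fail in this setup.
    if grep 'org.apache.catalina.security.SecurityListener' "$base/conf/server.xml" 2>/dev/null |
        grep -qv '<!--'; then
        echo "SecurityListener enabled in $base/conf/server.xml" >&2
        return 6
    fi

    printf '%s ' "$home/bin/jsvc" -user "$run_as" \
        -classpath "$home/bin/bootstrap.jar:$home/bin/tomcat-juli.jar" \
        -outfile "$base/logs/catalina.out" -errfile "$base/logs/catalina.err" \
        "-Dcatalina.home=$home" "-Dcatalina.base=$base" \
        -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
        "-Djava.util.logging.config.file=$base/conf/logging.properties" \
        org.apache.catalina.startup.Bootstrap
    echo
}
```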