Comment: Bug fix to instructions to setup the setgid of directory. Now all new files created will belong to the correct group.

...

Gliffy Diagram: Multiple Tomcat Instances

Shortcut

Everything is packaged up at http://www.bonsaiframework.com/downloads/0fs-tomcat-linux/,

...

Code Block
languagebash
wget http://www.bonsaiframework.com/downloads/0fs-tomcat-linux/0fs-tomcat.tar.gz # this symbolically points to the latest 64-bit version

# NOTE - to work properly ensure serveradmin is setup per Bonsai instructions!
#

sudo tar -xvpf 0fs-tomcat.tar.gz # -p keeps the permissions stored in the archive; sudo is needed so the stored ownership is restored too
sudo mv ./0fs-tomcat/ /opt/ # the archive extracts into the current directory


# Optionally, to follow the Bonsaiframework convention: serveradmin owns the tree, members of the "staff" group can view files, and everyone else is locked out
cd /opt/
sudo chown -R serveradmin:staff ./0fs-tomcat/
sudo chmod -R o-rwx ./0fs-tomcat/
sudo find ./0fs-tomcat/ -type d -exec chmod g+s '{}' + # setgid on every directory so new files (logs, work, temp) inherit the staff group; explained under "Secure Directory" below

You are now ready to start Tomcat as serveradmin,

...

Code Block
languagebash
cd /home/serveradmin
sudo mv ./0fs-tomcat/ /opt/apache/

Only Allow serveradmin to Run Tomcat

Setting up and running Tomcat as serveradmin has the advantage that you can manage the application server without becoming root. It also limits the damage if somebody breaks into Tomcat.

We want to ensure that only serveradmin starts Tomcat, to prevent permission problems. For example, once you start Tomcat as root, the log files it creates during startup are owned by root and can no longer be managed by serveradmin. Running Tomcat as serveradmin rather than root is also safer: a compromised web application then runs with serveradmin's limited privileges instead of root's.

First, log in as serveradmin. All modifications to Tomcat, and all starting and stopping of Tomcat, happen as serveradmin.

...

Using this method, you can have different Tomcat instances running different versions of Java and control when you want to move between Java versions.

Secure Directory

Finally, because this is a multi-user machine, we secure Tomcat from other users and processes. serveradmin should be the only user with read and write access; members of the staff group get read access so they can debug; everyone else should not even be able to enter the directory.

Change the permissions,

Code Block
languagebash
cd /opt/
sudo chown -R serveradmin:staff ./0fs-tomcat/ # Only serveradmin and the staff group can manage files.
sudo chmod -R o-rwx ./0fs-tomcat/ # Prevent "other" from getting any access, including entering the directory.

However, this is not enough. New files created in those directories get the primary group of the user that creates them, and this includes the process user serveradmin: the log files written when Tomcat starts would belong to user serveradmin and group serveradmin, which is not what we want. To fix this we set the setgid bit on the directories, so that new files inherit the directory's group (staff) instead. Note that the setgid bit only controls the group of new files; whether staff can actually read them still depends on the umask of the process that creates them.

Code Block
languagebash
cd /opt/
sudo find ./0fs-tomcat/ -type d -exec chmod g+s '{}' + # Set setgid on every directory so new files inherit the staff group (the bit means something different on regular files, so do not use chmod -R g+s).
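
The whole "Secure Directory" procedure, plus a check that reports anything still wrong, as an added example script. This is not part of the Bonsai Framework package; the function names `secure_tomcat_dir` and `check_tomcat_dir` are ours, and the check relies on GNU findutils syntax (`-perm /MODE`, `-perm -MODE`). Run it with sudo against the real tree; the functions take the directory, owner and group as parameters so they can also be exercised on a scratch directory as an unprivileged user.

```bash
#!/usr/bin/env bash
# Added example (not the Bonsai Framework's own code): apply and verify the
# ownership, "other" lockdown and directory setgid for one Tomcat tree.
set -eu

# secure_tomcat_dir DIR OWNER GROUP
#   1. hand the whole tree to OWNER:GROUP
#   2. strip every permission from "other" so nobody else can even enter it
#   3. set setgid on every directory so files created later (logs, work/, temp/)
#      inherit GROUP instead of the creating user's primary group
secure_tomcat_dir() {
    local dir=$1 owner=$2 group=$3
    chown -R "$owner:$group" "$dir"
    chmod -R o-rwx "$dir"
    # directories only: the setgid bit has a different meaning on regular files
    find "$dir" -type d -exec chmod g+s '{}' +
}

# check_tomcat_dir DIR GROUP
#   prints each violation; returns 0 if the tree is clean, 1 otherwise
check_tomcat_dir() {
    local dir=$1 group=$2 bad=0 v
    # anything readable, writable or searchable by "other"
    v=$(find "$dir" -perm /007)
    if [ -n "$v" ]; then printf 'other has access:\n%s\n' "$v"; bad=1; fi
    # directories without the setgid bit (octal 2000)
    v=$(find "$dir" -type d ! -perm -2000)
    if [ -n "$v" ]; then printf 'directory missing setgid:\n%s\n' "$v"; bad=1; fi
    # entries whose group drifted away from GROUP (e.g. logs written before setgid was set)
    v=$(find "$dir" ! -group "$group")
    if [ -n "$v" ]; then printf 'wrong group:\n%s\n' "$v"; bad=1; fi
    return "$bad"
}

# Usage for the real install (run the script with sudo):
#   secure_tomcat_dir /opt/0fs-tomcat serveradmin staff
#   check_tomcat_dir  /opt/0fs-tomcat staff && echo "permissions OK"
```

Running `check_tomcat_dir` after Tomcat has been started once is the useful part: it catches log files that were created by root or with the wrong group before the directory was hardened, which `ls -l` on the top directory alone does not show.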

Verify Process is Running

...