1. 创建专用Tomcat用户和组
避免使用root用户运行Tomcat,降低安全风险。执行以下命令创建tomcat组和用户(用户主目录设为/opt/tomcat,shell设为/bin/false禁止登录):
sudo groupadd tomcat
sudo useradd -m -U -d /opt/tomcat -s /bin/false tomcat
2. 下载并解压Tomcat到指定目录
从Apache官网下载最新稳定版Tomcat(如9.0.x),解压至/opt目录并重命名:
cd /tmp
wget https://downloads.apache.org/tomcat/tomcat-9/v9.0.76/bin/apache-tomcat-9.0.76.tar.gz
sudo tar -zxvf apache-tomcat-9.0.76.tar.gz -C /opt/
sudo mv /opt/apache-tomcat-9.0.76 /opt/tomcat
3. 设置Tomcat目录权限
/opt/tomcat及其子目录的所有权赋予tomcat用户和组,确保Tomcat进程有权访问:sudo chown -R tomcat:tomcat /opt/tomcat
bin/*.sh):需可执行权限,用于启动/停止Tomcat:sudo chmod -R 755 /opt/tomcat/bin/*.sh
conf/):仅tomcat组可读,防止敏感信息泄露:sudo chmod -R 750 /opt/tomcat/conf
logs/):tomcat用户可写,用于记录运行日志:sudo chmod -R 770 /opt/tomcat/logs
webapps/):tomcat组可访问,部署的应用需能读取资源:sudo chmod -R 755 /opt/tomcat/webapps
temp/)、工作目录(work/):tomcat用户可写,用于存放临时数据:sudo chown -R tomcat:tomcat /opt/tomcat/temp /opt/tomcat/work
sudo chmod -R 750 /opt/tomcat/temp /opt/tomcat/work
4. 创建systemd服务文件
通过systemd管理Tomcat服务,确保以tomcat用户身份运行。创建/etc/systemd/system/tomcat.service文件,内容如下:
[Unit]
Description=Apache Tomcat Web Application Container
After=network.target
[Service]
Type=forking
User=tomcat
Group=tomcat
Environment="JAVA_HOME=/usr/lib/jvm/default-java"
Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_BASE=/opt/tomcat"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
Environment="JAVA_OPTS=-Djava.security.egd=file:/dev/./urandom"
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
RestartSec=10
Restart=always
[Install]
WantedBy=multi-user.target
关键参数说明:
User/Group:指定运行Tomcat的用户和组;CATALINA_OPTS:JVM内存和GC配置;JAVA_OPTS:随机数生成器优化(避免启动延迟)。5. 重新加载systemd并启动Tomcat
sudo systemctl daemon-reload # 重新加载systemd配置
sudo systemctl start tomcat # 启动Tomcat服务
sudo systemctl enable tomcat # 设置开机自启
6. 验证权限设置
ps aux | grep tomcat
tomcat用户运行进程。http://服务器IP:8080,若看到Tomcat默认页面,说明权限设置成功。