Tomcat – Set up ‘tomcat’ non-root user in Tomcat 8

Tags: java, tomcat, user-accounts, user-permissions

I've installed Tomcat 8 in Debian 8 and I need to harden the web server.

I'm following the official Tomcat documentation guide, and its security considerations section recommends creating another user (named tomcat) and starting the Tomcat process as that user:

Tomcat should not be run under the root user. Create a dedicated user
for the Tomcat process and provide that user with the minimum
necessary permissions for the operating system. For example, it should
not be possible to log on remotely using the Tomcat user.

I've created the tomcat user and group as the guide suggests, and I've created the /etc/systemd/system/tomcat.service file with the following configuration:

[Unit]
Description=Apache Tomcat Web Application Container
After=network.target

[Service]
Type=forking
#ExecStart=/opt/tomcat/bin/startup.sh
ExecStart=/usr/share/tomcat8/bin/startup.sh
#ExecStop=/opt/tomcat/bin/shutdown.sh
# This line must be ExecStop=, not a second ExecStart=: systemd refuses to load a
# non-oneshot service with more than one ExecStart= setting.
ExecStop=/usr/share/tomcat8/bin/shutdown.sh
User=tomcat
Group=tomcat

[Install]
WantedBy=multi-user.target

I made a softlink:

root@pc:/lib/systemd/system# ln -s tomcat.service /etc/systemd/system/tomcat.service

I enabled the service in systemd:

root@pc:/lib/systemd/system# systemctl enable tomcat.service
Created symlink from /etc/systemd/system/multi-user.target.wants/tomcat.service to /lib/systemd/system/tomcat.service.

Now when I checked whether the Tomcat process was running, I couldn't find the tomcat user as the owner of the process:

tomcat@labnet:/lib/systemd/system$ ps -aux | grep tomcat
tomcat8  18116  1.2  8.0 1662560 325140 ?      Sl   10:30   1:04 /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/var/lib/tomcat8/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC -Djava.endorsed.dirs=/usr/share/tomcat8/endorsed -classpath /usr/share/tomcat8/bin/bootstrap.jar:/usr/share/tomcat8/bin/tomcat-juli.jar -Dcatalina.base=/var/lib/tomcat8 -Dcatalina.home=/usr/share/tomcat8 -Djava.io.tmpdir=/tmp/tomcat8-tomcat8-tmp org.apache.catalina.startup.Bootstrap start

There is another user called tomcat8.

Using top:

tomcat@pc:/lib/systemd/system$ top
PID   USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM   TIME+   COMMAND
18116 tomcat8   20   0 1662560 325140  21068 S   0,3  8,0   1:04.29 java

I've checked /etc/group and /etc/passwd, and both users are present:

tomcat@pc:/lib/systemd/system$ grep tomcat /etc/group
tomcat8:x:114:
tomcat:x:1005:tomcat

root@pc:/etc/tomcat8# grep tomcat /etc/passwd
tomcat8:x:108:114::/usr/share/tomcat8:/bin/false
tomcat:x:1005:1005:tomcat,,,:/home/tomcat:/bin/bash

What should I change in order to use the tomcat user instead? My guess is that it could be the new user used by default in this version to run the Tomcat process.

Best Answer

You need to run systemctl daemon-reload before systemd will become aware of your new Tomcat service.
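A check a defender would run after daemon-reload and a restart, as an added example that is not part of the question or the answer: it reads passwd-format text and `ps -eo user,pid,args` output (here constructed samples modelled on the question's output) and reports whether the Catalina Bootstrap JVM is owned by the intended user and whether that user has a login shell, the two properties the quoted documentation asks for.

```shell
#!/bin/sh
# Post-change check: is the Tomcat JVM owned by the dedicated user, and is that
# user unable to log in? Runs on constructed sample data so it works offline;
# on a live host feed it `getent passwd` and `ps -eo user,pid,args` instead.

# Constructed /etc/passwd lines, modelled on the question's output.
SAMPLE_PASSWD='tomcat8:x:108:114::/usr/share/tomcat8:/bin/false
tomcat:x:1005:1005:tomcat,,,:/home/tomcat:/bin/bash'

# Constructed `ps -eo user,pid,args` output: the JVM still runs as tomcat8.
SAMPLE_PS='root 1 /sbin/init
tomcat8 18116 /usr/lib/jvm/default-java/bin/java -Dcatalina.base=/var/lib/tomcat8 org.apache.catalina.startup.Bootstrap start'

# login_shell USER PASSWD_TEXT: print USER's login shell from passwd-format text.
login_shell() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# shell_is_nologin SHELL: succeed if SHELL blocks interactive logins.
shell_is_nologin() {
  case "$1" in
    /bin/false|/usr/sbin/nologin|/sbin/nologin) return 0 ;;
    *) return 1 ;;
  esac
}

# tomcat_process_user PS_TEXT: print the owner of the Catalina Bootstrap JVM.
tomcat_process_user() {
  printf '%s\n' "$1" | awk '/org\.apache\.catalina\.startup\.Bootstrap/ { print $1; exit }'
}

# check_tomcat_user EXPECTED PASSWD_TEXT PS_TEXT: print "ok" or the first problem.
check_tomcat_user() {
  expected=$1; passwd=$2; ps_out=$3
  actual=$(tomcat_process_user "$ps_out")
  [ -n "$actual" ] || { echo "no Tomcat JVM found"; return 1; }
  [ "$actual" != root ] || { echo "Tomcat runs as root"; return 1; }
  [ "$actual" = "$expected" ] || { echo "Tomcat runs as $actual, not $expected"; return 1; }
  shell=$(login_shell "$expected" "$passwd")
  shell_is_nologin "$shell" || { echo "$expected has login shell $shell"; return 1; }
  echo ok
}

# With the question's data this reports the mismatch; `|| :` keeps the script going.
check_tomcat_user tomcat "$SAMPLE_PASSWD" "$SAMPLE_PS" || :
```

Note that even once the JVM runs as tomcat, the question's tomcat account still has /bin/bash as its shell, which this check flags as well.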