I'm setting up Tomcat on Centos according to https://www.digitalocean.com/community/tutorials/how-to-install-apache-tomcat-8-on-centos-7 , but with a twist: I put Tomcat in /opt/apache-tomcat-8.5.6
and then set up a symbolic link:
sudo ln -s /opt/apache-tomcat-8.5.6 /opt/tomcat
The instructions say to change the group ownership of /opt/tomcat to tomcat
…
sudo chgrp -R tomcat /opt/tomcat/conf
… then give the tomcat group write access to the configuration directory …
sudo chmod g+rwx /opt/tomcat/conf
… then give the tomcat group read access to all the configuration files …
sudo chmod g+r -R /opt/tomcat/conf
… then make the tomcat user owner of certain directories …
sudo chown -R tomcat /opt/tomcat/logs /opt/tomcat/temp /opt/tomcat/webapps/ /opt/tomcat/work/ /opt/tomcat/temp/ /opt/tomcat/logs/
My question is: why all the complicated setup? Why do we need to give the tomcat group ownership to some directories, the tomcat user owner to others, write access by the group to some files, read access to other files… Wouldn't it just be easier to make the tomcat user and the tomcat group owner of everything and be done with it?
sudo chown tomcat:tomcat -R /opt/tomcat
I want to use best practices here, so please explain why all the complicated steps are necessary. Thanks in advance.
The key reason for setting up all these permissions is security. The program Tomcat is executed as user 'tomcat' and group 'tomcat'. No real person can log in as these users.
Giving the minimal necessary permissions to this kind of user/process prevents a rogue or malicious process inside Tomcat from doing things to your Linux environment which are not desired.
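To make that difference concrete, here is an added example that is not part of the question or the answer: a small Python model of the Unix permission check, applied to two constructed layouts of /opt/tomcat. One mirrors the tutorial's chgrp/chmod/chown steps from the question (root keeps ownership of bin/, lib/ and conf/; the tomcat group gets g+rwx on conf/ and g+r on its files; the tomcat user owns logs, temp, webapps and work), the other is the flat `chown tomcat:tomcat -R`. The owners and modes are assumptions chosen to match those commands, and the file names under bin/ and lib/ are representative placeholders, not a real Tomcat listing. Running it lists which paths a process running as tomcat could modify under each layout.

```python
"""Added example (not from the question or the answer): a model of the Unix
permission check, used to compare the tutorial's Tomcat layout with a flat
`chown -R tomcat:tomcat`.  Owners, groups and modes are constructed to mirror
the commands in the question; catalina.sh and catalina.jar stand in for the
contents of bin/ and lib/."""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Entry:
    path: str
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o640


def can_write(entry: Entry, user: str, groups: Set[str]) -> bool:
    """Classic Unix rule: root always may; otherwise exactly one class of bits
    applies: owner bits if the user owns the file, else group bits if the user
    is in the file's group, else the 'other' bits.  Group bits never widen an
    owner's access, which is why keeping root as owner of conf/ matters."""
    if user == "root":
        return True
    if entry.owner == user:
        return bool(entry.mode & 0o200)
    if entry.group in groups:
        return bool(entry.mode & 0o020)
    return bool(entry.mode & 0o002)


def tutorial_layout() -> List[Entry]:
    """State after the tutorial's steps (constructed): root owns bin/, lib/
    and conf/; conf/ is group tomcat with g+rwx on the directory and g+r on
    its files; `chown -R tomcat` made tomcat the owner of the runtime dirs
    (their group is left as it was, assumed root here)."""
    return [
        Entry("/opt/tomcat/bin/catalina.sh", "root", "root", 0o755),
        Entry("/opt/tomcat/lib/catalina.jar", "root", "root", 0o644),
        Entry("/opt/tomcat/conf", "root", "tomcat", 0o770),
        Entry("/opt/tomcat/conf/server.xml", "root", "tomcat", 0o640),
        Entry("/opt/tomcat/conf/tomcat-users.xml", "root", "tomcat", 0o640),
        Entry("/opt/tomcat/logs", "tomcat", "root", 0o755),
        Entry("/opt/tomcat/temp", "tomcat", "root", 0o755),
        Entry("/opt/tomcat/webapps", "tomcat", "root", 0o755),
        Entry("/opt/tomcat/work", "tomcat", "root", 0o755),
    ]


def flat_layout() -> List[Entry]:
    """State after `sudo chown tomcat:tomcat -R /opt/tomcat` (constructed):
    same tree, everything owned by tomcat:tomcat, with the usual 0755 for
    directories and 0644 for files (files are recognised here by their
    extension, which is enough for this model)."""
    return [
        Entry(e.path, "tomcat", "tomcat",
              0o644 if "." in e.path.rsplit("/", 1)[1] else 0o755)
        for e in tutorial_layout()
    ]


def writable_by(layout: Iterable[Entry], user: str, groups: Set[str]) -> List[str]:
    """Sorted paths in `layout` that `user` (with `groups`) may write."""
    return sorted(e.path for e in layout if can_write(e, user, groups))


def extra_exposure(user: str = "tomcat",
                   groups: Set[str] = frozenset({"tomcat"})) -> List[str]:
    """Paths a process running as the service identity could modify under
    the flat layout but not under the tutorial's layout: the gain in
    containment that the extra commands buy."""
    flat = set(writable_by(flat_layout(), user, groups))
    tutorial = set(writable_by(tutorial_layout(), user, groups))
    return sorted(flat - tutorial)


if __name__ == "__main__":
    for name, layout in (("tutorial", tutorial_layout()), ("flat", flat_layout())):
        print(f"{name}: writable by tomcat -> {writable_by(layout, 'tomcat', {'tomcat'})}")
    print("extra exposure of the flat layout:", extra_exposure())
```

Under the tutorial layout the tomcat identity can write only the runtime directories plus conf/ itself; under the flat layout it can also rewrite catalina.sh, the library jar and server.xml, i.e. the code and configuration that define what Tomcat is. Note that the model still reports /opt/tomcat/conf as writable: the tutorial's chmod g+rwx lets the tomcat group add or remove entries in that directory even though it cannot edit server.xml in place, so if nothing running as tomcat needs to write there, g+rx on the directory is the tighter choice.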