Jetty bash script works only with root user

I have installed Jetty 9 (latest version) by extracting the archive in /opt/jetty.

The start.jar runs fine, but I want the bash service bin/jetty.sh to be run by a non-root user.

The issue I'm having with the bash script is that when I don't specify a value for $JETTY_USER in /etc/default/jetty (it uses the root user), Jetty works. But when I assign a value to it, Jetty fails with the message Starting Jetty: FAILED, and no log.

So, how do I create a user that can run Jetty?

I know that this question is old, but since this behaviour bugged me recently as well, here is my hint. In my case it was Jetty 8.x on CentOS 6.5, and I had exactly the same behaviour: Jetty starting flawlessly when launched on the command line both as root and as the newly created jetty user, but failing to start whenever I tried to run it as a service and specified a user through the variable JETTY_USER in /etc/default/jetty. Logs were completely empty.

The trick in my case was that no directory was explicitly specified for logs in the JETTY_LOGS variable. When run directly as a user, if Jetty can't access the normal directory for logs it will try to create one for the user. With the startup script on CentOS/RH systems, though, the process is run by `su - -c "command" user`, which seems to break that kind of behaviour. No complaint is filed in the log file, as the process breaks right when trying to access it, and both stdout and stderr are redirected to the logs.

To debug your exact permissions problem, try running the server through "su -c" like the script does; the difference is that you will finally have your stderr on the console. And for the future, also manually create a jetty logs directory with the right permissions and specify it in the JETTY_LOGS variable: much less of a headache!

I faced the same issue. In my case I installed Jetty v 9.2.10.v201503 on a pcDuino v3 running Ubuntu 14.04, following the step-by-step installation guidelines "Startup a Unix Service using jetty.sh" (see the documentation on eclipse.org).

Since the steps are run as root, I ended up with mixed ownership (root and jetty) of files and directories in the $JETTY_BASE directory.

I added JETTY_LOGS=$JETTY_BASE/logs and JETTY_USER=jetty to the /etc/default/jetty file and reissued chown -R jetty:jetty $JETTY_BASE.

After these steps Jetty runs under the credentials of the jetty user. Though it was pretty easy, I hope that this note might be useful for others who are not professional admins.

Your question seems a little bit mixed up, so it's not 100% clear what outcome you are actually looking for.

The steps you're taking won't work, and there's very little you can do to make them work, but if you can explain what outcome you're after, then we may offer an alternative.

The short answer is:

  • If you set JETTY_USER then jetty.sh has to be run by root.
    Depending on your operating system it will either try to start the jetty daemon as JETTY_USER, or su to JETTY_USER, both of which assume you're running as root.

So, that path isn't going to work for you.

Here's what you can do:

If you simply want to run Jetty as a specific user (eg jetty)

  • don't set JETTY_USER
  • log in as jetty and run jetty.sh
  • this requires that your jetty server is running on a non-privileged port (ie not port 80)

If you want to be able to run on port 80 but not run as root

  • turn on setuid
  • start jetty.sh as the root user
  • you might consider hooking it into your operating system's service framework (eg using init.d and service)

If you want all users (or some users) to be able to start jetty, but have it run as 1 specific user

  • Use one of the above options along with appropriate rules

Check the ${jetty.home}/logs/start.log (or similarly named log file)

That will tell you why it failed.

Also, you might want to look into the optional setuid support.

http://www.eclipse.org/jetty/documentation/current/setuid.html

I faced the same issue; there was an access-rights problem on the directory /var/run/jetty/ and jetty was trying to write the logs in that directory.

A chmod 777 /var/run/jetty/ fixed the issue for me.

The problem is caused by no write access rights to JETTY_RUN, which by default is set to /var/run, which is effectively regenerated with rights reset to root only on every restart (daemon init). Actually jetty.sh has JETTY_RUN covered, such as:

..defaults to the first available of /var/run, /usr/var/run, JETTY_BASE and /tmp if not set.

but that wasn't working in my case. The solution is explicitly setting JETTY_RUN within /etc/init.d/jetty, pointing to a directory which the jetty user (group) has write access to (ie /opt/jetty/temp).

PS: Debian 8 vs Jetty 9.4

Several of the posted answers to this question are correct, and might be needed in combination. Also, setting JETTY_USER can have some indirect requirements.

Running jetty as a user other than root requires correct permissions allowing that user access to certain files/directories/trees. Those filesystem objects include the <jetty-home> tree, and either /var/run/jetty or wherever JETTY_RUN, JETTY_START_LOG and JETTY_LOGS are set to, if not left to default to /var/run/jetty.

Running jetty as a user by setting JETTY_USER (eg. JETTY_USER=jetty for running the OS service as non-root) also requires that OS user to have a valid shell (eg. /bin/sh) set in /etc/passwd. A good practice is to set that user to have an invalid shell (eg. /usr/sbin/nologin), closing the security hole of this service user allowing a login. In that case the jetty startup environment must also set JETTY_SHELL (eg. JETTY_SHELL=/bin/sh), providing a shell for the non-login session in which to execute the jetty executables.

These settings can be made in the service startup script (eg. /etc/init.d/jetty, where they're commented out by default), but it's a better practice to set them in /etc/default/jetty, leaving the startup script alone because it contains logic and other content better left undisturbed.

Also note that running jetty as root, such as starting it as a service without changing the configured jetty runtime user, will create files (such as logfiles) that are owned by root. Changing the runtime user to a non-root user can cause jetty to fail because it tries to rewrite, as the non-root user, a file that is owned by root. For example <jetty-base>/logs/<YYYY>_<MM>_<DD>.jetty.log. Changing the owner of that file to the non-root user, or deleting it, is necessary to solve that problem.

And note that when jetty fails to start up because of these kinds of problems it will not write to a log (none is accessible; jetty isn't actually running), outputting merely Starting Jetty: FAILED <datetime>.

All you have to do is change the ownership of the /var/run/jetty directory: sudo chown -R jetty:jetty /var/run/jetty
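The answers above converge on one diagnosis: when JETTY_USER is set, jetty.sh switches user via su before the server can open JETTY_RUN, JETTY_LOGS or files under JETTY_BASE, and anything still owned by root (a leftover <jetty-base>/logs/<date>.jetty.log, a freshly recreated /var/run) kills the start with a bare "Starting Jetty: FAILED" and no log. The script below is an added example, not code from the original thread or from the Jetty project: it renders the /etc/default/jetty settings the answers recommend (including JETTY_SHELL for a nologin service user), reports every path the service user does not own, and prints the chown/mkdir commands that repair it. JETTY_HOME=/opt/jetty comes from the question; the user name jetty, the JETTY_BASE and run directories, and the temporary tree in the demo are assumptions.

```sh
#!/bin/sh
# Added example (not from the original thread or the Jetty project): a
# pre-flight ownership check for the paths jetty.sh needs once JETTY_USER
# is set.  JETTY_HOME=/opt/jetty is from the question; everything else
# (user "jetty", base/run directories, the demo tree) is assumed.

# render_jetty_defaults USER BASE RUNDIR: print the /etc/default/jetty
# settings the answers converge on.  JETTY_SHELL is needed because the
# service user gets a nologin shell while jetty.sh starts the server with
# "su - $JETTY_USER".  The port is unprivileged because the process is no
# longer root (property name is for Jetty 9.3+; older releases use jetty.port).
render_jetty_defaults() {
    user=$1 base=$2 run=$3
    printf 'JETTY_HOME=/opt/jetty\n'
    printf 'JETTY_BASE=%s\n' "$base"
    printf 'JETTY_USER=%s\n' "$user"
    printf 'JETTY_SHELL=/bin/sh\n'
    printf 'JETTY_LOGS=%s/logs\n' "$base"
    printf 'JETTY_RUN=%s\n' "$run"
    printf 'JETTY_ARGS="jetty.http.port=8080"\n'
}

# owner_of PATH: owner name as shown by ls -ld (portable across GNU and
# BSD, whose stat(1) flags differ).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# jetty_owner_mismatches USER DIR...: check each directory and its direct
# children (where a root-owned <jetty-base>/logs/<date>.jetty.log left by
# an earlier root start shows up) and print one line per offending path:
# "OWNED_BY <owner> <path>" or "MISSING <dir>".  Returns 0 when everything
# belongs to USER, 1 otherwise.  Ownership is compared instead of the
# write bit because [ -w ] is always true for root and says nothing about
# what the service user will see after su.
jetty_owner_mismatches() {
    user=$1; shift
    rc=0
    for dir in "$@"; do
        if [ ! -e "$dir" ]; then
            echo "MISSING $dir"; rc=1; continue
        fi
        for path in "$dir" "$dir"/*; do
            [ -e "$path" ] || continue      # unexpanded '*' in an empty dir
            owner=$(owner_of "$path")
            if [ "$owner" != "$user" ]; then
                echo "OWNED_BY $owner $path"; rc=1
            fi
        done
    done
    return $rc
}

# jetty_fix_commands USER DIR...: turn the report into the commands that
# repair it.  They are printed, not executed, so the operator can review
# and run them as root.  chown to the service user is preferred over
# chmod 777, which would let every local account tamper with the PID file
# and logs.  Paths containing whitespace are not supported by this reader.
jetty_fix_commands() {
    user=$1; shift
    jetty_owner_mismatches "$user" "$@" | while read -r kind a b; do
        case $kind in
            MISSING)  echo "mkdir -p '$a' && chown $user:$user '$a'" ;;
            OWNED_BY) echo "chown $user:$user '$b'" ;;
        esac
    done
}

# Demo on a constructed temporary tree (no Jetty installation needed):
#   sh jetty_preflight.sh demo
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/base/logs" "$tmp/run"
    echo "--- /etc/default/jetty"
    render_jetty_defaults jetty "$tmp/base" "$tmp/run"
    echo "--- ownership report for user jetty"
    jetty_owner_mismatches jetty "$tmp/base" "$tmp/base/logs" "$tmp/run" "$tmp/missing"
    echo "--- suggested fix"
    jetty_fix_commands jetty "$tmp/base" "$tmp/base/logs" "$tmp/run" "$tmp/missing"
    rm -rf "$tmp"
fi
```

On a real host, run the report as root against the values from /etc/default/jetty (for example `jetty_owner_mismatches jetty /opt/jetty /opt/jetty/base /opt/jetty/base/logs /var/run/jetty`), apply the printed commands, and only then start the service; if it still fails silently, launch the same start command through su as the first answer suggests so stderr reaches the terminal. Because /var/run is recreated on boot on some distributions, the JETTY_RUN entry is the one most likely to reappear as MISSING or root-owned after a reboot, which is why the other answers either point JETTY_RUN at a directory the service user owns or re-chown /var/run/jetty.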
