best practice for access permission to users for apache tomcat

I do it this way:

We make the tomcat user the owner of the tomcat folder:

# chown -R tomcat:tomcat /opt/tomcat

Users cannot modify the configuration of tomcat:

# chmod -R g+r /opt/tomcat/conf

Users can modify the other folders:

# chmod -R g+w /opt/tomcat/logs
# chmod -R g+w /opt/tomcat/temp
# chmod -R g+w /opt/tomcat/webapps
# chmod -R g+w /opt/tomcat/work

Activate the sticky bit so that new files keep the permissions defined:

# chmod -R g+s /opt/tomcat/conf
# chmod -R g+s /opt/tomcat/logs
# chmod -R g+s /opt/tomcat/temp
# chmod -R g+s /opt/tomcat/webapps
# chmod -R g+s /opt/tomcat/work

Finally, we add the users we want to be able to use tomcat to the tomcat group:

# usermod -a -G tomcat MYUSER

The Non-Tomcat settings section of Tomcat's security howto provides useful information on this topic. See here:

  • Tomcat 7: https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
  • Tomcat 8: https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html
  • Tomcat 9: https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html

Tomcat should not be run under the root user. Create a dedicated user for the Tomcat process and provide that user with the minimum necessary permissions for the operating system. For example, it should not be possible to log on remotely using the Tomcat user.

File permissions should also be suitably restricted. Taking the Tomcat instances at the ASF as an example (where auto-deployment is disabled and web applications are deployed as exploded directories), the standard configuration is to have all Tomcat files owned by root with group Tomcat and whilst owner has read/write privileges, group only has read and world has no permissions. The exceptions are the logs, temp and work directory that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they can't change the Tomcat configuration, deploy new web applications or modify existing web applications. The Tomcat process runs with a umask of 007 to maintain these permissions.
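The layout the howto describes, written out as a script (an added example, not code from either answer or from the Tomcat project): it applies root:tomcat ownership with the logs, temp and work exceptions, sets owner rw / group r / world none, and audits the tree for anything the Tomcat group could write or other users could reach. The user and group names and the constructed sample tree are assumptions.

```shell
#!/bin/sh
# Added example: apply and audit the ASF-style layout quoted from the
# security howto. TOMCAT_USER/TOMCAT_GROUP defaults are assumptions.
set -eu

TOMCAT_USER="${TOMCAT_USER:-tomcat}"
TOMCAT_GROUP="${TOMCAT_GROUP:-tomcat}"

# Ownership step (needs root): everything root:tomcat except the three
# directories the Tomcat process must be able to write to.
set_tomcat_owners() {
    chown -R "root:$TOMCAT_GROUP" "$1"
    for d in logs temp work; do
        chown -R "$TOMCAT_USER:$TOMCAT_GROUP" "$1/$d"
    done
}

# Mode step: owner rw, group r, world nothing. Capital X sets execute on
# directories only, so files are not made executable; the bin scripts are
# the exception so the Tomcat user can still start the server.
set_tomcat_modes() {
    chmod -R u=rwX,g=rX,o= "$1"
    for f in "$1"/bin/*.sh; do
        if [ -f "$f" ]; then chmod g+x "$f"; fi
    done
}

# Audit: count paths outside logs/temp/work that the Tomcat group could
# write to, or that any other user could reach at all. A hardened tree
# yields 0; a tree left group-writable as in the first answer does not.
audit_tomcat_tree() {
    find "$1" \( -path "$1/logs" -o -path "$1/temp" -o -path "$1/work" \) -prune \
        -o \( -perm -g=w -o -perm -o=r -o -perm -o=w -o -perm -o=x \) -print \
        | wc -l | tr -d ' '
}

# Constructed sample tree carrying the loose group-writable modes that the
# chmod -R g+w commands from the first answer leave behind.
make_sample_tree() {
    for d in bin conf logs temp webapps/ROOT work; do mkdir -p "$1/$d"; done
    echo '<Server/>' > "$1/conf/server.xml"
    echo 'start' > "$1/bin/startup.sh"
    echo 'hello' > "$1/webapps/ROOT/index.jsp"
    chmod -R u=rwX,g=rwX,o=rX "$1"
}
```

To try it without root, run make_sample_tree on a `mktemp -d` directory and compare audit_tomcat_tree before and after set_tomcat_modes; set_tomcat_owners is the only step that needs root. Files the process later creates in logs, temp and work with the howto's umask of 007 come out owner/group rw and world none, so they pass the same audit.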

Tags:

Linux

Tomcat