4.13 Restrict access to Tomcat tomcat-users.xml

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


tomcat-users.xml contains authentication information for Tomcat applications. It is recommended that access to this file properly protect from unauthorized changes.


Restricting access to this file will prevent local users from maliciously or inadvertently altering Tomcat's security policy.


Perform the following to restrict access to tomcat-users.xml:

Set the ownership of the $CATALINA_HOME/conf/tomcat-users.xml to tomcat_admin:tomcat.

# chown tomcat_admin:tomcat $CATALINA_HOME/conf/tomcat-users.xml

Set the permissions of the $CATALINA_HOME/conf/tomcat-users.xml to 600

# chmod 600 $CATALINA_HOME/conf/tomcat-users.xml

Default Value:

The default permissions of the top-level directories are 600.

See Also