4.2 Restrict access to $CATALINA_BASE


$CATALINA_BASE is the environment variable that specifies the base directory from which most relative paths are resolved. $CATALINA_BASE is usually used when there are multiple instances of Tomcat running. It is important to limit access to this in order to protect the Tomcat-related binaries and libraries from unauthorized modification. It is recommended that the ownership of $CATALINA_BASE be tomcat_admin:tomcat. It is also recommended that the permission on $CATALINA_BASE deny read, write, and execute for the world (o-rwx) and prevent write deny to the group (g-w).


The security of processes and data which traverse or depend on Tomcat may become compromised if the $CATALINA_BASE is not secured.


Perform the following to establish the recommended state:

Set the ownership of the $CATALINA_BASE to tomcat_admin:tomcat.

# chown tomcat_admin.tomcat $CATALINA_BASE

Remove write permissions for the group and read, write, and execute permissions for the world

# chmod g-w,o-rwx $CATALINA_BASE

See Also


Item Details


References: 800-53|AC-3, CSCv6|3.1, CSCv7|14.6

Plugin: Unix

Control ID: d019dc71f4bd2aa8cb4603096438b865455c4d0225879f22ef56f265e67feac5