4.2 Restrict access to $CATALINA_BASE

Information

$CATALINA_BASE is the environment variable that specifies the base directory from which most relative paths are resolved. $CATALINA_BASE is usually used when there are multiple instances of Tomcat running. It is important to limit access to this in order to protect the Tomcat-related binaries and libraries from unauthorized modification. It is recommended that the ownership of $CATALINA_BASE be tomcat_admin:tomcat. It is also recommended that the permission on $CATALINA_BASE deny read, write, and execute for the world (o-rwx) and prevent write deny to the group (g-w).

Rationale:

The security of processes and data which traverse or depend on Tomcat may become compromised if the $CATALINA_BASE is not secured.

Solution

Perform the following to establish the recommended state:

Set the ownership of the $CATALINA_BASE to tomcat_admin:tomcat.

# chown tomcat_admin.tomcat $CATALINA_BASE

Remove write permissions for the group and read, write, and execute permissions for the world

# chmod g-w,o-rwx $CATALINA_BASE

See Also

https://workbench.cisecurity.org/files/2506