tomcat-users.xml contains authentication information for Tomcat applications. It is recommended that access to this file properly protect from unauthorized changes. Rationale: Restricting access to this file will prevent local users from maliciously or inadvertently altering Tomcat's security policy.
Solution
Perform the following to restrict access to tomcat-users.xml: Set the ownership of the $CATALINA_HOME/conf/tomcat-users.xml to tomcat_admin:tomcat. # chown tomcat_admin:tomcat $CATALINA_HOME/conf/tomcat-users.xml Set the permissions of the $CATALINA_HOME/conf/tomcat-users.xml to 600 # chmod 600 $CATALINA_HOME/conf/tomcat-users.xml Default Value: The default permissions of the top-level directories are 600.