The Tomcat Security Considerations document makes several recommendations for hardening a Tomcat installation:
-
Tomcat should not be run as the
rootuser; it should be run as a dedicated user (usually namedtomcat) that has minimum operating system permissions. It should not be possible to log in remotely as thetomcatuser. -
All Tomcat files should be owned by user
rootand grouptomcat(thetomcatuser’s default group should be grouptomcat). File/directory permissions should be set to owner read/write, group read only, and world none. The exceptions are thelogs,temp, andworkdirectories, which should be owned by thetomcatuser instead ofroot. -
The default and example web applications included with the Tomcat distribution should be removed if they are not needed.
-
Auto-deployment should be disabled, and web applications should be deployed as exploded directories rather than web application archives (WAR files).
Implementing these recommendations means that, even if an attacker compromises the Tomcat process, he or she cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications.
All of the steps in this section should be performed on the master build server (casdev-master); the results will be copied to the CAS servers (casdev-srv01, casdev-srv02, and casdev-srv03) later.
Create a tomcat user and tomcat group
Run the commands
casdev-master# groupadd -r tomcat
casdev-master# useradd -r -d /opt/tomcat -g tomcat -s /sbin/nologin tomcat
to create a tomcat user and a tomcat group.
Set file ownership and permissions
Run the commands
casdev-master# mkdir -p /opt/tomcat/latest/conf/Catalina/localhost
casdev-master# for dir in . conf webapps
> do
> cd /opt/tomcat/latest/$dir
> chown -R root.tomcat .
> chmod -R u+rwX,g+rX,o= .
> chmod -R g-w .
> done
casdev-master# for dir in logs temp work
> do
> cd /opt/tomcat/latest/$dir
> chown -R tomcat.tomcat .
> chmod -R u+rwX,g+rX,o= .
> chmod -R g-w .
> done
casdev-master#
to set the proper file ownerships and permissions. Note that, as discussed above, some of the directories are owned by root, while others are owned by tomcat.
Remove example webapps
Run the commands
casdev-master# cd /opt/tomcat/latest
casdev-master# rm -rf temp/* work/*
casdev-master# cd webapps
casdev-master# rm -rf docs examples host-manager manager
to remove unneeded example web applications.
ROOT web application from the webapps directory because it can be useful in a development/test environment to quickly determine whether Tomcat is working properly. However, when deploying Tomcat to production servers, the ROOT application should be removed along with the rest of the default web applications.Disable auto-deployment
To disable auto-deployment, edit the file /opt/tomcat/latest/conf/server.xml and locate the Host XML tag (around line 148), which should look something like this:
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
Disable application auto-deployment and unpacking of web application archive files by setting these attributes to false:
<Host name="localhost" appBase="webapps"
unpackWARs="false" autoDeploy="false">