4.7 Restrict access to Tomcat web application directory

Information

The Tomcat $CATALINA_HOME/webapps directory contains web applications that are deployed through Tomcat. It is recommended that the ownership of this directory be tomcat_admin:tomcat. It is also recommended that the permissions on $CATALINA_HOME/webapps prevent read, write, and execute for the world (o-rwx) and prevent write access to the group (g-w).

Solution

Perform the following to restrict access to Tomcat webapps directory:
1. Set the ownership of the $CATALINA_HOME/webapps to tomcat_admin:tomcat.
2. Remove read, write, and execute permissions for the world.
# chown tomcat_admin:tomcat $CATALINA_HOME/webapps
# chmod g-w,o-rwx $CATALINA_HOME/webapps

See Also

https://workbench.cisecurity.org/files/266

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: Unix

Control ID: 22f0311c25d8392a848555bac4c75afd7acf684096e5b7e1b8cd59bf5be1ff47