4.10 Restrict access to Tomcat context.xml

Information

The context.xml file is loaded by all web applications and sets certain configuration options. It is recommended that access to this file properly protect from unauthorized changes.

Rationale:

Restricting access to this file will prevent local users from maliciously or inadvertently altering Tomcat's security policy.

Solution

Perform the following to restrict access to context.xml:

Set the ownership of the $CATALINA_HOME/conf/context.xml to tomcat_admin:tomcat.

# chown tomcat_admin:tomcat $CATALINA_HOME/conf/context.xml

Set the permissions for the $CATALINA_HOME/conf/context.xml to 600.

# chmod 600 $CATALINA_HOME/conf/context.xml

Default Value:

The default permissions of context.xml are 600.

See Also

https://workbench.cisecurity.org/files/2506