best practice for access permission to users for apache tomcat

I have a Linux box being shared by various developers. They want to deploy their war files in apache tomcat which in shared location (/opt/tomcat).

Since they don't have sudo access, I have to change the folder permission for tomcat directory.

directory structure under /opt/tomcat is -








What are the best practices in above situation - Most suitable access permission to user ? For time being, I have changed permission to 777 to webapps and logs.


I do it this way:

We put the tomcat user as the owner of the folder of tomcat:

# chown -R tomcat:tomcat /opt/tomcat

Users can not modify the configuration of tomcat:

# chmod -R g+r /opt/tomcat/conf

Users can modify the other folders:

# chmod -R g+w /opt/tomcat/logs
# chmod -R g+w /opt/tomcat/temp
# chmod -R g+w /opt/tomcat/webapps
# chmod -R g+w /opt/tomcat/work

Activate the sticky-bit for new files keep permissions defined:

# chmod -R g+s /opt/tomcat/conf
# chmod -R g+s /opt/tomcat/logs
# chmod -R g+s /opt/tomcat/temp
# chmod -R g+s /opt/tomcat/webapps
# chmod -R g+s /opt/tomcat/work

Finally, we add the tomcat group we want users who can use the tomcat:

# usermod -a -G tomcat MYUSER

The Non-Tomcat settings section of Tomcat's security howto provides useful information on this topic. See here:

  • Tomcat 7:
  • Tomcat 8:
  • Tomcat 9:

Tomcat should not be run under the root user. Create a dedicated user for the Tomcat process and provide that user with the minimum necessary permissions for the operating system. For example, it should not be possible to log on remotely using the Tomcat user.

File permissions should also be suitably restricted. Taking the Tomcat instances at the ASF as an example (where auto-deployment is disabled and web applications are deployed as exploded directories), the standard configuration is to have all Tomcat files owned by root with group Tomcat and whilst owner has read/write privileges, group only has read and world has no permissions. The exceptions are the logs, temp and work directory that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they can't change the Tomcat configuration, deploy new web applications or modify existing web applications. The Tomcat process runs with a umask of 007 to maintain these permissions.

You need to follow the principle of least privilege. The server (probably www-data, but you'll need to check) needs to be able to read most of the files (let's say all) and write in the logs only. The web developers are allowed to write where they need. Set the sticky bit on the directories so that only the owner of a file can delete it.

In practice you need to create a group (for instance webdev) and add all developers and the server to it (usermod -aG webdev <user> or usermod -A webdev <user> depending on your Linux flavor). chown all the files and directory to the webserver user, chmod all directories to 500 and all files to 400 (except in bin where the executables need to be 500 as well).

Grant write permissions on /opt/tomcat to the group (that would be 570) and set the sticky bit so that they can remove only the files they own (chmod 1570). Grant the server write permission to the logs, and read permissions to the developers (0740 for the folder, 0640 for the files, the sticky bit is probably not necessary, and never grant it to a file, only the folders, as it has a different meaning (execute with the permissions of the owner when the file is executable)).

Then you'll need to grant write permissions (1570) to webdev on some of the directories. You'll need some trial and error here, and it could be application dependent. Those folders must be 1570, while some others can be 0500).

The developers will need to grant read access on their files to the group so the server can read them (that's 640), and also execute on the directories (that's 750).

I think @intropedro's accepted answer is a good one. It's worth pointing out that using a package installer can save a lot of headaches -- at least for Tomcat 7 on Ubuntu apt-get install tomcat7 produces a more "standard" set of installation directories are:

  • /etc/tomcat7 for configuration files,
  • /var/lib/tomcat7 for core libraries, and
  • /usr/share/tomcat7 for shared resources.

All permissions are set up correctly with the principle of least privilege, such that adding users to the group tomcat7 is sufficient to allow deployment. Further, the tomcat server is set up as a service that can be started and stopped as others (e.g. sudo service tomcat start or alternatively /etc/init.d/tomcat start). Tomcat starts on reboot automatically, and there's a "restart" command. I am sure there's an equivalent yum package for RHEL/CentOS users. (And yes, there's a homebrew installer for local OSX installations).

If you're having problems, there's a nice utility in /usr/share/bin called that reports if there are permissions or other errors. Note, there's an open bug that suggests adding some symbolic links.

We're still running Ubuntu trusty (14.04); for those running more recent versions I believe there's a Tomcat 8 apt-get repo.