I'm not sure it's a good change. When I worked on tomcat6 packaging, I changed the permissions used in tomcat5.5 on purpose.

/etc/tomcat6:
This was set to root:root 644, with two exceptions:
- tomcat-users.xml that needs to be read by tomcat and hidden to users, so it is root:tomcat6 640
- Catalina directory that should allow autodeploy of new contexts by tomcat, so it is root:tomcat6 775

The idea behind this was to specifically *exclude* the tomcat6 user from messing with key configuration files like server.xml or tomcat-users.xml, and it is a security measure against any traversal by the tomcat6 user.

Your argument is that "you need to be root to configure Tomcat". Well, this mimics what is done for every other daemon out there: allow root to configure it, and do not allow the user the daemon is run under to modify its own configuration. See /etc/apache2 for an example of this.

/var/lib/tomcat6/webapps:
This was set to 775 root:tomcat6 so that tomcat can autodeploy applications. Additionally, members of the tomcat6 group are also allowed to deploy applications.

Changing that to tomcat6:adm just transfers that capability from the "tomcat6" group to the "adm" group. Looks like we lose some granularity, and I fail to see why adding users to the tomcat6 group "does not look like a good idea". But I can live with that :)

-- 
Thierry Carrez
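
The layout described in the message above can be checked mechanically. The following is an added example, not part of the original message or of the tomcat6 packaging: it flags any entry under /etc/tomcat6 that the daemon account could modify outside the Catalina directory, and any tomcat-users.xml accessible to other users. The listing format (GNU `find -printf`), the finding labels and the sample data are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original message). Audits a listing of
# /etc/tomcat6 given as "MODE OWNER GROUP PATH" lines, e.g. from GNU find:
#   find /etc/tomcat6 -printf '%m %u %g %p\n'

DAEMON=tomcat6   # user and group the daemon runs as, per the message

# Reads the listing on stdin, prints one finding per line, returns 1 if any.
# The finding labels are made up for this example.
audit_tomcat_conf() {
    rc=0
    while read -r mode owner group path; do
        m=$((0$mode))            # leading 0: parse the mode as octal
        writable=no
        # Can the daemon write this entry as owner, group member or "other"?
        [ "$owner" = "$DAEMON" ] && [ $((m & 0200)) -ne 0 ] && writable=yes
        [ "$group" = "$DAEMON" ] && [ $((m & 0020)) -ne 0 ] && writable=yes
        [ $((m & 0002)) -ne 0 ] && writable=yes
        case "$path" in
            */Catalina|*/Catalina/*) ;;   # autodeploy area: write is intended
            *) if [ "$writable" = yes ]; then
                   echo "WRITABLE_BY_DAEMON $path"; rc=1
               fi ;;
        esac
        case "$path" in
            */tomcat-users.xml)           # credentials: no access for "other"
                if [ $((m & 0007)) -ne 0 ]; then
                    echo "READABLE_BY_OTHERS $path"; rc=1
                fi ;;
        esac
    done
    return "$rc"
}

# Constructed sample: the first three lines follow the layout in the message,
# the last two are deviations the audit should flag.
sample_listing() {
cat <<'EOF'
644 root root /etc/tomcat6/server.xml
640 root tomcat6 /etc/tomcat6/tomcat-users.xml
775 root tomcat6 /etc/tomcat6/Catalina
664 tomcat6 adm /etc/tomcat6/web.xml
644 root root /etc/tomcat6/backup/tomcat-users.xml
EOF
}

sample_listing | audit_tomcat_conf || true
```

On a real system the listing would come from the `find` command shown in the header comment, run as root so that every entry is visible.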

