The ASF tomcat team has changed the default UMASK to 0027 to tighten up files permissions for additional security in Tomcat 8.5.0. Tomcat 7 and 8 did not have a umask set in the catalina.sh file. It used the OS user's umask settings.
The changelog here lists the following:
Tighten up the default file permissions for the .tar.gz distribution so no files or directories are world readable by default. Configure Tomcat to run with a default umask of 0027 which may be overridden by setting UMASK in setenv.sh. (markt)
In “catalina.sh” file , the following sets the umask to 0027 -
# Set UMASK unless it has been overridden if [ -z "$UMASK" ]; then UMASK="0027" fi umask $UMASK
Here are some relevant details around file permissions:
- umask is a command that determines the settings of a mask that controls how file permissions are set for newly created files. More info on umask can be read here.
- When the umask is set to 0027, the file permissions will be set to 640. This is preferred for security reasons because this will restrict others not to read/write/execute that file/folder.
- When the umask is set to 0022, the file permissions will be set to 644 and for folders, it will be 755.
- We don't recommend using “root” user to start tcServer. That is unnecessary and can be a security issue.
- If you face permissions issue after upgrading to tcServer 3.2.0 (when using tc Runtime 8.5.x) or higher, you may override the UMASK in setenv.sh. Please be aware of the security implications if you were to change the umask.