The following is an extract from the Apache Tomcat 8 (8.5.37) Security Considerations:
https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html
File permissions should also be suitably restricted. In the .tar.gz distribution, files and directories are not world readable and the group does not have write access.
On Unix like operating systems, Tomcat runs with a default umask of 0027 to maintain these permissions for files created while Tomcat is running (e.g. log files, expanded WARs, etc.).
In $DLC\servers\pasoe\bin\catalina.sh:
# UMASK (Optional) Override Tomcat's default UMASK of 0027
To override the default umask for Tomcat log files, either:
- Create a file in CATALINA_HOME\bin (the bin folder of the PASOE instance) named <anything_here>_setenv.sh (on UNIX/Linux) and add:
export UMASK=0022
With this mask, default directory permissions are 775 (rwxr-xr-x) and default file permissions are 664 (rw-r--r--).
We automatically look for and execute any file that follows the <anything_here>_setenv.sh naming convention, and these custom files will not be touched by Service Packs or Hotfixes.
or
- Before running tcman.sh, run:
export UMASK=0022
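To check what either setting produces before applying it to a PASOE instance, the following added example (not part of the original article or of Tomcat or PASOE; the helper names and file names are assumptions) creates a directory and a file under a given umask and reports their symbolic modes. It shows that 0022, unlike the default 0027, leaves newly created files readable by every local user.

```shell
#!/bin/sh
# Added example. modes_under_umask and world_readable are hypothetical helper
# names; the directory and file names are constructed stand-ins for an
# expanded WAR and a log file.

# Print "<dir mode> <file mode>" for objects created under umask $1.
modes_under_umask() {
    work=$(mktemp -d) || return 1
    (
        # Subshell, so the umask change does not leak into the caller.
        umask "$1"
        mkdir "$work/expanded-war"    # mkdir requests 0777 before masking
        : > "$work/catalina.out"      # file creation requests 0666
    )
    dir_mode=$(ls -ld "$work/expanded-war" | cut -c1-10)
    file_mode=$(ls -ld "$work/catalina.out" | cut -c1-10)
    rm -rf "$work"
    echo "$dir_mode $file_mode"
}

# Succeed when the "other" read bit (8th character of the mode string) is set.
world_readable() {
    [ "$(printf '%s' "$1" | cut -c8)" = "r" ]
}

for mask in 0027 0022; do
    modes=$(modes_under_umask "$mask")
    file_mode=${modes#* }
    if world_readable "$file_mode"; then
        note="new files readable by all local users"
    else
        note="new files not readable by other users"
    fi
    echo "umask $mask -> $modes ($note)"
done
```

After restarting the instance with the override in place, running `ls -l` on a freshly created log file should show the same file mode as the 0022 line printed here.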