I found the chown in the /var/lib/dpkg/info/tomcat7.postinst. Not really
sure if it's in the tomcat7-admin package ....


        # configuration files should not be modifiable by tomcat7 user, as this can be a security issue
        # (an attacker may insert code in a webapp and have access to all tomcat configuration)
        # but those files should be readable by tomcat7, so we set the group to tomcat7
        chown -Rh root:$TOMCAT7_GROUP /etc/tomcat7/*


But this makes the default configuration for jmx user/password access
unusable (put the file in mode 600 for the ... tomcat7 user).

And I don't see where to put those files with logic (if I'm a new admin and
look for tomcat access config files .. I'll look in the tomcat conf folder).
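
The conflict described in this message, as an added example that is not part of the original post or of the tomcat7 package: one function checks whether the service account can modify a configuration file (the concern in the postinst comment), the other whether a file meets the owner-only, mode 600 requirement mentioned for the jmx password file. The function names are hypothetical; GNU coreutils `stat` is assumed, and the service account is assumed to belong only to the group passed in.

```shell
#!/bin/sh
# Added example. Usage: script SERVICE_USER SERVICE_GROUP CONF_DIR

# perm_digits FILE: sets owner, group and the octal permission digits u, g, o.
perm_digits() {
    set -- $(stat -c '%U %G %a' "$1")
    owner=$1; group=$2
    mode=$(printf '%04o' "0$3")        # normalise e.g. 640 -> 0640
    u=${mode#?};  u=${u%??}
    g=${mode#??}; g=${g%?}
    o=${mode#???}
}

# config_writable_by USER GROUP FILE: can the service account modify FILE?
# Unix picks exactly one permission class: owner, else group, else other.
config_writable_by() {
    svc_user=$1; svc_group=$2
    perm_digits "$3"
    if [ "$owner" = "$svc_user" ]; then bits=$u
    elif [ "$group" = "$svc_group" ]; then bits=$g
    else bits=$o
    fi
    if [ $((bits & 2)) -ne 0 ]; then echo writable; else echo read-only; fi
}

# jmx_password_usable USER FILE: is FILE owned by the service account and
# accessible to nobody else (the mode 600 case from the message)?
jmx_password_usable() {
    svc_user=$1
    perm_digits "$2"
    if [ "$owner" != "$svc_user" ]; then echo "unusable: owner is $owner"
    elif [ "$g" != 0 ] || [ "$o" != 0 ]; then echo "unusable: group/other bits set"
    elif [ $((u & 4)) -eq 0 ]; then echo "unusable: owner cannot read"
    else echo ok
    fi
}

# Report both checks for every regular file in CONF_DIR.
if [ "$#" -eq 3 ]; then
    for f in "$3"/*; do
        [ -f "$f" ] || continue
        printf '%s config=%s jmx=%s\n' "$f" \
            "$(config_writable_by "$1" "$2" "$f")" \
            "$(jmx_password_usable "$1" "$f")"
    done
fi
```

A file left as root:tomcat7 by the postinst reports `read-only` for the first check and `unusable: owner is root` for the second, which is the situation the message describes.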
