On 27/07/2016 at 13:21, Markus Koschany wrote:
> So the question is
>
> does Tomcat 7/8 need write access to the conf directory at runtime and
> if yes why?

Yes it does: Tomcat extracts the META-INF/context.xml files from the .war archives into $CATALINA_BASE/conf/[enginename]/[hostname]/ and this happens at runtime.

> I'm not convinced that overriding the permissions for all files
> under /etc/tomcat{7,8} is something that can't be avoided and can only
> be fixed in Tomcat 9.

I think we should set the permissions for the known tomcat files only and avoid touching the other ones. That is:

Catalina
catalina.properties
context.xml
logging.properties
policy.d
server.xml
tomcat-users.xml
web.xml

I'd keep root:tomcat with 644 or 640 for the permissions. 640 would make sense since server.xml could contain datasource declarations with database credentials.
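The approach proposed above (tighten only the known Tomcat configuration files, leave everything else in the conf directory alone) as an added example, not code from the message or from the Debian tomcat packaging. The function names `harden_tomcat_conf`, `mode_of` and `world_readable` are hypothetical; it assumes a POSIX shell with `stat`, `find`, `chmod` and `chown`, and that the caller supplies the owner:group (e.g. `root:tomcat`) and the conf directory (`$CATALINA_BASE/conf`, typically /etc/tomcat7 or /etc/tomcat8 on Debian). Only the regular files from the list are touched; the Catalina and policy.d directories are left as they are, since Tomcat must keep write access under conf/Catalina/ to extract context.xml files at runtime.

```shell
#!/bin/sh
# Constructed example: restrict permissions on the known Tomcat conf files only.
# Files named in the message; Catalina and policy.d are directories and are not
# chmod'ed here because Tomcat writes extracted context.xml files below Catalina/.
TOMCAT_CONF_FILES="catalina.properties context.xml logging.properties server.xml tomcat-users.xml web.xml"

# mode_of <path>: print the octal permission bits (GNU stat first, BSD stat as fallback)
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# harden_tomcat_conf <conf_dir> <owner:group>
# Sets mode 640 on each known file that exists and chowns it to <owner:group>.
# An empty <owner:group> skips the chown (useful when not running as root).
# Unknown files in <conf_dir> are deliberately left untouched.
harden_tomcat_conf() {
  conf_dir=$1
  owner_group=$2
  for f in $TOMCAT_CONF_FILES; do
    [ -f "$conf_dir/$f" ] || continue
    if [ -n "$owner_group" ]; then
      chown "$owner_group" "$conf_dir/$f"
    fi
    # 640: root may edit, the tomcat group may read, nobody else sees
    # datasource credentials that server.xml may carry.
    chmod 640 "$conf_dir/$f"
  done
}

# world_readable <conf_dir>: list regular files directly in <conf_dir> that are
# readable by "other" (useful as an audit after the change, or in a check script).
world_readable() {
  find "$1" -maxdepth 1 -type f -perm -004
}

# Stand-alone use: harden.sh /etc/tomcat8 root:tomcat ; then audit the result.
if [ $# -gt 0 ]; then
  harden_tomcat_conf "$1" "${2:-root:tomcat}"
  echo "Still world-readable in $1:"
  world_readable "$1"
fi
```

Run it as root with the conf directory and `root:tomcat` as arguments; the audit output afterwards should list only files the packaging does not own, which is exactly the set this approach leaves alone.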