Bob Vickers
When the Tomcat server starts, /etc/init.d/tomcat changes the ownership of all the files in $CATALINA_BASE to be tomcat:tomcat, i.e. the same as the user running the web server. So the web server has write access to its own configuration and to all the pages it serves, which is obviously a potential security hazard. It is also inconvenient, because the local user who owns the pages can no longer change them without asking a superuser.
I don't use the Tomcat rpm, but I have 2 servers with apache as a front-end to Tomcat, so apache is running with wwwrun and tomcat is running with the tomcat user, started with "su - tomcat". The permissions of the tomcat folder are set to tomcat.tomcat before starting; no need for root, as tomcat runs on port 8080.
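Added example, not part of either post above: a shell check for the condition discussed in the thread, listing everything under the conf and webapps directories of $CATALINA_BASE that the Tomcat account is able to modify. The function names and the restriction to those two subdirectories are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: report paths under CATALINA_BASE that the account running
# Tomcat could modify. Function names are hypothetical.

# tomcat_writable BASE SVC_USER SVC_GROUP
#   BASE       the CATALINA_BASE directory
#   SVC_USER   user name or numeric uid Tomcat runs as (e.g. tomcat)
#   SVC_GROUP  group name or numeric gid Tomcat runs as
# Prints each file or directory under BASE/conf and BASE/webapps that is
#   - owned by SVC_USER with the owner write bit set, or
#   - in group SVC_GROUP with the group write bit set, or
#   - world-writable.
# Symlinks are skipped because their own mode bits carry no meaning.
tomcat_writable() {
    base=$1 svc_user=$2 svc_group=$3
    for sub in conf webapps; do
        [ -d "$base/$sub" ] || continue
        find "$base/$sub" ! -type l \( \
            \( -user "$svc_user" -perm -200 \) -o \
            \( -group "$svc_group" -perm -020 \) -o \
            -perm -002 \) -print
    done
}

# tomcat_audit BASE SVC_USER SVC_GROUP
# Returns 0 when the service account cannot modify anything that was
# scanned, 1 otherwise (the offending paths go to stderr).
tomcat_audit() {
    hits=$(tomcat_writable "$1" "$2" "$3")
    if [ -n "$hits" ]; then
        printf 'writable by %s:%s\n%s\n' "$2" "$3" "$hits" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit.sh "$CATALINA_BASE" tomcat tomcat
if [ "$#" -eq 3 ]; then
    tomcat_audit "$@"
fi
```

A tree that has been through a recursive chown to tomcat:tomcat reports every path; one where the configuration and pages belong to a different account and are not group- or world-writable reports nothing.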