Apache Tomcat 7 includes several security updates that further harden the application server that came directly from the Bugzilla queue. One new feature, the Security Lifecycle Listener, helps ensure that Tomcat is started in a reasonably secure way.
One user cited that while all administrators worth their salt should know that it is irresponsible and incredibly insecure to run Tomcat as the root user to the system, Tomcat still allows the server to start under root. Although this problem is largely contained to Linux systems, the fix had to be applicable to all operating systems. Therefore, the fix that was implemented was to create a list of users that are not allowed to start Tomcat. Tomcat checks to see if it is running as one of those users, and if it is, it shuts itself down.
A secondary check after the user is validated as a secure user, is to check that any files written by Tomcat (such the contents of an expanded WAR) are created securely. As a minimum, these files must not be world writeable. In some environments it may be desirable to restrict this even further such as read/write for owner, no access for anyone else. The permissions for created files are controlled by the current user's umask. If the umask is not restrictive enough on the running user, this too will prevent Tomcat from starting.
The Security Lifecycle Listener is not enabled by default. To enable it, you must uncomment the listener in $CATALINA_BASE/conf/server.xml. To secure the files as well, Tomcat needs access to the umask. To do this, you'll need to uncomment the line for umask in $CATALINA_HOME/bin/catalina.sh.For more information on the Security Lifecycle Listener Component see the official documentation at http://tomcat.apache.org/tomcat-7.0-doc/config/listeners.html.