--- a/files/tomcat.conf
+++ a/files/tomcat.conf
@@ -47,3 +47,9 @@ CATALINA_GROUP=@INSTANCE_GROUP@
 # Additional options to pass to catalina
 #
 #CATALINA_OPTS=""
+
+# umask to pass to start-stop-deamon
+# Note: It is generally not advised to change the default umask as it
+# opens the permissions on all files create by tomcat and may lead to
+# security vulnerabilities.
+#TOMCAT_UMASK=0027
--- a/files/tomcat.init
+++ a/files/tomcat.init
@@ -23,6 +23,8 @@ export JAVA_HOME=`java-config ${TOMCAT_JVM:+--select-vm ${TOMCAT_JVM}} --jre-hom
 CLASSPATH=`java-config --classpath tomcat-@SLOT@${TOMCAT_EXTRA_JARS:+,${TOMCAT_EXTRA_JARS}}`
 export CLASSPATH="${CLASSPATH}${TOMCAT_EXTRA_CLASSPATH:+:${TOMCAT_EXTRA_CLASSPATH}}"
+UMASK="${TOMCAT_UMASK:=0027}"
+
 depend() {
 use dns logger net
 }
@@ -56,6 +58,7 @@ start() {
 start-stop-daemon --start \
 --quiet --background \
 --chdir "${CATALINA_TMPDIR}" \
+ --umask ${UMASK} \
 --user ${CATALINA_USER}:${CATALINA_GROUP} \
 --make-pidfile --pidfile ${PIDFILE} \
 --exec ${JAVA_HOME}/bin/${cmd} \
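Review bot: The comment added above `#TOMCAT_UMASK=0027` in tomcat.conf warns against changing the umask without saying which direction is risky, and it has two typos (`start-stop-deamon`, `create by`). Only a mask looser than the default 0027 (0022, for example, leaves new files world-readable) widens access to what Tomcat creates; a stricter mask does not. I would write the first line as `# umask to pass to start-stop-daemon` and reword the note to say that loosening the default may expose files created by Tomcat to other local accounts.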
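Review bot: `UMASK="${TOMCAT_UMASK:=0027}"` at the top level of tomcat.init introduces a second, generically named global, although `:=` already stores the default in TOMCAT_UMASK itself. Keeping a single name avoids a clash with any UMASK already present in the service environment: `: "${TOMCAT_UMASK:=0027}"` here and `--umask "${TOMCAT_UMASK}"` in start(). The default presumably also changes behaviour for existing installs that relied on the inherited umask, so logs or deployed files read by other accounts may stop being readable after an upgrade. A sentence about that in the commit message or the conf comment would help operators.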
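Review bot: `--umask ${UMASK}` in start() is unquoted, so a value containing whitespace in tomcat.conf would be split into extra start-stop-daemon arguments; `--umask "${UMASK}"` matches the quoting already used on the `--chdir` line. The value is also passed on without any check that it is an octal mask. A guard before the call, for instance `case "${UMASK}" in ""|*[!0-7]*) eerror "invalid TOMCAT_UMASK"; return 1;; esac`, would fail early with a clear message instead of leaving the daemon to reject or misread it. start() begins before this hunk and continues past it.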