From the Tomcat tar archive I get:

ls -l apache-tomcat-6.0.18/conf/tomcat-users.xml
-rw------- 1 tomcat staff 1107 Jul 21 2008 apache-tomcat-6.0.18/conf/tomcat-users.xml

But Tomcat itself changes this during its first run:

ls -l apache-tomcat-6.0.18/conf/tomcat-users.xml
-rw-r--r- 1 tomcat staff 70 Feb 12 08:31 apache-tomcat-6.0.18/conf/tomcat-users.xml

This is bad from a security perspective.

See also: http://www.nabble.com/tomcat-users.xml-Unix-file-permissions-and-security-(possible-patch)-td21980349.html#a21980349
This is configurable and has been discussed several times on the users list. There are several ways of searching the archives. I recommend http://tomcat.markmail.org/
If you mean the possibility of a read-only database, then I ask why it's not in the default configuration? To me it's insecure by default and it's wrong. So, I'm opening it again (last time, I promise ;-)
I suspect that it is read-write by default as a legacy of the 5.5.x admin app, which could add and remove users (you can still do this in 6.0.x using JMX). I assume you are aware that this realm isn't intended for production use (although lots of people do...). I have changed it to read-only by default in trunk and proposed the change for 6.0.x. It may not get back-ported for fear of breaking existing installations.
The patch has been applied to 6.0.x and will be included in 6.0.20 onwards.
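The two conditions discussed in this thread, the mode of tomcat-users.xml and whether the UserDatabase resource is read-only, can be audited with a short script. This is an added example, not part of the original report or of Tomcat's code; the function names and the sample files are constructed for illustration, and `readonly` is the attribute of the `MemoryUserDatabaseFactory` resource in server.xml.

```shell
#!/bin/sh
# Added example, not Tomcat project code. Assumes the standard layout:
# <conf dir>/tomcat-users.xml and <conf dir>/server.xml.

# Group/other permission characters (e.g. "r--r--") from the `ls -l` mode string.
group_other_bits() {
    ls -ld -- "$1" | cut -c5-10
}

# 0: owner-only access; 1: group or others have access; 2: file missing.
check_users_file_mode() {
    [ -f "$1" ] || return 2
    [ "$(group_other_bits "$1")" = "------" ]
}

# 0: the MemoryUserDatabaseFactory resource sets readonly="true";
# 1: it does not, so Tomcat may rewrite the users file; 2: file missing.
# Limitation: plain text match, so a commented-out <Resource> also matches.
userdb_is_readonly() {
    [ -f "$1" ] || return 2
    tr '\n' ' ' < "$1" |
        grep -o '<Resource[^>]*MemoryUserDatabaseFactory[^>]*>' |
        grep -q 'readonly="true"'
}

# Report both findings for a conf directory; returns the number of findings.
audit_conf_dir() {
    findings=0
    if ! check_users_file_mode "$1/tomcat-users.xml"; then
        echo "FINDING: $1/tomcat-users.xml missing or accessible to group/others"
        findings=$((findings + 1))
    fi
    if ! userdb_is_readonly "$1/server.xml"; then
        echo "FINDING: UserDatabase in $1/server.xml is not readonly=\"true\""
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample reproducing the reported state: a world-readable users
# file and a UserDatabase resource without readonly="true".
demo_dir=$(mktemp -d)
printf '<tomcat-users/>\n' > "$demo_dir/tomcat-users.xml"
chmod 644 "$demo_dir/tomcat-users.xml"
printf '<Resource name="UserDatabase"\n factory="org.apache.catalina.users.MemoryUserDatabaseFactory"\n pathname="conf/tomcat-users.xml" />\n' > "$demo_dir/server.xml"
audit_conf_dir "$demo_dir" || echo "findings: $?"
rm -rf "$demo_dir"
```

To audit a real installation, call `audit_conf_dir "$CATALINA_BASE/conf"`; a finding on the file mode is corrected with `chmod 600` on tomcat-users.xml once the resource is read-only.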