View Issue Details

ID: 0005843
Project: CentOS-6
Category: tomcat6
View Status: public
Last Update: 2012-07-16 19:46
Reporter: whannah
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform: x86-64
OS: CentOS
OS Version: 6
Product Version: 6.3
Target Version:
Fixed in Version:
Summary: 0005843: tomcat user requires login shell
Description: The tomcat initscript (/etc/rc.d/init.d/tomcat6) cannot start tomcat if the TOMCAT_USER environment variable is set to a user daemon without a login shell (as should be the case for security).

The problem is located in the initscript (/etc/rc.d/init.d/tomcat6) with the invocation of the $SU command, which is either /sbin/runuser or /bin/su. Please note there are multiple places in the initscript where $SU is invoked; here is one typical example.

$SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start" >> $TOMCAT_LOG 2>&1

The key element here to notice is that a command line is being passed via the -c argument; this requires the user ($TOMCAT_USER) to have a shell in which to execute the -c command. But system daemons shouldn't have login shells for security reasons. If $TOMCAT_USER doesn't have a login shell then $SU aborts with the message:

"This account is currently not available."

The solution is to provide a temporary shell to $SU for the purpose of executing the -c command. This can be done with the -s arg to $SU. One possible solution would be to modify the definition of $SU in the script, thus:

# For SELinux we need to use 'runuser' not 'su'
if [ -x "/sbin/runuser" ]; then
    SU="/sbin/runuser"
else
    SU="/bin/su"
fi
would become:

if [ -x "/sbin/runuser" ]; then
    SU="/sbin/runuser -s /bin/sh"
else
    SU="/bin/su -s /bin/sh"
fi

Additional Information: This bug is identical to Red Hat Bugzilla #678671.

https://bugzilla.redhat.com/show_bug.cgi?id=678671
Tags: No tags attached.
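A pre-flight check for the failure described in this report, added here as an example (it is not code from the CentOS tracker or from the tomcat6 package); the passwd excerpt is constructed and the function names are my own:

```shell
#!/bin/sh
# Added example, not part of the tomcat6 initscript. Checks whether a
# "$SU - $USER -c cmd" invocation can work for a daemon account and shows
# the -s /bin/sh form that does not depend on the account's login shell.

# Constructed /etc/passwd excerpt: tomcat deliberately has no login shell.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/sbin/nologin
deploy:x:1000:1000:Deploy:/home/deploy:/bin/bash'

# Print the login shell recorded for a user (field 7 of the passwd line).
login_shell_of() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# Return 0 when the shell is a "no login" shell; su/runuser exec that shell
# with -c, so the command never runs and the account is reported unavailable.
is_nologin_shell() {
    case "$1" in
        */nologin|*/false|"") return 0 ;;
        *) return 1 ;;
    esac
}

# Build the $SU prefix the way the fixed initscript would: prefer runuser
# (SELinux-aware) when present, and always supply an explicit shell with -s.
build_su_cmd() {
    if [ -x /sbin/runuser ]; then
        printf '%s' "/sbin/runuser -s /bin/sh"
    else
        printf '%s' "/bin/su -s /bin/sh"
    fi
}

# Diagnose a given $SU definition for a user. Returns 0 only when
# "$su_def - $user -c ..." can actually execute the command.
check_start_cmd() {
    user=$1; su_def=$2
    shell=$(login_shell_of "$user")
    if is_nologin_shell "$shell"; then
        case "$su_def" in
            *" -s "*) echo "ok: $user has '$shell' but $su_def supplies a shell"; return 0 ;;
            *) echo "fail: $user has '$shell'; '$su_def -c ...' aborts with 'This account is currently not available.'"; return 1 ;;
        esac
    fi
    echo "ok: $user can run commands via $shell"
}
```

Run `check_start_cmd tomcat /sbin/runuser` to reproduce the diagnosis for the unpatched definition, and `check_start_cmd tomcat "$(build_su_cmd)"` to see the patched one pass.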

Activities

tigalch (manager)
2012-07-16 19:46
Note ~0015473

The upstream errata you mention has been fixed with http://rhn.redhat.com/errata/RHSA-2011-0791.html which was part of 6.1.
If you think the bug is still there (or got reintroduced) please consider opening a new bug at bugzilla.redhat.com.

Issue History

Date Modified Username Field Change
2012-07-16 18:00 whannah New Issue
2012-07-16 19:46 tigalch Note Added: 0015473