Bug 1084426

Summary: $TOMCAT_GROUP doesn't take effect in /etc/sysconfig/tomcat6
Product: Red Hat Enterprise Linux 6 Reporter: Yoshifumi Kinoshita <ykinoshi>
Component: tomcat6 Assignee: Coty Sutherland <csutherl>
Status: CLOSED WONTFIX QA Contact: Bogdan Sikora <bsikora>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.5 CC: fgoldefu, mbabacek, pslavice, wburrows
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-09 15:48:21 UTC Type: Bug
Bug Blocks: 1075802, 1172231, 1275725, 1302761    

Description Yoshifumi Kinoshita 2014-04-04 10:18:27 UTC
Description of problem:

  $TOMCAT_GROUP doesn't take effect in /etc/sysconfig/tomcat6.

Version-Release number of selected component (if applicable):

  tomcat6-6.0.24-62.el6.noarch

How reproducible:

  Always.

Steps to Reproduce:
1. Add the following line to /etc/sysconfig/tomcat6.

  TOMCAT_GROUP="apache"

2. Make the following files and directories writable somehow.
  # cd /usr/share/tomcat6/logs/
  # chmod 777 *
  # cd /usr/share/tomcat6/work/Catalina/localhost/
  # chmod -R 777 host-manager sample

3. Restart tomcat6
  # service tomcat6 restart

4. Check the process's gid.

  # ps -eo pid,egid,fgid,gid,pgid,rgid,sgid,svgid,tpgid


Actual results:

  # ps -eo pid,egid,fgid,gid,pgid,rgid,sgid,svgid,tpgid | grep `pgrep java`
  4947    91    91    91  4921    91    91    91    -1

gid is still tomcat's.


Expected results:

  # ps -eo pid,egid,fgid,gid,pgid,rgid,sgid,svgid,tpgid | grep `pgrep java`
  4947    48    48    48  4921    48    48    48    -1


Additional info:

Comment 5 Coty Sutherland 2015-11-23 21:22:21 UTC
> $TOMCAT_GROUP doesn't take effect in /etc/sysconfig/tomcat6.

That's not totally true :) It _does_ affect ownership of the PID file:

[root@rhel6 ~]# ls -l /var/run/tomcat6.pid 
-rw-r--r--. 1 tomcat apache 5 Nov 23 15:17 /var/run/tomcat6.pid

What it doesn't do is affect the process ownership because we use su to start tomcat:

[ "$RETVAL" -eq "0" ] && $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start" >> ${TOMCAT_LOG} 2>&1 || RETVAL="4"

We could do something like check the user and see if it's the same as the group and if so, use su; otherwise use sg to start with the specified group. I'm just not sure we can do both...

I'm still looking into this one.

Comment 6 Coty Sutherland 2015-11-23 21:25:32 UTC
We might be able to use sudo:

sudo -g $TOMCAT_GROUP -u $TOMCAT_USER -s "${TOMCAT_SCRIPT} start"

but my first pass gives me an error:

Sorry, user root is not allowed to execute '/bin/bash -c /usr/sbin/tomcat6\ start' as tomcat:apache on rhel6.

Comment 7 Coty Sutherland 2015-12-16 19:14:48 UTC
After some more researching me--

runuser is just missing the group (-g) flag.

Comment 10 Coty Sutherland 2016-02-09 15:48:21 UTC
As it turns out, implementing this fix causes a few issues for layered products (specifically Satellite). Given that fact and the fact that there aren't any other requests to have this included, I will be closing the issue.
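
The check from step 4 of the description, scripted as an added example (not part of the bug report or the tomcat6 package): it reads TOMCAT_GROUP from a sysconfig-style file without sourcing it and compares that group's GID with the effective GID on the `Gid:` line of a `/proc/PID/status` file. The function names, the fallback group `tomcat` and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the group configured in a sysconfig file with the
# effective GID of a running process. All sample data below is constructed.

# Print the last value assigned to KEY in FILE (quotes stripped), or DEFAULT.
cfg_value() {
    v=$(sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Print the numeric GID of group NAME from a group(5)-format FILE.
group_gid() {
    awk -F: -v g="$2" '$1 == g { print $3; exit }' "$1"
}

# Print the effective GID from a /proc/PID/status-format FILE.
# The Gid: line lists real, effective, saved and filesystem GIDs.
proc_egid() {
    awk '$1 == "Gid:" { print $3; exit }' "$1"
}

# check_group SYSCONFIG GROUPFILE STATUSFILE
# Returns 0 on match, 1 on mismatch, 2 if the configured group is unknown.
check_group() {
    want=$(cfg_value "$1" TOMCAT_GROUP tomcat)   # fallback "tomcat" is an assumption
    want_gid=$(group_gid "$2" "$want")
    have_gid=$(proc_egid "$3")
    [ -n "$want_gid" ] || { echo "unknown group: $want"; return 2; }
    if [ "$want_gid" = "$have_gid" ]; then
        echo "OK: egid $have_gid matches $want"
    else
        echo "MISMATCH: TOMCAT_GROUP=$want (gid $want_gid) but process egid is $have_gid"
        return 1
    fi
}

# Constructed sample data mirroring the report: tomcat=91, apache=48.
demo() {
    d=$(mktemp -d) || return 2
    printf 'TOMCAT_GROUP="apache"\n' > "$d/sysconfig"
    printf 'tomcat:x:91:\napache:x:48:\n' > "$d/group"
    printf 'Name:\tjava\nGid:\t91\t91\t91\t91\n' > "$d/status"
    check_group "$d/sysconfig" "$d/group" "$d/status"; rc=$?
    rm -rf "$d"
    return $rc
}

demo || true
```

On a live host the same call would be `check_group /etc/sysconfig/tomcat6 /etc/group /proc/<pid>/status`, with `<pid>` standing for the Java process ID.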