Bug 678671

Summary: tomcat user requires login shell
Product: Red Hat Enterprise Linux 6
Reporter: John Dennis <jdennis>
Component: tomcat6
Assignee: David Knox <dknox>
Status: CLOSED ERRATA
QA Contact: qe-baseos-daemons
Severity: urgent
Priority: urgent
Version: 6.1
CC: akurtako, ckannan, dknox, dwalluck, jclere, jdennis, shaines, syeghiay
Target Milestone: rc
Target Release: 6.1
Hardware: All
OS: Linux
Fixed In Version: tomcat6-6.0.24-22.el6
Doc Type: Bug Fix
Clone Of: 641102
Last Closed: 2011-05-19 10:58:39 UTC
Bug Depends On: 640837, 641101, 641102

Description John Dennis 2011-02-18 20:32:49 UTC
+++ This bug was initially created as a clone of Bug #641102 +++

+++ This bug was initially created as a clone of Bug #641101 +++

+++ This bug was initially created as a clone of Bug #640837 +++

There are two related issues. Issue 1 is critical to get fixed and deployed because it's gating deployment of a new project/product (which happens to be a security product so it's critical the user account be locked down properly). Issue 2 is trivial to fix and should be done at the same time. Issue 2 is probably why the problem described in Issue 1 was not discovered.

Issue 1) The tomcat initscript cannot start tomcat if the TOMCAT_USER environment variable is set to a user daemon without a login shell (as should be the case for security).

The problem is located in the initscript (/etc/rc.d/init.d/tomcat6) with the invocation of the $SU command, which is either /sbin/runuser or /bin/su. Please note there are multiple places in the initscript where $SU is invoked, here is one typical example.

$SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start" >> $TOMCAT_LOG 2>&1

The key element here to notice is that a command line is being passed via the -c argument; this requires the user ($TOMCAT_USER) to have a shell in which to execute the -c command. But system daemons shouldn't have login shells for security reasons. If $TOMCAT_USER doesn't have a login shell then $SU aborts with the message:

"This account is currently not available."

The solution is to provide a temporary shell to $SU for the purpose of executing the -c command. This can be done with the -s arg to $SU. One possible solution would be to modify the definition of $SU in the script, thus:

# For SELinux we need to use 'runuser' not 'su'
if [ -x "/sbin/runuser" ]; then
    SU="/sbin/runuser"
else
    SU="/bin/su"
fi


would become:

if [ -x "/sbin/runuser" ]; then
    SU="/sbin/runuser -s /bin/sh"
else
    SU="/bin/su -s /bin/sh"
fi

Or you could add the -s arg each place $SU is invoked.

Issue 2) The tomcat6 rpm creates the tomcat system user with a valid login shell account (/bin/sh), but system daemons should never permit shell access, they should have their shell set to /sbin/nologin.

The following lines in the spec file should be changed from:

%{_sbindir}/useradd -c "Apache Tomcat" -u %{tcuid} -g tomcat \
    -s /bin/sh -r -d %{homedir} tomcat 2>/dev/null || :

to:

%{_sbindir}/useradd -c "Apache Tomcat" -u %{tcuid} -g tomcat \
    -s /sbin/nologin -r -d %{homedir} tomcat 2>/dev/null || :

--- Additional comment from dknox on 2010-10-07 12:03:35 EDT ---

As the init scripts for both Fedora and RHEL are the same in this respect, this fix will propagate to all Fedora builds.

--- Additional comment from updates on 2010-10-12 14:02:30 EDT ---

tomcat6-6.0.26-3.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/tomcat6-6.0.26-3.fc12

--- Additional comment from updates on 2010-10-12 16:58:47 EDT ---

tomcat6-6.0.26-11.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/tomcat6-6.0.26-11.fc13

--- Additional comment from updates on 2010-10-13 12:15:17 EDT ---

tomcat6-6.0.26-13.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/tomcat6-6.0.26-13.fc14

--- Additional comment from updates on 2010-10-14 02:26:01 EDT ---

tomcat6-6.0.26-3.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update tomcat6'
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/tomcat6-6.0.26-3.fc12

--- Additional comment from updates on 2010-10-14 17:05:42 EDT ---

tomcat6-6.0.26-14.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/tomcat6-6.0.26-14.fc14

--- Additional comment from updates on 2010-11-01 16:54:03 EDT ---

tomcat6-6.0.26-3.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from updates on 2010-11-01 16:56:32 EDT ---

tomcat6-6.0.26-11.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from updates on 2010-11-14 16:33:26 EST ---

tomcat6-6.0.26-14.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
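Added example, not from the bug report or the tomcat6 package: a shell check an admin or packager can run over /etc/passwd to find system accounts that still carry an interactive login shell, the condition Issue 2 describes for the tomcat user. The passwd entries below are constructed sample data (the tomcat uid and home directory are assumptions), and the uid 500 boundary is the RHEL 6 convention for system accounts.

```shell
#!/bin/sh
# Audit system accounts for interactive login shells (Issue 2 above).
# Functions read passwd-format text on stdin; on a live host run:
#   list_login_shell_daemons < /etc/passwd

# Constructed sample: one daemon (tomcat) wrongly created with /bin/sh,
# the others with /sbin/nologin, plus root and one ordinary user.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/bin/sh
apache:x:48:48:Apache:/var/www:/sbin/nologin
pkiuser:x:17:17:CA System User:/usr/share/pki:/sbin/nologin
jdoe:x:500:500:Jane Doe:/home/jdoe:/bin/bash'

# Print "user:shell" for every account whose uid is below $1 (default 500)
# and whose shell is neither *nologin nor *false. root (uid 0) is skipped
# because it legitimately keeps an interactive shell.
list_login_shell_daemons() {
    max_uid="${1:-500}"
    awk -F: -v max="$max_uid" '
        $3 == 0 { next }
        $3 < max && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }
    '
}

# Return 0 when the named account has a usable login shell, 1 otherwise.
# This is the case in which $SU ... -c "..." fails with
# "This account is currently not available." unless -s /bin/sh is passed.
has_login_shell() {
    awk -F: -v u="$1" '
        $1 == u { found = 1; if ($7 !~ /(nologin|false)$/) ok = 1 }
        END { exit (found && ok) ? 0 : 1 }
    '
}

if [ -z "${SOURCED_FOR_TEST:-}" ]; then
    printf '%s\n' "$SAMPLE_PASSWD" | list_login_shell_daemons
fi
```

With the constructed data the audit prints only tomcat:/bin/sh; after the spec-file change to -s /sbin/nologin the same check prints nothing, so the tomcat user would only start via the initscript's -s override.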

Comment 1 John Dennis 2011-02-18 20:37:08 UTC
Even though comment #1 in the original bug report this was cloned from states the problem also exists in RHEL, somehow this never got cloned into RHEL 6.

The Certificate Server will not start without this fix.

Comment 5 Chandrasekar Kannan 2011-03-07 19:31:07 UTC
providing qa_ack since this is now a required fix for IPA in rhel-6.1

Comment 9 errata-xmlrpc 2011-05-19 10:58:39 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0791.html