Bug 640837 - tomcat user requires login shell
Summary: tomcat user requires login shell
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: tomcat6
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: urgent
Target Milestone: ---
Assignee: David Knox
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 641101 641102 678671
 
Reported: 2010-10-06 21:19 UTC by John Dennis
Modified: 2015-11-02 00:15 UTC (History)

Fixed In Version: tomcat6-6.0.26-11.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 641101
Environment:
Last Closed: 2010-11-01 20:54:55 UTC
Type: ---
Embargoed:



Description John Dennis 2010-10-06 21:19:58 UTC
There are two related issues. Issue 1 is critical to get fixed and deployed because it's gating deployment of a new project/product (which happens to be a security product so it's critical the user account be locked down properly). Issue 2 is trivial to fix and should be done at the same time. Issue 2 is probably why the problem described in Issue 1 was not discovered.

Issue 1) The tomcat initscript cannot start tomcat if the TOMCAT_USER environment variable is set to a user daemon without a login shell (as should be the case for security).

The problem is located in the initscript (/etc/rc.d/init.d/tomcat6) with the invocation of the $SU command, which is either /sbin/runuser or /bin/su. Please note there are multiple places in the initscript where $SU is invoked, here is one typical example.

$SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start" >> $TOMCAT_LOG 2>&1

The key element here to notice is that a command line is being passed via the -c argument, this requires the user ($TOMCAT_USER) to have a shell in which to execute the -c command. But system daemons shouldn't have login shells for security reasons. If $TOMCAT_USER doesn't have a login shell then $SU aborts with the message:

"This account is currently not available."

The solution is to provide a temporary shell to $SU for the purpose of executing the -c command. This can be done with the -s arg to $SU. One possible solution would be to modify the definition of $SU in the script, thus:

# For SELinux we need to use 'runuser' not 'su'
if [ -x "/sbin/runuser" ]; then
    SU="/sbin/runuser"
else
    SU="/bin/su"
fi


would become:

if [ -x "/sbin/runuser" ]; then
    SU="/sbin/runuser -s /bin/sh"
else
    SU="/bin/su -s /bin/sh"
fi

Or you could add the -s arg each place $SU is invoked.

Issue 2) The tomcat6 rpm creates the tomcat system user with a valid login shell account (/bin/sh), but system daemons should never permit shell access, they should have their shell set to /sbin/nologin.

The following lines in the spec file should be changed from:

%{_sbindir}/useradd -c "Apache Tomcat" -u %{tcuid} -g tomcat \
    -s /bin/sh -r -d %{homedir} tomcat 2>/dev/null || :

to:

%{_sbindir}/useradd -c "Apache Tomcat" -u %{tcuid} -g tomcat \
    -s /sbin/nologin -r -d %{homedir} tomcat 2>/dev/null || :
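
The script below is an added example, not code from the bug report or the tomcat6 package. It demonstrates both points of the report: pick_su builds the switch-user command the way the proposed initscript fix does (runuser preferred, always with -s /bin/sh so a -c command runs even when the target account's shell is /sbin/nologin), and find_shell_daemons audits passwd-format input for system accounts that still carry an interactive shell, which is how Issue 2 would have been caught. The function names, the run_as_daemon wrapper, the sample passwd lines and the UID threshold of 500 (Fedora's UID_MIN at the time) are assumptions made for the example.

```shell
#!/bin/sh
# Added example; helper names and sample data are constructed, not from tomcat6.

# Build the $SU command as the proposed fix does. The -s /bin/sh option gives
# runuser/su a shell for the -c command, so the daemon account itself can keep
# /sbin/nologin. Argument 1 (optional) overrides the runuser path so the
# selection logic can be exercised on a machine without /sbin/runuser.
pick_su() {
    runuser_path="${1:-/sbin/runuser}"
    if [ -x "$runuser_path" ]; then
        # runuser is preferred under SELinux, as the original script notes
        echo "$runuser_path -s /bin/sh"
    else
        echo "/bin/su -s /bin/sh"
    fi
}

# Hypothetical wrapper: run a command as a service account using the fixed
# $SU definition (requires root when actually invoked).
run_as_daemon() {
    user="$1"; shift
    SU=$(pick_su)
    # $SU intentionally word-splits into the command plus its -s argument
    $SU - "$user" -c "$*"
}

# Audit passwd-format lines on stdin: print "name:shell" for every system
# account (uid below the threshold, root excluded) whose shell is not
# /sbin/nologin or /bin/false. An empty result means the policy holds.
find_shell_daemons() {
    min_uid="${1:-500}"   # assumed Fedora UID_MIN of the era
    awk -F: -v min="$min_uid" '
        $3 < min && $1 != "root" && $7 !~ /\/(nologin|false)$/ { print $1 ":" $7 }
    '
}

# Constructed sample of /etc/passwd, including a tomcat account created with
# the pre-fix spec file (login shell /bin/sh).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/bin/sh
jdoe:x:500:500:John Doe:/home/jdoe:/bin/bash'

# Convenience entry point: audit the constructed sample (use
# "find_shell_daemons < /etc/passwd" for a real host).
audit_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | find_shell_daemons
}

if [ "${1:-}" = "--run" ]; then
    echo "Selected SU command: $(pick_su)"
    echo "System accounts with an interactive shell:"
    audit_sample
fi
```

Running the script with --run prints the selected SU command and lists only the tomcat account, because it is the one system account in the sample whose shell is neither /sbin/nologin nor /bin/false; after the spec-file change in Issue 2 it would no longer appear.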

Comment 1 David Knox 2010-10-07 16:03:35 UTC
As the init scripts for both fedora and rhel are the same in this respect, this fix will propagate to all fedora builds.

Comment 2 Fedora Update System 2010-10-12 18:02:56 UTC
tomcat6-6.0.26-3.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/tomcat6-6.0.26-3.fc12

Comment 3 Fedora Update System 2010-10-12 20:59:09 UTC
tomcat6-6.0.26-11.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/tomcat6-6.0.26-11.fc13

Comment 4 Fedora Update System 2010-10-14 06:26:23 UTC
tomcat6-6.0.26-3.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update tomcat6'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/tomcat6-6.0.26-3.fc12

Comment 5 Fedora Update System 2010-11-01 20:54:27 UTC
tomcat6-6.0.26-3.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2010-11-01 20:56:54 UTC
tomcat6-6.0.26-11.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

