+++ This bug was initially created as a clone of Bug #640837 +++

There are two related issues. Issue 1 is critical to get fixed and deployed because it's gating deployment of a new project/product (which happens to be a security product so it's critical the user account be locked down properly). Issue 2 is trivial to fix and should be done at the same time. Issue 2 is probably why the problem described in Issue 1 was not discovered.

Issue 1)

The tomcat initscript cannot start tomcat if the TOMCAT_USER environment variable is set to a user daemon without a login shell (as should be the case for security).

The problem is located in the initscript (/etc/rc.d/init.d/tomcat6) with the invocation of the $SU command, which is either /sbin/runuser or /bin/su. Please note there are multiple places in the initscript where $SU is invoked; here is one typical example:

    $SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start" >> $TOMCAT_LOG 2>&1

The key element here to notice is that a command line is being passed via the -c argument; this requires the user ($TOMCAT_USER) to have a shell in which to execute the -c command. But system daemons shouldn't have login shells for security reasons. If $TOMCAT_USER doesn't have a login shell then $SU aborts with the message:

    "This account is currently not available."

The solution is to provide a temporary shell to $SU for the purpose of executing the -c command. This can be done with the -s arg to $SU. One possible solution would be to modify the definition of $SU in the script, thus:

    # For SELinux we need to use 'runuser' not 'su'
    if [ -x "/sbin/runuser" ]; then
        SU="/sbin/runuser"
    else
        SU="/bin/su"
    fi

would become:

    if [ -x "/sbin/runuser" ]; then
        SU="/sbin/runuser -s /bin/sh"
    else
        SU="/bin/su -s /bin/sh"
    fi

Or you could add the -s arg each place $SU is invoked.

Issue 2)

The tomcat6 rpm creates the tomcat system user with a valid login shell account (/bin/sh), but system daemons should never permit shell access; they should have their shell set to /sbin/nologin. The following lines in the spec file should be changed from:

    %{_sbindir}/useradd -c "Apache Tomcat" -u %{tcuid} -g tomcat \
        -s /bin/sh -r -d %{homedir} tomcat 2>/dev/null || :

to:

    %{_sbindir}/useradd -c "Apache Tomcat" -u %{tcuid} -g tomcat \
        -s /sbin/nologin -r -d %{homedir} tomcat 2>/dev/null || :

--- Additional comment from dknox on 2010-10-07 12:03:35 EDT ---

As the init scripts for both fedora and rhel are the same in this respect, this fix will propagate to all fedora builds.
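The two issues above fit together: the initscript must keep working once the daemon account has no login shell, and an audit should catch daemon accounts that still have one. The following shell script is an added example illustrating both points; it is not code from the bug report or from the Fedora tomcat6 package. It builds the $SU invocation with an explicit -s /bin/sh (mirroring the runuser/su choice in the initscript) and checks passwd(5)-format entries for system accounts whose shell is not a nologin shell. The passwd lines, the uid 91 for tomcat and the /usr/sbin/tomcat6 path are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the bug report or the tomcat6 package.

# Pick runuser on SELinux systems and su otherwise, as the initscript does,
# but always force a shell so "-c" works even when the target account's
# shell is /sbin/nologin (which makes plain su/runuser abort).
su_cmd() {
    if [ -x /sbin/runuser ]; then
        echo "/sbin/runuser -s /bin/sh"
    else
        echo "/bin/su -s /bin/sh"
    fi
}

# Print the command line the initscript would run for "$1" (the daemon
# user) and "$2" (the tomcat wrapper script). Prints only; does not run it.
start_cmd() {
    printf '%s - %s -c "%s start"\n' "$(su_cmd)" "$1" "$2"
}

# Read passwd(5)-format lines on stdin and print every system account
# (uid below "$1", default 1000, root excluded) whose shell is not a
# nologin shell. Returns 1 if any such account was found, else 0.
audit_passwd() {
    min_uid="${1:-1000}"
    found=0
    while IFS=: read -r name _pw uid _gid _gecos _home shell; do
        [ -z "$name" ] && continue
        [ "$uid" -eq 0 ] && continue            # root legitimately has a shell
        [ "$uid" -ge "$min_uid" ] && continue   # ordinary user, not a daemon
        case "$shell" in
            /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
            *) echo "$name uid=$uid shell=$shell"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample passwd data: the tomcat entry reproduces the problem
# from Issue 2 (a daemon account created with /bin/sh).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/bin/sh
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Demo when run directly: show the start command and audit the sample.
start_cmd tomcat /usr/sbin/tomcat6
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd 1000 \
    || echo "daemon accounts with a login shell found (see above)"
```

Run the audit against the live system with `audit_passwd 1000 < /etc/passwd`; a non-zero exit status from the function means at least one system account was listed, which is the condition the -s /bin/sh change in the initscript is meant to tolerate rather than the condition it removes.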
tomcat6-6.0.30-6.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/tomcat6-6.0.30-6.fc15
tomcat6-6.0.30-6.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.