+++ This bug was initially created as a clone of Bug #641102 +++
+++ This bug was initially created as a clone of Bug #641101 +++
+++ This bug was initially created as a clone of Bug #640837 +++
There are two related issues. Issue 1 is critical to get fixed and deployed because it's gating deployment of a new project/product (which happens to be a security product so it's critical the user account be locked down properly). Issue 2 is trivial to fix and should be done at the same time. Issue 2 is probably why the problem described in Issue 1 was not discovered.
Issue 1) The tomcat initscript cannot start tomcat if the TOMCAT_USER environment variable is set to a user daemon without a login shell (as should be the case for security).
The problem is located in the initscript (/etc/rc.d/init.d/tomcat6) with the invocation of the $SU command, which is either /sbin/runuser or /bin/su. Please note there are multiple places in the initscript where $SU is invoked; here is one typical example.
$SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start" >> $TOMCAT_LOG 2>&1
The key element here to notice is that a command line is being passed via the -c argument; this requires the user ($TOMCAT_USER) to have a shell in which to execute the -c command. But system daemons shouldn't have login shells for security reasons. If $TOMCAT_USER doesn't have a login shell then $SU aborts with the message:
"This account is currently not available."
The solution is to provide a temporary shell to $SU for the purpose of executing the -c command. This can be done with the -s arg to $SU. One possible solution would be to modify the definition of $SU in the script, thus:
# For SELinux we need to use 'runuser' not 'su'
if [ -x "/sbin/runuser" ]; then
    SU="/sbin/runuser"
else
    SU="/bin/su"
fi
would become:
if [ -x "/sbin/runuser" ]; then
    SU="/sbin/runuser -s /bin/sh"
else
    SU="/bin/su -s /bin/sh"
fi
Or you could add the -s arg each place $SU is invoked.
Issue 2) The tomcat6 rpm creates the tomcat system user with a valid login shell account (/bin/sh), but system daemons should never permit shell access, they should have their shell set to /sbin/nologin.
The following lines in the spec file should be changed from:
%{_sbindir}/useradd -c "Apache Tomcat" -u %{tcuid} -g tomcat \
-s /bin/sh -r -d %{homedir} tomcat 2>/dev/null || :
to:
%{_sbindir}/useradd -c "Apache Tomcat" -u %{tcuid} -g tomcat \
-s /sbin/nologin -r -d %{homedir} tomcat 2>/dev/null || :
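The following POSIX shell script is an added example, not code from this bug report or from the tomcat6 package. It shows both halves of the report in runnable form: an audit over passwd-style records that flags system accounts still carrying an interactive shell (Issue 2), and the $SU selection with -s /bin/sh so that the -c command runs even when the account's own shell is /sbin/nologin (Issue 1). The passwd lines are constructed sample data, and the function names audit_system_shells, pick_su and build_start_cmd are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the tomcat6 package). Function and variable
# names are assumptions for this illustration.

# Constructed passwd-style sample data; not taken from any real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/bin/sh
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Issue 2 check: list system accounts (uid below 1000, root excluded) whose
# shell is not one of the usual non-login shells. Each hit is printed as
# "user:shell". Pass the passwd content as the first argument; on a real
# host you would pass "$(cat /etc/passwd)" (or use getent passwd).
audit_system_shells() {
    printf '%s\n' "$1" | awk -F: '
        $3 < 1000 && $3 != 0 &&
        $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" {
            print $1 ":" $7
        }'
}

# Issue 1 fix: choose runuser (needed under SELinux) or su, and always pass
# -s /bin/sh so the -c command gets a shell regardless of the account's
# login shell. This mirrors the $SU definition proposed in the report.
pick_su() {
    if [ -x /sbin/runuser ]; then
        echo "/sbin/runuser -s /bin/sh"
    else
        echo "/bin/su -s /bin/sh"
    fi
}

# Build the start command line the initscript would run for a given user
# and Tomcat wrapper script (the script path is an assumption here).
build_start_cmd() {
    user=$1
    script=$2
    echo "$(pick_su) - $user -c \"$script start\""
}

# Demonstration run over the constructed data.
echo "System accounts with an interactive shell:"
audit_system_shells "$SAMPLE_PASSWD"
echo "Initscript start command:"
build_start_cmd tomcat /usr/sbin/tomcat6
```

Run as-is to see the audit flag the tomcat account from the sample data; the same audit_system_shells function can be fed the real /etc/passwd to confirm that after the spec-file change the tomcat user shows /sbin/nologin and no longer appears in the output.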
--- Additional comment from dknox on 2010-10-07 12:03:35 EDT ---
As the init scripts for both fedora and rhel are the same in this respect, this fix will propagate to all fedora builds.
--- Additional comment from updates on 2010-10-12 14:02:30 EDT ---
tomcat6-6.0.26-3.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/tomcat6-6.0.26-3.fc12
--- Additional comment from updates on 2010-10-12 16:58:47 EDT ---
tomcat6-6.0.26-11.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/tomcat6-6.0.26-11.fc13
--- Additional comment from updates on 2010-10-13 12:15:17 EDT ---
tomcat6-6.0.26-13.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/tomcat6-6.0.26-13.fc14
--- Additional comment from updates on 2010-10-14 02:26:01 EDT ---
tomcat6-6.0.26-3.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update tomcat6'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/tomcat6-6.0.26-3.fc12
--- Additional comment from updates on 2010-10-14 17:05:42 EDT ---
tomcat6-6.0.26-14.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/tomcat6-6.0.26-14.fc14
--- Additional comment from updates on 2010-11-01 16:54:03 EDT ---
tomcat6-6.0.26-3.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
--- Additional comment from updates on 2010-11-01 16:56:32 EDT ---
tomcat6-6.0.26-11.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
--- Additional comment from updates on 2010-11-14 16:33:26 EST ---
tomcat6-6.0.26-14.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
Even though comment #1 in the original bug report this was cloned from states the problem also exists in RHEL, somehow this never got cloned into RHEL 6.
The Certificate Server will not start without this fix.
--- Comment 5 from Chandrasekar Kannan on 2011-03-07 19:31:07 UTC ---
providing qa_ack since this is now a required fix for IPA in rhel-6.1
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2011-0791.html