Bug 678671 - tomcat user requires login shell
Summary: tomcat user requires login shell
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: tomcat6
Version: 6.1
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 6.1
Assignee: David Knox
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On: 640837 641101 641102
Blocks:
Reported: 2011-02-18 20:32 UTC by John Dennis
Modified: 2015-11-02 00:16 UTC (History)

Fixed In Version: tomcat6-6.0.24-22.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 641102
Environment:
Last Closed: 2011-05-19 10:58:39 UTC
Target Upstream Version:


Links
System ID: Red Hat Product Errata RHSA-2011:0791 | Priority: normal | Status: SHIPPED_LIVE | Summary: Moderate: tomcat6 security and bug fix update | Last Updated: 2011-05-19 10:58:07 UTC

Description John Dennis 2011-02-18 20:32:49 UTC
+++ This bug was initially created as a clone of Bug #641102 +++

+++ This bug was initially created as a clone of Bug #641101 +++

+++ This bug was initially created as a clone of Bug #640837 +++

There are two related issues. Issue 1 is critical to get fixed and deployed because it's gating deployment of a new project/product (which happens to be a security product so it's critical the user account be locked down properly). Issue 2 is trivial to fix and should be done at the same time. Issue 2 is probably why the problem described in Issue 1 was not discovered.

Issue 1) The tomcat initscript cannot start tomcat if the TOMCAT_USER environment variable is set to a user daemon without a login shell (as should be the case for security).

The problem is located in the initscript (/etc/rc.d/init.d/tomcat6) with the invocation of the $SU command, which is either /sbin/runuser or /bin/su. Please note there are multiple places in the initscript where $SU is invoked; here is one typical example.

$SU - $TOMCAT_USER -c "${TOMCAT_SCRIPT} start" >> $TOMCAT_LOG 2>&1

The key element here to notice is that a command line is being passed via the -c argument; this requires the user ($TOMCAT_USER) to have a shell in which to execute the -c command. But system daemons shouldn't have login shells for security reasons. If $TOMCAT_USER doesn't have a login shell then $SU aborts with the message:

"This account is currently not available."

The solution is to provide a temporary shell to $SU for the purpose of executing the -c command. This can be done with the -s arg to $SU. One possible solution would be to modify the definition of $SU in the script, thus:

# For SELinux we need to use 'runuser' not 'su'
if [ -x "/sbin/runuser" ]; then
    SU="/sbin/runuser"
else
    SU="/bin/su"
fi


would become:

if [ -x "/sbin/runuser" ]; then
    SU="/sbin/runuser -s /bin/sh"
else
    SU="/bin/su -s /bin/sh"
fi

Or you could add the -s arg each place $SU is invoked.

Issue 2) The tomcat6 rpm creates the tomcat system user with a valid login shell account (/bin/sh), but system daemons should never permit shell access, they should have their shell set to /sbin/nologin.

The following lines in the spec file should be changed from:

%{_sbindir}/useradd -c "Apache Tomcat" -u %{tcuid} -g tomcat \
    -s /bin/sh -r -d %{homedir} tomcat 2>/dev/null || :

to:

%{_sbindir}/useradd -c "Apache Tomcat" -u %{tcuid} -g tomcat \
    -s /sbin/nologin -r -d %{homedir} tomcat 2>/dev/null || :

--- Additional comment from dknox@redhat.com on 2010-10-07 12:03:35 EDT ---

As the init scripts for both fedora and rhel are the same in this respect, this fix will propagate to all fedora builds.

--- Additional comment from updates@fedoraproject.org on 2010-10-12 14:02:30 EDT ---

tomcat6-6.0.26-3.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/tomcat6-6.0.26-3.fc12

--- Additional comment from updates@fedoraproject.org on 2010-10-12 16:58:47 EDT ---

tomcat6-6.0.26-11.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/tomcat6-6.0.26-11.fc13

--- Additional comment from updates@fedoraproject.org on 2010-10-13 12:15:17 EDT ---

tomcat6-6.0.26-13.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/tomcat6-6.0.26-13.fc14

--- Additional comment from updates@fedoraproject.org on 2010-10-14 02:26:01 EDT ---

tomcat6-6.0.26-3.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update tomcat6'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/tomcat6-6.0.26-3.fc12

--- Additional comment from updates@fedoraproject.org on 2010-10-14 17:05:42 EDT ---

tomcat6-6.0.26-14.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/tomcat6-6.0.26-14.fc14

--- Additional comment from updates@fedoraproject.org on 2010-11-01 16:54:03 EDT ---

tomcat6-6.0.26-3.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from updates@fedoraproject.org on 2010-11-01 16:56:32 EDT ---

tomcat6-6.0.26-11.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from updates@fedoraproject.org on 2010-11-14 16:33:26 EST ---

tomcat6-6.0.26-14.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
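
As an added example (not code from the bug report or from the tomcat6 package), the POSIX shell script below covers both issues in the description: it audits a passwd fragment for system accounts that still have an interactive shell (Issue 2), predicts whether the plain "$SU - user -c" form would run into the nologin failure (Issue 1), and builds the "-s /bin/sh" invocation proposed above. The passwd lines are constructed sample data, and the 0 < UID < 500 system-account range (RHEL 6's default) is an assumption.

```shell
#!/bin/sh
# Added example, not from the bug report or the tomcat6 package: audit a
# passwd file for system accounts that still have an interactive shell
# (Issue 2) and build the runuser/su invocation that works even when the
# account's shell is /sbin/nologin (Issue 1). SAMPLE_PASSWD is constructed
# sample data; the 0 < UID < 500 system-account range is RHEL 6's default
# and is an assumption here.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/bin/sh
pkiuser:x:17:17:Certificate System:/usr/share/pki:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# shell_of USER PASSWD_TEXT: print the login-shell field of USER (empty if absent)
shell_of() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# su_needs_shell_override USER PASSWD_TEXT: succeeds when "$SU - USER -c CMD"
# would exec /sbin/nologin (or /bin/false) and print
# "This account is currently not available." instead of running CMD.
su_needs_shell_override() {
    case "$(shell_of "$1" "$2")" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|"") return 0 ;;
        *) return 1 ;;
    esac
}

# list_shell_service_accounts PASSWD_TEXT: system accounts (0 < UID < 500)
# whose shell is interactive; these should be created with -s /sbin/nologin
list_shell_service_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 > 0 && $3 < 500 &&
        $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" { print $1 }'
}

# build_su_cmd SU_BIN USER CMD: the fixed initscript form; -s /bin/sh supplies
# a shell for -c regardless of the account's own login shell
build_su_cmd() {
    printf '%s -s /bin/sh - %s -c "%s"\n' "$1" "$2" "$3"
}

# Resolve $SU the way the initscript does, then show the audit and the fix
if [ -x /sbin/runuser ]; then SU=/sbin/runuser; else SU=/bin/su; fi
echo "service accounts with a login shell: $(list_shell_service_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
for u in tomcat pkiuser; do
    su_needs_shell_override "$u" "$SAMPLE_PASSWD" && echo "$u: plain '\$SU - $u -c' would fail"
    build_su_cmd "$SU" "$u" "/usr/sbin/tomcat6 start"
done
```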

Comment 1 John Dennis 2011-02-18 20:37:08 UTC
Even though comment #1 in the original bug report this was cloned from states the problem also exists in RHEL, somehow this never got cloned into RHEL 6.

The Certificate Server will not start without this fix.

Comment 5 Chandrasekar Kannan 2011-03-07 19:31:07 UTC
providing qa_ack since this is now a required fix for IPA in rhel-6.1

Comment 9 errata-xmlrpc 2011-05-19 10:58:39 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0791.html