Score:0

Can't run command under /bin/false user

Centos 8.

There is snowuser:

[snowuser@snowcannon-01 ~]$ cat /etc/passwd | grep snowuser  
snowuser:x:1002:1002::/home/snowuser:/bin/bash   
[snowuser@snowcannon-01 ~]$ groups  
snowuser wheel

There is tomcat user:

[snowuser@snowcannon-01 ~]$ cat /etc/passwd | grep tomcat  
tomcat:x:1003:1003::/opt/tomcat:/bin/false  


cat /etc/group | grep "tomcat\|snowuser"  
wheel:x:10:ydyachuk,amsliusar,snowuser  
snowuser:x:1002:   
tomcat:x:1003:   

Trying to run Tomcat's start script under tomcat user:

/bin/su tomcat -c /opt/tomcat/bin/startup.sh

But I got nothing, meaning that neither an error message appeared nor was a Tomcat process started.

The only detail I have is that the command was executed with errors:

[snowuser@snowcannon-01 ~]$ echo $?
1

It seems the tomcat user has the proper permissions to execute the script:

[snowuser@snowcannon-01 ~]$ ll /opt/tomcat/bin/startup.sh 
-rwxr-xr-x. 1 tomcat tomcat 1904 Nov 11 15:14 /opt/tomcat/bin/startup.sh

How can I make Tomcat run?

Andrew Henle
How was Tomcat installed? If there's a Tomcat service it can be started with something like `systemctl start tomcat`.
I just downloaded Tomcat as a tar.gz file, unpacked it & copied the files to the /opt/tomcat folder.
Score:4

Setting the default shell to /bin/false means that su will switch user, and then execute

/bin/false -c /opt/tomcat/bin/startup.sh

You can use the -s option to su to override the setting in /etc/passwd, but this is only permitted if the calling user is root, or the existing entry in /etc/passwd is listed in /etc/shells.

kmort
Crazy note..... for my version of busybox, that last line is super important: `only permitted if ... the existing entry in /etc/passwd is listed in /etc/shells`. This _includes_ /bin/false. In other words, if your user account's shell is set to /bin/false, you can't su to it with the -s option unless you also place /bin/false into the /etc/shells file. Unexpected.
That is the same for any correct implementation of `su` -- if the login shell is set to `/bin/false`, it is supposed to be impossible to log in, but users should be allowed to use a different shell if they want, so there is a list of valid shells that users can use directly.
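As an added illustration of the answer and of kmort's note (this is not code from the answer or from any su implementation), the script below models what `su USER -c CMD` ends up executing given the user's passwd shell, and checks the stated rule for `su -s`: permitted when the caller is root, or when the target user's /etc/passwd shell appears in /etc/shells. The passwd and shells files are constructed samples based on the question; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the answer above: model what `su` does with the
# target user's passwd shell and check the answer's rule for `su -s`
# (allowed when the caller is root, or when the target user's /etc/passwd
# shell is listed in /etc/shells). The sample files are constructed here;
# on a real host you would point the functions at /etc/passwd and /etc/shells.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHELLS=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
snowuser:x:1002:1002::/home/snowuser:/bin/bash
tomcat:x:1003:1003::/opt/tomcat:/bin/false
EOF
cat >"$SAMPLE_SHELLS" <<'EOF'
/bin/sh
/bin/bash
EOF

# login_shell USER PASSWD_FILE: print USER's login shell (7th passwd field)
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$2"
}

# su_would_run USER PASSWD_FILE COMMAND: the command line that
# `su USER -c COMMAND` ends up executing, i.e. the login shell with -c
su_would_run() {
    printf '%s -c %s\n' "$(login_shell "$1" "$2")" "$3"
}

# su_s_allowed USER CALLER_UID PASSWD_FILE SHELLS_FILE: exit 0 if a caller
# with CALLER_UID may use `su -s <shell> USER`, exit 1 otherwise
su_s_allowed() {
    [ "$2" -eq 0 ] && return 0                   # root may always override
    shell=$(login_shell "$1" "$3")
    [ -n "$shell" ] || return 1                  # unknown user: refuse
    grep -qxF -- "$shell" "$4"                   # non-root: shell must be listed
}

# Walk through the question's situation: snowuser (uid 1002) targeting tomcat
echo "su tomcat -c ... runs: $(su_would_run tomcat "$SAMPLE_PASSWD" /opt/tomcat/bin/startup.sh)"
if su_s_allowed tomcat 1002 "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"; then
    echo "su -s to tomcat as uid 1002: allowed"
else
    echo "su -s to tomcat as uid 1002: denied (/bin/false is not in /etc/shells)"
fi
```

Appending /bin/false to the sample shells file flips the tomcat result to "allowed", which is exactly the behaviour kmort observed.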