1

CentOS 8.

There is snowuser:

[snowuser@snowcannon-01 ~]$ cat /etc/passwd | grep snowuser  
snowuser:x:1002:1002::/home/snowuser:/bin/bash   
[snowuser@snowcannon-01 ~]$ groups  
snowuser wheel

There is tomcat user:

[snowuser@snowcannon-01 ~]$ cat /etc/passwd | grep tomcat  
tomcat:x:1003:1003::/opt/tomcat:/bin/false  


cat /etc/group | grep "tomcat\|snowuser"  
wheel:x:10:ydyachuk,amsliusar,snowuser  
snowuser:x:1002:   
tomcat:x:1003:   

I am trying to run Tomcat's start script as the tomcat user:

/bin/su tomcat -c /opt/tomcat/bin/startup.sh

But I got nothing, meaning that no error message appeared and no Tomcat process was started.

The only detail I have is that the command was executed with errors:

[snowuser@snowcannon-01 ~]$ echo $?
1

It seems the tomcat user has the proper permissions to execute the script:

[snowuser@snowcannon-01 ~]$ ll /opt/tomcat/bin/startup.sh 
-rwxr-xr-x. 1 tomcat tomcat 1904 Nov 11 15:14 /opt/tomcat/bin/startup.sh

How can I get Tomcat running?

Lesha Pipiev

1 Answer

5

Setting the default shell to /bin/false means that su will switch user, and then execute

/bin/false -c /opt/tomcat/bin/startup.sh

You can use the -s option to su to override the setting in /etc/passwd, but this is only permitted if the calling user is root, or the existing entry in /etc/passwd is listed in /etc/shells.

Simon Richter
  • Crazy note..... for my version of busybox, that last line is super important: `only permitted if ... the existing entry in /etc/passwd is listed in /etc/shells`. This _includes_ /bin/false. In other words, if your user account's shell is set to /bin/false, you can't su to it with the -s option unless you also place /bin/false into the /etc/shells file. Unexpected. – kmort Dec 01 '22 at 21:28
  • That is the same for any correct implementation of `su` -- if the login shell is set to `/bin/false`, it is supposed to be impossible to log in, but users should be allowed to use a different shell if they want, so there is a list of valid shells that users can use directly. – Simon Richter Dec 01 '22 at 21:55
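
The rule from the answer and the two comments above, as an added example that is not part of the original thread and is not code from `su` itself: it models only the rule as stated there. The function names and the sample shells files are constructed for illustration; the two passwd lines are the ones shown in the question.

```shell
#!/bin/sh
# Models the rule from the answer: `su -s` is honoured only for root, or when
# the target's passwd shell is listed in the shells file. File paths are
# parameters so the checks run on constructed samples, not the live /etc files.

# Print the login shell (passwd field 7) for USER; an empty field means /bin/sh.
login_shell() {  # USER PASSWD_FILE
    awk -F: -v u="$1" '$1 == u { print ($7 == "" ? "/bin/sh" : $7); f = 1; exit }
                       END { exit !f }' "$2"
}

# Succeed if SHELL appears as a whole, non-comment line in SHELLS_FILE.
shell_is_listed() {  # SHELL SHELLS_FILE
    grep -v '^#' "$2" | grep -Fxq -- "$1"
}

# What a plain `su USER -c CMD` ends up executing.
effective_command() {  # USER CMD PASSWD_FILE
    sh_path=$(login_shell "$1" "$3") || return 2
    printf '%s -c %s\n' "$sh_path" "$2"
}

# Whether a caller with CALLER_UID may override the shell with -s.
override_verdict() {  # USER CALLER_UID PASSWD_FILE SHELLS_FILE
    sh_path=$(login_shell "$1" "$3") || { echo no-such-user; return 2; }
    if [ "$2" -eq 0 ] || shell_is_listed "$sh_path" "$4"; then
        echo override-allowed
    else
        echo override-denied
    fi
}

# Constructed sample files; the passwd lines are the two from the question.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'snowuser:x:1002:1002::/home/snowuser:/bin/bash' \
              'tomcat:x:1003:1003::/opt/tomcat:/bin/false' > "$demo/passwd"
printf '%s\n' '# constructed shells file' /bin/sh /bin/bash > "$demo/shells"
printf '%s\n' /bin/sh /bin/bash /bin/false > "$demo/shells_with_false"

effective_command tomcat /opt/tomcat/bin/startup.sh "$demo/passwd"
override_verdict tomcat 1002 "$demo/passwd" "$demo/shells"             # non-root caller
override_verdict tomcat 0    "$demo/passwd" "$demo/shells"             # root caller
override_verdict tomcat 1002 "$demo/passwd" "$demo/shells_with_false"  # kmort's case
```

Pointing the last two arguments at `/etc/passwd` and `/etc/shells` runs the same checks against a real host.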