tomcat fails to start with: /bin/bash already running.

Bug #632554 reported by Bruce Edge on 2010-09-07
50
This bug affects 5 people
Affects Status Importance Assigned to Milestone
tomcat6 (Ubuntu)
Medium
Thierry Carrez
Lucid
Medium
Unassigned

Bug Description

Binary package hint: tomcat6

While it's not recommended to run tomcat as root, there are circumstances that make it a necessity, like embedded systems. (IMHO Linux should not enforce policy at this level)

Anyway, setting the following in /etc/default/tomcat6

TOMCAT6_USER=root

Yields this when trying to start tomcat:

#> /etc/init.d/tomcat6 start
 * Starting Tomcat servlet engine tomcat6 /bin/bash already running.

If there are _any_ login sessions on the machine, IOW if there are any bash instances, it fails to run.

So, here's a patch that fixes this while not making any changes to policy or who can run what as who.

Here's the relevant version info:

Ubuntu 64 bit 10.04

ii libtomcat6-java 6.0.24-2ubuntu1.2 Servlet and JSP engine -- core libraries
ii tomcat-cfg 6.0.15-01 OSA tomcat config
ii tomcat6 6.0.24-2ubuntu1.2 Servlet and JSP engine
ii tomcat6-admin 6.0.24-2ubuntu1.2 Servlet and JSP engine -- admin web applications
ii tomcat6-common 6.0.24-2ubuntu1.2 Servlet and JSP engine -- common files

Mathias Gug (mathiaz) on 2010-09-07
Changed in tomcat6 (Ubuntu):
importance: Undecided → Low
tags: added: patch
Bruce Edge (bruce-edge) wrote :

Left debug info in patch...sorry. New patch attached.

Thierry Carrez (ttx) wrote :

I agree that we should not force tomcat6 to run under a user that has no bash running.

Note that the proposed patch breaks use of AUTHBIND. This should rather be fixed by shipping once and for all the catalina.sh wrapper to use (rather than recreate it every time). Furthermore this should be shipped in /usr/share/tomcat6 rather than in /etc/init.d/.

Changed in tomcat6 (Ubuntu):
status: New → Triaged

On Thu, Sep 9, 2010 at 5:48 AM, Thierry Carrez <email address hidden>wrote:

> I agree that we should not force tomcat6 to run under a user that has no
> bash running.
>
> Note that the proposed patch breaks use of AUTHBIND. This should rather
> be fixed by shipping once and for all the catalina.sh wrapper to use
> (rather than recreate it every time). Furthermore this should be shipped
> in /usr/share/tomcat6 rather than in /etc/init.d/.
>
>
That does sound like a better option. Is someone else looking at this or
should I take a crack at it.
Note, I'm not very good at java env stuff. :-)

> ** Changed in: tomcat6 (Ubuntu)
> Status: New => Triaged
>
> --
> tomcat fails to start with: /bin/bash already running.
> https://bugs.launchpad.net/bugs/632554
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Thierry Carrez (ttx) on 2010-09-15
Changed in tomcat6 (Ubuntu):
importance: Low → Medium
Craig Box (craig.box) wrote :

At the risk of "me too", this bug affects me because I have to run commands as the tomcat6 user to regenerate indexes (which I do with sudo -u tomcat6 /bin/bash foo.sh) so it's not just people running as root who are affected.

Gerry (gsker) wrote :

I'm struck by this bug because I have the tomcat user doing something else related to tomcat, so it MIGHT actually be logged in.

It strikes me as a bad idea to let a startup script create a file in /etc/init.d/. We should find a better way to clarify that it's actually a tomcat instance running rather than just any old login.
catalina.sh isn't making the decision; start-stop-daemon is.

I'm going to work on it. Ideas are welcome.

Gerry (gsker) wrote :

The problem is fixed if we add `-p "$CATALINA_PID"` to the start-stop-daemon line in catalina_sh(). Isn't that something we should be able to rely on?
{{{
*** tomcat6~ 2010-10-11 13:21:52.000000000 -0500
--- tomcat6 2010-11-03 12:19:04.000000000 -0500
***************
*** 152,154 ****
   start-stop-daemon --start -b -u "$TOMCAT6_USER" -g "$TOMCAT6_GROUP" \
! -c "$TOMCAT6_USER" -d "$CATALINA_TMPDIR" \
    -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
--- 152,154 ----
   start-stop-daemon --start -b -u "$TOMCAT6_USER" -g "$TOMCAT6_GROUP" \
! -c "$TOMCAT6_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
    -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
}}}

Bruce Edge (bruce-edge) wrote :

On Wed, Nov 3, 2010 at 10:26 AM, gerry skerbitz
<email address hidden>wrote:

> The problem is fixed if we add `-p "$CATALINA_PID"` to the
> start-stop-daemon line in catalina_sh(). Isn't that something we should be
> able to rely on?
> {{{
> *** tomcat6~ 2010-10-11 13:21:52.000000000 -0500
> --- tomcat6 2010-11-03 12:19:04.000000000 -0500
> ***************
> *** 152,154 ****
> start-stop-daemon --start -b -u "$TOMCAT6_USER" -g "$TOMCAT6_GROUP"
> \
> ! -c "$TOMCAT6_USER" -d "$CATALINA_TMPDIR" \
> -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
> --- 152,154 ----
> start-stop-daemon --start -b -u "$TOMCAT6_USER" -g "$TOMCAT6_GROUP"
> \
> ! -c "$TOMCAT6_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID"
> \
> -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
> }}}
>
>
Seems like a perfectly reasonable fix. I have a hard time understanding why
it wasn't done this way at first.

> --
> tomcat fails to start with: /bin/bash already running.
> https://bugs.launchpad.net/bugs/632554
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Gerry (gsker) wrote :

Here's my comment included as an attached patch. What does it take to actually get this into a release?

Bruce Edge (bruce-edge) wrote :

I'll vote for gerry's patch.

Thierry Carrez (ttx) on 2010-11-23
Changed in tomcat6 (Ubuntu):
assignee: nobody → Thierry Carrez (ttx)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.28-7ubuntu3

---------------
tomcat6 (6.0.28-7ubuntu3) natty; urgency=low

  * debian/tomcat6.init: Add missing -p option in start-stop-daemon when
    starting tomcat6 to avoid failing to start due to /bin/bash running
    (LP: #632554)
 -- Thierry Carrez (ttx) <email address hidden> Tue, 23 Nov 2010 16:35:40 +0100

Changed in tomcat6 (Ubuntu):
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote :

Also pushed to debian to ensure proper sync.

Bruce Edge (bruce-edge) wrote :

I'd really like to see this backported to lucid since that's the LTS release we're using on our servers.

Thanks

-Bruce

Thierry Carrez (ttx) on 2010-11-24
Changed in tomcat6 (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Medium
Michael Jeanson (mjeanson) wrote :

SRU for lucid (https://wiki.ubuntu.com/StableReleaseUpdates)

1. Impact :
If tomcat6 is runned under a user that has a running bash process, trying to start or restart the service will fail.

2. Fix in development version :
The fix is a oneliner in the initscript, add the missing -p option in start-stop-daemon to use the pidfile.
It was fixed in natty with package version 6.0.28-7ubuntu3

3. Patch :
See bzr branch : lp:~mjeanson/ubuntu/lucid/tomcat6/bug632554

TEST CASE:
* Install tomcat6
* In another shell run : sudo -u tomcat6 /bin/bash
* In the first shell, restart the tomcat6 service : sudo /etc/init.d/tomcat6 restart

 * Stopping Tomcat servlet engine tomcat6 [ OK ]
 * Starting Tomcat servlet engine tomcat6 /bin/bash already running.

5. Regression potential
None that I can think of.

Stéphane Graber (stgraber) wrote :

Uploaded to lucid-proposed currently waiting for approval.

Accepted tomcat6 into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in tomcat6 (Ubuntu Lucid):
status: Triaged → Fix Committed
tags: added: verification-needed
Stéphane Graber (stgraber) wrote :
Download full text (3.3 KiB)

I can confirm that the fix works as expected, here's the output of my test.
I started a bash shell as tomcat6 in a shell, then ran the following commands on an up to date lucid system (with -updates and -security)

root@lucid:~# ps aux | grep tomcat6
tomcat6 3850 0.0 0.1 11172 1968 pts/1 S+ 14:45 0:00 bash
root 3896 0.0 0.0 7624 900 pts/0 S+ 14:45 0:00 grep --color=auto tomcat6
root@lucid:~# /etc/init.d/tomcat6 start
 * Starting Tomcat servlet engine tomcat6 /bin/bash already running.
root@lucid:~# apt-get install tomcat6
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libservlet2.5-java libtomcat6-java tomcat6-common
Suggested packages:
  tomcat6-docs tomcat6-admin tomcat6-examples tomcat6-user
The following packages will be upgraded:
  libservlet2.5-java libtomcat6-java tomcat6 tomcat6-common
4 upgraded, 0 newly installed, 0 to remove and 22 not upgraded.
Need to get 0B/3,277kB of archives.
After this operation, 0B of additional disk space will be used.
Do you want to continue [Y/n]?
(Reading database ... 70588 files and directories currently installed.)
Preparing to replace libservlet2.5-java 6.0.24-2ubuntu1.4 (using .../libservlet2.5-java_6.0.24-2ubuntu1.5_all.deb) ...
Unpacking replacement libservlet2.5-java ...
Preparing to replace libtomcat6-java 6.0.24-2ubuntu1.4 (using .../libtomcat6-java_6.0.24-2ubuntu1.5_all.deb) ...
Unpacking replacement libtomcat6-java ...
Preparing to replace tomcat6-common 6.0.24-2ubuntu1.4 (using .../tomcat6-common_6.0.24-2ubuntu1.5_all.deb) ...
Unpacking replacement tomcat6-common ...
Preparing to replace tomcat6 6.0.24-2ubuntu1.4 (using .../tomcat6_6.0.24-2ubuntu1.5_all.deb) ...
 * Stopping Tomcat servlet engine tomcat6 [ OK ]
Unpacking replacement tomcat6 ...
Processing triggers for ureadahead ...
Setting up libservlet2.5-java (6.0.24-2ubuntu1.5) ...
Setting up libtomcat6-java (6.0.24-2ubuntu1.5) ...
Setting up tomcat6-common (6.0.24-2ubuntu1.5) ...
Setting up tomcat6 (6.0.24-2ubuntu1.5) ...
Installing new version of config file /etc/init.d/tomcat6 ...
 * Starting Tomcat servlet engine tomcat6 [ OK ]

root@lucid:~# ps aux | grep tomcat6
tomcat6 3850 0.0 0.1 11172 1968 pts/1 S+ 14:45 0:00 bash
tomcat6 4070 15.7 5.9 550744 61404 ? Sl 14:46 0:01 /usr/lib/jvm/java-6-openjdk/bin/java -Djava.util.logging.config.file=/var/lib/tomcat6/conf/logging.properties -Djava.awt.headless=true -Xmx128M -XX:+UseConcMarkSweepGC -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/share/tomcat6/endorsed -classpath /usr/share/tomcat6/bin/bootstrap.jar -Dcatalina.base=/var/lib/tomcat6 -Dcatalina.home=/usr/share/tomcat6 -Djava.io.tmpdir=/tmp/tomcat...

Read more...

Download full text (3.8 KiB)

Thank you for testing. I was unable to test it this week. I had updated my test
machine to maverick and needed to set up a virtual machine to test.

It probably needs a test by the person who needed the AUTHBIND setting to make
sure it doesn't break that, but ...

I notice the change I made also included the addition of "-b". I don't know what
impact that has but it made sense when I was working on it.

Gerry

On Sat, 11 Dec 2010, Stéphane Graber wrote:

> I can confirm that the fix works as expected, here's the output of my test.
> I started a bash shell as tomcat6 in a shell, then ran the following commands on an up to date lucid system (with -updates and -security)
>
> root@lucid:~# ps aux | grep tomcat6
> tomcat6 3850 0.0 0.1 11172 1968 pts/1 S+ 14:45 0:00 bash
> root 3896 0.0 0.0 7624 900 pts/0 S+ 14:45 0:00 grep --color=auto tomcat6
> root@lucid:~# /etc/init.d/tomcat6 start
> * Starting Tomcat servlet engine tomcat6 /bin/bash already running.
> root@lucid:~# apt-get install tomcat6
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> The following extra packages will be installed:
> libservlet2.5-java libtomcat6-java tomcat6-common
> Suggested packages:
> tomcat6-docs tomcat6-admin tomcat6-examples tomcat6-user
> The following packages will be upgraded:
> libservlet2.5-java libtomcat6-java tomcat6 tomcat6-common
> 4 upgraded, 0 newly installed, 0 to remove and 22 not upgraded.
> Need to get 0B/3,277kB of archives.
> After this operation, 0B of additional disk space will be used.
> Do you want to continue [Y/n]?
> (Reading database ... 70588 files and directories currently installed.)
> Preparing to replace libservlet2.5-java 6.0.24-2ubuntu1.4 (using .../libservlet2.5-java_6.0.24-2ubuntu1.5_all.deb) ...
> Unpacking replacement libservlet2.5-java ...
> Preparing to replace libtomcat6-java 6.0.24-2ubuntu1.4 (using .../libtomcat6-java_6.0.24-2ubuntu1.5_all.deb) ...
> Unpacking replacement libtomcat6-java ...
> Preparing to replace tomcat6-common 6.0.24-2ubuntu1.4 (using .../tomcat6-common_6.0.24-2ubuntu1.5_all.deb) ...
> Unpacking replacement tomcat6-common ...
> Preparing to replace tomcat6 6.0.24-2ubuntu1.4 (using .../tomcat6_6.0.24-2ubuntu1.5_all.deb) ...
> * Stopping Tomcat servlet engine tomcat6 [ OK ]
> Unpacking replacement tomcat6 ...
> Processing triggers for ureadahead ...
> Setting up libservlet2.5-java (6.0.24-2ubuntu1.5) ...
> Setting up libtomcat6-java (6.0.24-2ubuntu1.5) ...
> Setting up tomcat6-common (6.0.24-2ubuntu1.5) ...
> Setting up tomcat6 (6.0.24-2ubuntu1.5) ...
> Installing new version of config file /etc/init.d/tomcat6 ...
> * Starting Tomcat servlet engine tomcat6 [ OK ]
>
> root@lucid:~# ps aux | grep tomcat6
> tomcat6 3850 0.0 0.1 11172 196...

Read more...

Stéphane Graber (stgraber) wrote :

I just tried in the same VM, updating server.xml to listen on port 80 and updating /etc/default/tomcat6 to have AUTHBIND=yes
tomcat6 then started on port 80 without any issue.

Martin Pitt (pitti) on 2010-12-12
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.24-2ubuntu1.5

---------------
tomcat6 (6.0.24-2ubuntu1.5) lucid-proposed; urgency=low

  * debian/tomcat6.init: Add missing -p option in start-stop-daemon when
    starting tomcat6 to avoid failing to start due to /bin/bash running
    (LP: #632554)
 -- Michael Jeanson <email address hidden> Wed, 08 Dec 2010 11:51:33 -0500

Changed in tomcat6 (Ubuntu Lucid):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers