[systemd-devel] systemd service fails to start rhel7.8

Lennart Poettering lennart at poettering.net
Wed May 6 13:06:08 UTC 2020


On Di, 05.05.20 08:48, Aviram, Nimrod (NAviram at bottomline.com) wrote:

> Hi,
>
> I've been using the following service to control our Catalina server for the past few years now.
> After upgrading OS to RHEL 7.8, the service fails to start.
> I'm usually creating a basic user (cfrm) to run Catalina but I've also tried with root and received the same exception.
> I know that something was changed in systemd but I can't figure out how to fix this.
> Any help will be appreciated.
>
> [Unit]
> Description=cfrmic
> [Service]
> User=cfrm

So, you run the service as "cfrm" user already, i.e. unprivileged.

> Environment=JAVA_HOME=$JAVA_HOME

As others mentioned, this makes no sense, unit files will not evaluate
env vars, and even if they would, assigning a variable's value to the
variable is kinda pointless, no?

> May 05 04:45:13 US02VLAPP8519 su[2249]: pam_unix(su-l:auth): auth could not identify password for [cfrm]
> May 05 04:45:13 US02VLAPP8519 su[2249]: pam_sss(su-l:auth): authentication failure; logname= uid=1001 euid=0 tty= ruser=cfrm rhost= user=cfrm
> May 05 04:45:13 US02VLAPP8519 su[2249]: pam_sss(su-l:auth): received for user cfrm: 10 (User not known to the underlying authentication module)
> May 05 04:45:13 US02VLAPP8519 su[2249]: FAILED SU (to cfrm) cfrm on none
> May 05 04:45:14 US02VLAPP8519 manager.sh[2248]: Password: su: Authentication failure

It appears your service script uses "su" to switch to the "cfrm"
user. As we noted above it is already running as that user, which
hence makes this pointless. This "su" fails, because no pw was
supplied. Most likely your distro changed behaviour there,
i.e. previously allowed "su" from a user to itself and now doesn't
anymore. Either way, it's kinda pointless doing that anyway...

In general: it's not a good idea to use "su" in shell scripts. "su"
creates login sessions, but for system stuff that's not desirable
typically. Use util-linux' setpriv(1) tool instead. But again, in this
case it's entirely pointless, …

Lennart

--
Lennart Poettering, Berlin
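
An added example, not part of the original thread or of the poster's manager.sh: one way a service script can replace its "su" call with setpriv(1) and skip the switch entirely when User= has already put it in the right account. The function names `run_as` and `switch_plan` are hypothetical, and using `--clear-groups` assumes the service needs no supplementary groups.

```shell
#!/bin/sh
# Added example: drop-in replacement for "su - USER -c ..." in a service script.
# It never opens a PAM login session and never prompts for a password.

# switch_plan TARGET_UID CURRENT_UID
# Prints how to reach the target uid:
#   none    - already running as that uid (e.g. the unit sets User=)
#   setpriv - running as root, so privileges can simply be dropped
#   deny    - another unprivileged uid; switching would need authentication
switch_plan() {
    target_uid=$1
    current_uid=$2
    if [ "$current_uid" -eq "$target_uid" ]; then
        echo none
    elif [ "$current_uid" -eq 0 ]; then
        echo setpriv
    else
        echo deny
    fi
}

# run_as USER CMD [ARGS...]
run_as() {
    user=$1
    shift
    # Resolve numeric ids ourselves so setpriv is only handed numbers.
    target_uid=$(id -u "$user") || return 1
    case $(switch_plan "$target_uid" "$(id -u)") in
        none)
            "$@"
            ;;
        setpriv)
            target_gid=$(id -g "$user") || return 1
            setpriv --reuid="$target_uid" --regid="$target_gid" \
                    --clear-groups "$@"
            ;;
        deny)
            echo "run_as: uid $(id -u) cannot become $user without a password" >&2
            return 1
            ;;
    esac
}

# Usage when called directly, e.g.: ./run_as.sh cfrm /path/to/start-script
if [ $# -gt 0 ]; then
    run_as "$@"
fi
```

With User=cfrm in the unit the script takes the `none` branch, which is the case discussed above; the `deny` branch fails cleanly instead of waiting at a "Password:" prompt.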

