Unable to run Nexus as any user other than root


Oliver Loftus

Sep 19, 2016, 8:40:34 AM9/19/16
to Nexus Users

Hello,


I am having trouble running the latest Nexus 2.x release as anything other than root on a CentOS 7 system.


When running Nexus as the root user, with all files owned by root, Nexus starts fine. When running Nexus as a service user, however, it does not start and gives no reason. I can trace the problem to line 295 in the Nexus startup script which tries to su to the RUN_AS_USER account, and then exits with exit code 0, but I'm not able to fix the problem. Full details of both the working and the non-working scenario are given below.


Kind regards,


Oliver



Installation details

[build1@build1 ~]$ ls -l /usr/local | grep nexus
lrwxrwxrwx. 1 root root   15 Sep 18 19:36 nexus -> nexus-2.13.0-01
drwxr-xr-x. 8 root root 4096 Apr 12 09:11 nexus-2.13.0-01

[build1@build1 ~]$ ls -l /etc/init.d/ | grep nexus
lrwxrwxrwx. 1 root root    26 Sep 18 19:40 nexus -> /usr/local/nexus/bin/nexus



1) Settings when running Nexus as root (which works)

Nexus startup script settings (/usr/local/nexus/bin/nexus)

#-----------------------------------------------------------------------------
# These settings can be modified to fit the needs of your application

# Set this to the root of the Nexus installation
NEXUS_HOME="/usr/local/nexus"

# If specified, the Wrapper will be run as the specified user.

# IMPORTANT - Make sure that the user has the required privileges to write into the Nexus installation directory.
# NOTE - This will set the user which is used to run the Wrapper as well as
#  the JVM and is not useful in situations where a privileged resource or
#  port needs to be allocated prior to the user being changed.
RUN_AS_USER=root

# Application
APP_NAME="nexus"
APP_LONG_NAME="Nexus OSS"

# Priority at which to run the wrapper.  See "man nice" for valid priorities.
#  nice is only used if a priority is specified.
PRIORITY=

# Location of the pid file.
#PIDDIR="."
# If uncommented, causes the Wrapper to be shutdown using an anchor file.
#  When launched with the 'start' command, it will also ignore all INT and
#  TERM signals.
#IGNORE_SIGNALS=true

# The following two lines are used by the chkconfig command. Change as is
#  appropriate for your application.  They should remain commented.
# chkconfig: 2345 20 80
# description: Test Wrapper Sample Application

# Do not modify anything beyond this point
#-----------------------------------------------------------------------------



Startup output

[build1@build1 ~]$ sudo service nexus start
****************************************
WARNING - NOT RECOMMENDED TO RUN AS ROOT
****************************************
Starting Nexus OSS...
Started Nexus OSS.

[build1@build1 ~]$ ps aux | grep nexus | grep -v grep
root     19210  0.0  0.0  17820   752 ?        Sl   06:42   0:00 /usr/local/nexus/bin/jsw/linux-x86-64/wrapper /usr/local/nexus/bin/jsw/conf/wrapper.conf wrapper.syslog.ident=nexus wrapper.pidfile=/usr/local/nexus/bin/jsw/linux-x86-64/nexus.pid wrapper.daemonize=TRUE wrapper.lockfile=/var/lock/subsys/nexus
root     19212  183  6.2 3258156 483340 ?      Sl   06:42   0:23 java -XX:MaxPermSize=192m -Djava.io.tmpdir=./tmp -Djava.net.preferIPv4Stack=true -Dcom.sun.jndi.ldap.connect.pool.protocol=plain ssl -Xms256m -Xmx768m -Djava.library.path=bin/jsw/lib -classpath bin/jsw/lib/wrapper-3.2.3.jar:./lib/slf4j-api-1.7.6.jar:./lib/jetty-rewrite-8.1.16.v20140903.jar:./lib/jetty-server-8.1.16.v20140903.jar:./lib/jetty-servlet-8.1.16.v20140903.jar:./lib/jetty-xml-8.1.16.v20140903.jar:./lib/logback-classic-1.1.2.jar:./lib/javax.servlet-3.0.0.v201112011016.jar:./lib/jetty-client-8.1.16.v20140903.jar:./lib/jetty-deploy-8.1.16.v20140903.jar:./lib/jetty-security-8.1.16.v20140903.jar:./lib/metrics-logback-2.2.0.jar:./lib/jetty-util-8.1.16.v20140903.jar:./lib/plexus-interpolation-1.16.jar:./lib/jetty-jmx-8.1.16.v20140903.jar:./lib/logback-access-1.1.2.jar:./lib/jetty-continuation-8.1.16.v20140903.jar:./lib/nexus-bootstrap-2.13.0-01.jar:./lib/metrics-jetty-2.2.0.jar:./lib/jetty-webapp-8.1.16.v20140903.jar:./lib/jetty-io-8.1.16.v20140903.jar:./lib/metrics-core-2.2.0.jar:./lib/logback-core-1.1.2.jar:./lib/jul-to-slf4j-1.7.6.jar:./lib/jetty-http-8.1.16.v20140903.jar:./conf/ -Dwrapper.key=Q3dmGXBZqmyXou6l -Dwrapper.port=32000 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.pid=19210 -Dwrapper.version=3.2.3 -Dwrapper.native_library=wrapper -Dwrapper.service=TRUE -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=1 org.sonatype.nexus.bootstrap.jsw.JswLauncher ./conf/jetty.xml ./conf/jetty-requestlog.xml




2) Settings when running Nexus as user nexus (which doesn't work)

Setup user and chown files
[build1@build1 ~]$ sudo adduser -r -M -s /bin/false nexus
[build1@build1 ~]$ sudo usermod -L -d /usr/local/nexus nexus
[build1@build1 ~]$ cd /usr/local
[build1@build1 local]$ sudo chown -R nexus:nexus nexus nexus-2.13.0-01 sonatype-work
[build1@build1 local]$ sudo chown nexus:nexus /etc/init.d/nexus

Change to Nexus startup script (/usr/local/nexus/bin/nexus)
RUN_AS_USER=nexus

Startup output
[build1@build1 local]$ sudo service nexus start
[build1@build1 local]$ ps aux | grep nexus | grep -v grep
[build1@build1 local]$


3) Where I think the problem is
293             # Still want to change users, recurse.  This means that the user will only be
294             #  prompted for a password once. Variables shifted by 1
295             su - $RUN_AS_USER -c "\"$REALPATH\" $2"
296
297             # Now that we are the original user again, we may need to clean up the lock file.
298             if [ "X$LOCKPROP" != "X" ]
299             then
300                 getpid
301                 if [ "X$pid" = "X" ]
302                 then
303                     # Wrapper is not running so make sure the lock file is deleted.
304                     if [ -f "$LOCKFILE" ]
305                     then
306                         rm "$LOCKFILE"
307                     fi
308                 fi
309             fi
310
311             exit 0


Rich Seddon

Sep 19, 2016, 2:58:00 PM9/19/16
to Nexus Users
Are there any messages in the $NEXUS_HOME/log/wrapper.log file for the failed startup?

Rich

--
You received this message because you are subscribed to the Google Groups "Nexus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nexus-users+unsubscribe@glists.sonatype.com.
To post to this group, send email to nexus...@glists.sonatype.com.
To view this discussion on the web visit https://groups.google.com/a/glists.sonatype.com/d/msgid/nexus-users/a370bae8-71e2-4f8d-8966-26330e190158%40glists.sonatype.com.
For more options, visit https://groups.google.com/a/glists.sonatype.com/d/optout.

Oliver Loftus

Sep 19, 2016, 5:56:13 PM9/19/16
to Nexus Users
Unfortunately not. I cleared the log and started Nexus (as the nexus user) again and the log is blank.

Rich Seddon

Sep 19, 2016, 6:45:49 PM9/19/16
to Nexus Users

Try running it with "bin/nexus console" as root.

If that also doesn't produce output, then run:

sh -x bin/nexus console

That will print the shell debug output.


Manfred Moser

Sep 19, 2016, 7:34:20 PM9/19/16
to nexus...@glists.sonatype.com, rse...@sonatype.com

I think Rich meant to say to run it as the nexus user

su nexus

bin/nexus console

But I also noticed that the default shell for the user is /bin/false 

I am pretty sure it has to be /bin/sh or /bin/bash .. so a valid shell... 

Manfred

Oliver Loftus

Sep 20, 2016, 5:38:57 AM9/20/16
to Nexus Users, rse...@sonatype.com
Indeed the problem turned out to be the login shell. I updated the user to use /bin/bash and Nexus now starts as expected.

I was under the impression that service users should have their login shells disabled for security, but of course if the startup script is su'ing to the user to start Nexus, that's not going to work.

Thanks for your help.
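The failure mode diagnosed in this thread, reproduced as an added example (not code from the thread, the Nexus startup script, or Sonatype): `su - $RUN_AS_USER -c "..."` hands the command to the user's login shell, so a /bin/false or nologin shell discards it and the wrapper never starts, leaving wrapper.log empty. The script also shows the check to run on the service account and, for an init wrapper you control, the `su -s /bin/sh` form that lets the account keep a disabled login shell; the passwd lines are constructed and the UID/GID are assumed values.

```shell
#!/bin/sh
# Constructed `getent passwd nexus` output for the two setups in the thread
# (UID/GID 987 is an assumption).
PASSWD_NOLOGIN='nexus:x:987:987::/usr/local/nexus:/bin/false'
PASSWD_BASH='nexus:x:987:987::/usr/local/nexus:/bin/bash'

# login_shell PASSWD_LINE: print the 7th field, the login shell.
login_shell() {
    printf '%s\n' "$1" | cut -d: -f7
}

# shell_runs_commands SHELL: 0 if `su - USER -c CMD` would hand CMD to a real
# shell; 1 for the disabled shells, which ignore -c and simply exit.
shell_runs_commands() {
    case "$1" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 1 ;;
        *) return 0 ;;
    esac
}

# su_c_status SHELL: exit status `su - USER -c true` yields for a user whose
# shell is SHELL, reproduced by invoking the shell exactly as su does
# (SHELL -c CMD). Needs no root; SHELL must exist on this host.
su_c_status() {
    "$1" -c true >/dev/null 2>&1
    echo $?
}

# start_command USER SHELL CMD: print the su invocation to use. With a real
# login shell the thread's form works; with a disabled shell, `su -s /bin/sh`
# supplies a shell for this one command, so the account can keep /bin/false
# or nologin and still run the service (-s/--shell exists in both shadow-utils
# and util-linux su on CentOS 7).
start_command() {
    if shell_runs_commands "$2"; then
        printf 'su - %s -c %s\n' "$1" "$3"
    else
        printf 'su -s /bin/sh - %s -c %s\n' "$1" "$3"
    fi
}

# Walk both setups from the thread.
for line in "$PASSWD_NOLOGIN" "$PASSWD_BASH"; do
    shl=$(login_shell "$line")
    printf '%s -> ' "$shl"
    start_command nexus "$shl" '"/usr/local/nexus/bin/nexus start"'
done
```

Because the stock Nexus 2.x script hardcodes `su - $RUN_AS_USER -c`, the `-s` form only applies if you patch that line or start the wrapper from your own init script; when the caller is already root, util-linux `runuser -s /bin/sh -l nexus -c "..."` does the same without going through PAM.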