On 4/28/23 07:52, Kirk Baker wrote:
We are running Solr 9.1 on RedHat Linux. My organization's security
requirements stipulate that all system accounts have a non-interactive
shell. When I set the 'solr' user to nologin, the solr service fails. Does
anyone have any recommendations on running solr with a nologin user?
Gus: The error message I saw was "This account is currently not available."
I found a workaround. Add "-s /bin/sh" to the su command in the init
script, which will most likely be /etc/init.d/solr unless you have
changed the service name. This is the new line ... the original is
found near the end of the script:

    su -s /bin/sh -c "SOLR_INCLUDE=\"$SOLR_ENV\" \"$SOLR_INSTALL_DIR/bin/solr\" $SOLR_CMD" - "$RUNAS"

I'm thinking we should add this to the codebase. The init script
shebang is "#!/bin/sh" so we are already assuming that this shell is
there ... which I do not think is a bad assumption. The shebang in the
solr script will find bash, so passing an explicit shell on the su
command that isn't bash will not interfere with that.
I also think that the service installer should find "nologin" and set
the solr user's shell to that, falling back to /bin/sh if it is not
found. We probably have examples in the ref guide of using su to run
bin/solr commands that will need updating with that change.
Thanks,
Shawn
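
The installer behaviour suggested above (use "nologin" if it can be found, otherwise fall back to /bin/sh), together with the "su -s /bin/sh" workaround, as an added example. It is not part of the original message or of Solr's installer. The function names, the search directories and the sample passwd entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Solr's own code. All function names are hypothetical.

# find_nologin [DIR...]: print the first executable "nologin" found.
# The default directory list is an assumption (common locations).
find_nologin() {
    [ $# -gt 0 ] || set -- /sbin /usr/sbin /bin /usr/bin
    for dir in "$@"; do
        if [ -x "$dir/nologin" ]; then
            printf '%s\n' "$dir/nologin"
            return 0
        fi
    done
    return 1
}

# service_shell [DIR...]: shell to assign to the service account:
# nologin when available, /bin/sh as the fallback.
service_shell() {
    find_nologin "$@" || printf '%s\n' /bin/sh
}

# account_shell USER [PASSWD_FILE]: print USER's shell (7th passwd field).
# Exits non-zero when USER has no entry. "-" reads standard input.
account_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# is_noninteractive SHELL: succeed if SHELL refuses interactive logins.
is_noninteractive() {
    case "$1" in
        */nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# run_as USER COMMAND: run COMMAND as USER even when USER's shell is
# nologin, by passing an explicit shell to su. Needs root; not called here.
run_as() {
    su -s /bin/sh -c "$2" - "$1"
}

# Constructed sample passwd entry (not taken from a real system).
sample='solr:x:8983:8983::/var/solr:/bin/bash'
current=$(printf '%s\n' "$sample" | account_shell solr -)
if ! is_noninteractive "$current"; then
    echo "solr has interactive shell $current; installer would set $(service_shell)"
fi
```
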