I am trying to setup an OFBiz fork called Scipio as a service on CentOS 7.

The service wrapper script changes the user to a dedicated one for the program. All of the program's files are owned and in the group under that dedicated user name.

If I grant execute permissions on the script, have it sitting in a sub directory of the program, and log in as that dedicated user, and execute it directly like a standard bash script it functions perfectly. BUT, if I copy it to /etc/rc.d/init.d/scipio and attempt to execute it as another user (my normal account) using sudo, (executing "normally" or as service), it fails.

It looks like the error is something to the effect of:

failed to start service interactive authentication required

Here are the permissions (ls -l):

-rwxr-xr-x. 1 root root 4165 Jul  8 16:00 /etc/rc.d/init.d/scipio

Here's how I like to launch it (as a sudoer):

sudo service scipio restart

Here's the script itself:

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
# scipio       This shell script takes care of starting and stopping
#              the Scipio ERP server
# chkconfig: 2345 80 10
# description: Scipio ERP

# Source function library
# this does not exist in Debian/Ubuntu/etc. => see  rc.ofbiz.for.debian
# => comment out and use "echo failure" and "echo success" in place of echo_failure and echo_success (minor anyway)
. /etc/rc.d/init.d/functions

# Source networking configuration
# this does not exist in Debian/Ubuntu/etc. => see  rc.ofbiz.for.debian
. /etc/sysconfig/network

# Paths - Edit for your locations

# VM Options
JAVA_VMOPTIONS="-Xms128M -Xmx1024M -XX:MaxPermSize=512M"

# Java arguments
JAVA_ARGS="-jar ofbiz.jar"

# *nix user ofbiz should run as (you must create this user first)

# OFBiz processes running
ofbizprocs() {
    OFBIZ_PROCS=`/bin/ps h -o pid,args -C java | /bin/grep -e "$JAVA_ARGS" | /bin/egrep -o "^[[:space:]]*[[:digit:]]*"`

# Checking user...
checkuser() {
    if [ "$USER" != "$OFBIZ_USER" ]; then
        echo failure
        echo "Only users root or $OFBIZ_USER should start/stop the application"
        exit 1

# Start OFBiz
start() {
    echo -n "Starting OFBiz: "
    if [ "$OFBIZ_PROCS" != "" ]; then
        echo failure
        echo "OFBiz is already running..."
        return 1

    # All clear
    cd $OFBIZ_HOME
    umask 007
    /bin/rm -f $OFBIZ_LOG
    echo success
    return 0

# Stop OFBiz
stop() {
    echo -n "Stopping OFBiz: "
    if [ "$OFBIZ_PROCS" == "" ]; then
        echo failure
        echo "OFBiz is not running..."
        return 1

    # All clear
    cd $OFBIZ_HOME
    umask 007
    if [ "$OFBIZ_PROCS" != "" ]; then
        # Let's try to -TERM
        /bin/kill -TERM $OFBIZ_PROCS
    if [ "$OFBIZ_PROCS" != "" ]; then
        # Let's try it the hard way!
        /bin/kill -9 $OFBIZ_PROCS
    if [ "$OFBIZ_PROCS" != "" ]; then
        echo failure
        echo "Some processes could not be stopped:"
        echo $OFBIZ_PROCS
        echo "A possible solution is to try this command once more!"
        return 1
        echo success
        return 0

# If root is running this script, su to $OFBIZ_USER first
# Note that under Debian/Ubuntu/etc. you should use instead
# if [ "$USER" = "root" ]; then
if [ "$UID" = "0" ]; then
    exec su - $OFBIZ_USER -c "$0 $1"

case "$1" in
        if [ "$OFBIZ_PROCS" == "" ]; then
            echo "OFBiz is stopped"
            exit 1
            echo "OFBiz is running"
            exit 0
        echo "Usage: $0 {start|stop|kill|restart|status|help}"
        exit 1
exit $?

It seems like this is a CentOS 7 specific issue. I believe the services model changed, and these init.d style scripts aren't the natural mechanism anymore. Maybe this is SELinux related?


JAVA_HOME should be defined, as I previously ran:

export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-

sudo sh -c "echo export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk- >> /etc/environment"     

... I tested and confirmed that is resolving in this context.

Journaled error message

-- Unit session-c16.scope has begun starting up.
Jul 09 20:56:19 SERVERNAME-XXXX scipio[27942]: Starting scipio (via systemctl):  Failed to start scipio.service: Interactive authentication required.
Jul 09 20:56:19 SERVERNAME-XXXX scipio[27942]: See system logs and 'systemctl status scipio.service' for details.
Jul 09 20:56:19 SERVERNAME-XXXX scipio[27942]: [FAILED]
Jul 09 20:56:19 SERVERNAME-XXXX su[27942]: pam_unix(su-l:session): session closed for user scipio
Jul 09 20:56:19 SERVERNAME-XXXX systemd[1]: scipio.service: control process exited, code=exited status=1
Jul 09 20:56:19 SERVERNAME-XXXX systemd[1]: Failed to start SYSV: Scipio ERP.
-- Subject: Unit scipio.service has failed
  • 399
  • 3
  • 11
  • Do yourself a favor: Get rid of this and write a normal systemd unit. – Michael Hampton Jul 09 '18 at 23:37
  • This is not a script that I wrote. It is part of an open source software suite. Scipio is a fork from a fairly well known project called Apache OFBiz. Both provide a collection of these scripts for various Linux distros. This is the closest one for this Linux flavor. In order to upgrade in the future (as this code base is constantly evolving) I need to stick as close to the original source as possible unless I want to create a git merging nightmare for myself. – BuvinJ Jul 10 '18 at 00:13
  • There wouldn't be any git merging nightmare at all, really. And besides, you could always contribute it back to the project. – Michael Hampton Jul 10 '18 at 00:18
  • Well, I suppose. I could add a new file, to prevent a literal merge issue, but the thing that I'm worried about is when they change this script, and then I have modify this one to stay in sync with that. Unless someone else runs with it... Can you point me in the direction of writing a replacement? I've not written one in the new style yet. – BuvinJ Jul 10 '18 at 00:42
  • Hmm. For example [What's the easiest way to make my old init script work in systemd?](https://serverfault.com/q/690155/126632) which used Solr as an example but is otherwise very similar. – Michael Hampton Jul 10 '18 at 12:19
  • Excellent. Thank you. I will give that try. I'm also going to debug the original, as I'm convinced there is some contextual permissions issue. Without solving that a rewrite would probably fail too. – BuvinJ Jul 10 '18 at 14:47
  • Well, I couldn't manage to figure out a solution despite many attempts. I even found a functional example of another service on my server which launches under a dedicated user via a similar script. There must be some little security detail I'm missing. BUT - I took your advice and that worked right out of the gate! Systemd units have a simple `user` parameter, and using that I could launch this as the alternate user without an issue. Since the program comes with start/stop scripts (in addition to the old service scripts) I simply used this as a wrapper for those. – BuvinJ Jul 11 '18 at 13:06
  • If you want to post your comment as an answer, I'll mark it as accepted. – BuvinJ Jul 11 '18 at 13:06

2 Answers2


It looks to me like JAVA_HOME isn't defined. Thus, when you try to run the script, /bin/java doesn't exist, and it fails.

If you do it as a logged in user, you likely end up with that environment variable either defined in a rc file, or inherited from the user you were before changing to the service account.

Yes, CentOS 7 did switch to using systemd rather than initV -- but an initscript like that should still work even if it's deprecated.

James K
  • 111
  • 2
  • I'll try hard coding that, but it should be defined. – BuvinJ Jul 09 '18 at 20:48
  • Where would that be defined? Remember that service invocations (such as initscripts and cron entries) are usually performed in minimal environments. – James K Jul 09 '18 at 20:52
  • Note my update in the question. Also, I just tried adding that to the script, and it didn't help unfortunately. – BuvinJ Jul 09 '18 at 20:54
  • I spit that out in a log just now, and the JAVA_BINARY path is fine in that context. – BuvinJ Jul 09 '18 at 21:00
  • See my error message just posted. The issue seems to be "Interactive authentication required." Whatever that means exactly. – BuvinJ Jul 09 '18 at 21:05

Paul from Scipio ERP here. If you have any issue with the start script, it would be great if you could report it over at the Scipio ERP Community forum. We'd love to fix this for everyone!

That being said, I will open up a ticket and see that we can recreate the issue.

Thank you

  • 1
    Thanks, Paul. I was, in fact, planning to post my problem and solution over in that forum. I think that including a systemd script in Scipio would be best. I'd like to directly submit the script I'm using to the repo. – BuvinJ Jul 19 '18 at 12:22
  • That would be fantastic and really appreciated. Thank you! – Paul Piper Jul 19 '18 at 15:12