AUTHBIND is incorrectly configured to run Tomcat7 on port 80 or 443

Bug #1443041 reported by James Manger on 2015-04-12
Affects: tomcat7 (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

Setting AUTHBIND=yes in /etc/default/tomcat7 should allow Tomcat to listen on port 80 and/or 443 (when configured to do so in /etc/tomcat7/server.xml). However, it does not work.

The problem is the file /etc/authbind/byuid/105, which is created by the tomcat7 post-install script (/var/lib/dpkg/info/tomcat7.postinst lines 57-68). The content is:
  0.0.0.0/0:1,1023

This only authorizes IPv4 addresses, but fails as Tomcat will typically bind to IPv4 and IPv6.

Authorizing the port range 1-1023 will not work for ports 512-1023 as the authbind man page says 512-1023 are more dangerous so require the file name to start with "!" (presumably byuid/!105).

A much better approach is to authorize Tomcat for only ports 80 (http) and 443 (https). I am sure that covers 99.999999% of use of ports <1024 so it is more secure not to authorize more.

The permissions on the file are wrong. The file only needs to be readable by root. It should not be writeable by tomcat7. That gives tomcat7 the ability to change the file to use any port <1024. The confusion is because files in /etc/authbind/byport/ (and byaddr/) do need to be owned by the relevant user because it is the existence (not content) of those files that conveys authority.

SOLUTION
The file /etc/authbind/byuid/105 (where 105 is the UID for the tomcat7 user) should have the following permissions:

-rw------- 1 root root 44 Apr 11 12:30 /etc/authbind/byuid/105

It should have the following content (authorizing use of ports 80 and 443 for any IPv6 or IPv4 interface):

::/0,80
::/0,443
0.0.0.0/0,80
0.0.0.0/0,443

This file should be created by the tomcat7 post-install script: /var/lib/dpkg/info/tomcat7.postinst.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: tomcat7 7.0.52-1ubuntu0.1
ProcVersionSignature: Ubuntu 3.13.0-49.81-generic 3.13.11-ckt17
Uname: Linux 3.13.0-49-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.8
Architecture: amd64
Date: Sun Apr 12 19:29:46 2015
InstallationDate: Installed on 2014-08-06 (249 days ago)
InstallationMedia: Ubuntu-Server 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.3)
PackageArchitecture: all
SourcePackage: tomcat7
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.tomcat7.server.xml: [modified]
modified.conffile..etc.tomcat7.tomcat.users.xml: [inaccessible: [Errno 13] Permission denied: '/etc/tomcat7/tomcat-users.xml']
mtime.conffile..etc.tomcat7.server.xml: 2015-04-10T17:49:05.456785
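The following script is an added example, not code from the bug report or from the tomcat7 package's postinst. It builds a byuid file with the layout the report recommends (one IPv6 and one IPv4 entry per port, mode 0600, owned by root when run as root) and audits an existing byuid file for the three problems the report describes: a group/other write bit, the absence of any IPv6 entry, and an entry whose port range reaches 512-1023 (which, on the report's reading of the authbind man page, belongs in the "!"-prefixed file instead). The AUTHBIND_ROOT variable is an assumed knob so the script can be exercised against a scratch directory; the two line formats it parses, `addr/len:min,max` and `addr/len,port`, are the ones that appear on this page.

```shell
#!/bin/sh
# Added example (not from the bug report or the tomcat7 package): write an
# /etc/authbind/byuid/<uid> file as the report recommends, and audit one.
# AUTHBIND_ROOT is an assumed knob so this can run against a scratch
# directory instead of the real /etc/authbind.
AUTHBIND_ROOT="${AUTHBIND_ROOT:-/etc/authbind}"

# write_byuid UID PORT... : authorize UID for each PORT on any IPv6 and any
# IPv4 interface; file is 0600 and chown'ed to root:root when run as root.
write_byuid() {
  uid="$1"; shift
  [ $# -gt 0 ] || { echo "write_byuid: no ports given" >&2; return 2; }
  for port in "$@"; do
    case "$port" in ''|*[!0-9]*) echo "write_byuid: bad port '$port'" >&2; return 2 ;; esac
  done
  f="$AUTHBIND_ROOT/byuid/$uid"
  mkdir -p "$AUTHBIND_ROOT/byuid"
  # Create the file with restrictive bits from the start; the subshell keeps
  # the umask change from leaking into the caller.
  ( umask 077 && : > "$f" )
  for port in "$@"; do printf '::/0,%s\n' "$port" >> "$f"; done
  for port in "$@"; do printf '0.0.0.0/0,%s\n' "$port" >> "$f"; done
  chmod 0600 "$f"
  if [ "$(id -u)" -eq 0 ]; then chown root:root "$f"; fi
  echo "$f"
}

# audit_byuid FILE : print one finding per line; exit 0 only if there are none.
# Findings: (1) writable by group or others, (2) an entry that reaches ports
# 512-1023 (needs the "!"-prefixed file per the report), (3) no IPv6 entry.
audit_byuid() {
  f="$1"; findings=0; seen6=0
  [ -f "$f" ] || { echo "missing: $f"; return 1; }
  perm=$(ls -ld "$f" | cut -c1-10)        # e.g. -rw-r--r--
  case "$perm" in
    ?????w????|????????w?)                 # group write (col 6) or other write (col 9)
      echo "writable by group or others ($perm)"; findings=$((findings+1)) ;;
  esac
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    addr=${line%%/*}                       # address before the prefix length
    rest=${line#*/}                        # "0:1,1023" (range) or "0,80" (port)
    case "$addr" in *:*) seen6=1 ;; esac   # any colon in the address => IPv6
    case "$rest" in
      *:*) hi=${rest#*:}; hi=${hi#*,} ;;   # addr/len:min,max -> max
      *)   hi=${rest#*,} ;;                # addr/len,port    -> port
    esac
    case "$hi" in
      ''|*[!0-9]*) echo "unparseable line: $line"; findings=$((findings+1)); continue ;;
    esac
    if [ "$hi" -ge 512 ]; then
      echo "entry reaches port $hi (>=512): $line"; findings=$((findings+1))
    fi
  done < "$f"
  [ "$seen6" -eq 1 ] || { echo "no IPv6 entry: IPv6 binds will fail"; findings=$((findings+1)); }
  [ "$findings" -eq 0 ]
}
```

Run as root with AUTHBIND_ROOT unset to target /etc/authbind; `write_byuid 105 80 443` produces the four-line file from the SOLUTION section, and `audit_byuid /etc/authbind/byuid/105` against the original `0.0.0.0/0:1,1023` file reports all three findings. The range finding is informational on a system where the maintainer has deliberately kept the 1-1023 range.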

James Manger (james-h-manger) wrote :

The file /etc/authbind/byuid/105 can be readable by anyone (-rw-r--r-- root root). It just should only be writeable by root.

Emmanuel Bourg (ebourg) wrote :

Thank you for the report James, the IPv6 fix has been applied in Debian for tomcat7 (>> 7.0.63-1) and tomcat8 (>> 8.0.24-1). The authbind file was already installed with chmod 700, so nothing to change here. I have left the port range as is to avoid breaking existing installations, but we can still reevaluate this for tomcat9.

Changed in tomcat7 (Ubuntu):
status: New → In Progress

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat7 - 7.0.64-1

---------------
tomcat7 (7.0.64-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Install the missing WebSocket jars in /usr/share/tomcat7/lib/
    (Closes: #787220, LP: #1326687)
  * Changed the authbind configuration to allow IPv6 connections (LP: #1443041)
  * Fixed an upgrade error when /etc/tomcat7/tomcat-users.xml is removed
    (LP: #1010791)
  * Fixed a minor HTML error in the default index.html file (LP: #1236132)

 -- Emmanuel Bourg <email address hidden> Fri, 28 Aug 2015 09:47:33 +0200

Changed in tomcat7 (Ubuntu):
status: In Progress → Fix Released