AUTHBIND is incorrectly configured to run Tomcat7 on port 80 or 443
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tomcat7 (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Setting AUTHBIND=yes in /etc/default/
The problem is the file /etc/authbind/
0.0.0.0/0:1,1023
This only authorizes IPv4 addresses, but fails as Tomcat will typically bind to IPv4 and IPv6.
Authorizing the port range 1-1023 will not work for ports 512-1023 as the authbind man page says 512-1023 are more dangerous so require the file name to start with "!" (presumably byuid/!105).
A much better approach is to authorize Tomcat for only ports 80 (http) and 443 (https). I am sure that covers 99.999999% of use of ports <1024 so it is more secure not to authorize more.
The permissions on the file are wrong. The file only needs to be readable by root. It should not be writeable by tomcat7. That gives tomcat7 the ability to change the file to use any port <1024. The confusion is because files in /etc/authbind/
SOLUTION
The file /etc/authbind/
-rw------- 1 root root 44 Apr 11 12:30 /etc/authbind/
It should have the following content (authorizing use of ports 80 and 443 on any IPv6 or IPv4 interface):
::/0,80
::/0,443
0.0.0.0/0,80
0.0.0.0/0,443
This file should be created by the tomcat7 post-install script: /var/lib/
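The following audit script is an added example (not from the bug report or the tomcat7 package) that checks an authbind byuid file for the two problems described above: a file writable by someone other than root, and a blanket port range instead of single-port entries for 80 and 443 on both 0.0.0.0/0 and ::/0. It assumes GNU stat as shipped on Ubuntu; the optional OWNER argument exists only so the constructed demo can run as a non-root user.

```sh
#!/bin/sh
# check_authbind_file FILE [OWNER]: prints each finding and returns 0 only
# when FILE is owned by OWNER (default root), writable by nobody else, and
# holds exactly the four single-port entries for 80 and 443.
check_authbind_file() {
    f=$1; want_owner=${2:-root}; rc=0
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    owner=$(stat -c '%U' "$f"); perms=$(stat -c '%a' "$f")
    [ "$owner" = "$want_owner" ] || { echo "$f: owned by $owner, expected $want_owner"; rc=1; }
    # last octal digit = other, the one before it = group; 2/3/6/7 carry the w bit
    case "$perms" in *[2367]) echo "$f: world-writable ($perms)"; rc=1;; esac
    case "${perms%?}" in *[2367]) echo "$f: group-writable ($perms)"; rc=1;; esac
    for want in '::/0,80' '::/0,443' '0.0.0.0/0,80' '0.0.0.0/0,443'; do
        grep -qx "$want" "$f" || { echo "$f: missing entry $want"; rc=1; }
    done
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) ;;                      # blank or comment line
            # addr/len:min,max is the range form; requiring the slash first
            # keeps the colons of an IPv6 address from matching
            */*:*,*) echo "$f: range '$line' authorizes more than 80/443"; rc=1;;
            */*,80|*/*,443) ;;               # the only entries tomcat7 needs
            *) echo "$f: unexpected entry '$line'"; rc=1;;
        esac
    done < "$f"
    return $rc
}

# Constructed demo: a shipped-style file (mode 666, IPv4-only range) next
# to the corrected one, both owned by whoever runs the script.
demo() {
    d=$(mktemp -d)
    printf '0.0.0.0/0:1,1023\n' > "$d/shipped"; chmod 666 "$d/shipped"
    printf '%s\n' '::/0,80' '::/0,443' '0.0.0.0/0,80' '0.0.0.0/0,443' > "$d/fixed"
    chmod 600 "$d/fixed"
    me=$(id -un)
    check_authbind_file "$d/shipped" "$me" || echo "shipped: FAIL (expected)"
    check_authbind_file "$d/fixed" "$me" && echo "fixed: OK"
    rm -rf "$d"
}
```

Run `demo` to see the shipped-style file flagged on ownership, mode, and content while the corrected file passes.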
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: tomcat7 7.0.52-1ubuntu0.1
Uname: Linux 3.13.0-49-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.8
Architecture: amd64
Date: Sun Apr 12 19:29:46 2015
InstallationDate: Installed on 2014-08-06 (249 days ago)
InstallationMedia: Ubuntu-Server 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.3)
SourcePackage: tomcat7
UpgradeStatus: No upgrade log present (probably fresh install)
The file /etc/authbind/byuid/105 can be readable by anyone (-rw-r--r-- root root). It just should only be writeable by root.