Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1373987

Summary: [GSS](6.4.z) jsvc not working with EAP 6 when binding to port 80 using a non-root user
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Lei Yu <leiyu>
Component: jbossasAssignee: Petr Jurak <pjurak>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: 6.4.9CC: bmaxwell, fnasser, jason.greene, pjurak, tfonteyn
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
RHEL 6, Fedora 23
Last Closed: 2017-06-21 06:51:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
run_jsvc.sh none

Description Lei Yu 2016-09-07 15:39:22 UTC 
Created attachment 1198771 [details]
run_jsvc.sh

Description of problem:

Customer would like to use jsvc with JBoss EAP 6 for binding to port 80 and 443 as non-root user. Testing was done using jboss-eap-6.4.0-installer.jar to install jboss 6.4.0, with openjdk and sun jdk and also jboss 6.4.7 with sun jdk only. All the tests failed with the following exception, JBoss was not able to start at port 80 with jsvc:
============================ error message =============================
13:48:32,944 ERROR [org.apache.coyote.http11.Http11Protocol] (MSC service thread 1-3) JBWEB003043: Error initializing endpoint: java.net.BindException: Permission denied /127.0.0.1:80
========================================================================

Version-Release number of selected component (if applicable):

jsvc 1.0.15 DR1 

How reproducible:

Always

Steps to Reproduce:

1) change JBoss http port to 80 using CLI
2) create run_jsvc.sh for starting JBoss using jsvc (see attached)
3) execute run_jsvc.sh as root, expecting to see JBoss running binding to port with user jboss

Actual results:

Error initializing endpoint: java.net.BindException: Permission denied /127.0.0.1:80

Expected results:

JBoss running as user jboss without errors

Additional info:

Tom has the following comments

Created By: Tom Fonteyne  (07/09/2016 13:08)
[private]

http://git.app.eng.bos.redhat.com/git/apache/commons-daemon.git/

only has one branch, and no tags.

checkout remotes/origin/1.0.15.redhat

then:

commons-daemon/src/native/unix/native/jsvc-unix.c

line 832:

    /* Load the service */
    if (java_load(args) != true) {
        log_debug("java_load failed");
        return 3;
    }
    else
        log_debug("java_load done");

    /* Downgrade user */
#ifdef OS_LINUX
    if (args->user && set_caps(0) != 0) {
        log_debug("set_caps (0) failed");
        return 4;
    }
#else
    if (set_user_group(args->user, uid, gid) != 0)
        return 4;
#endif

    /* Start the service */
    umask(envmask);
    if (java_start() != true) {
        log_debug("java_start failed");
        return 5;
    }
    else
        log_debug("java_start done");
...

So Java gets loaded, capabilities get withdrawn, java starts.

Double check "/proc/<pid>/status   and its easy to see that the capabilities have not been inherited.

Test 1: remove the set_cap(0)
=> port 80 works (obviously)
=> /proc/<pid>/status   shows that the process still has the caps set (again, obviously) => not good as not secure.

Solution:

    /* Load the service */
    if (java_load(args) != true) {
        log_debug("java_load failed");
        return 3;
    }
    else
        log_debug("java_load done");

    /* Start the service */
    umask(envmask);
    if (java_start() != true) {
        log_debug("java_start failed");
        return 5;
    }
    else
        log_debug("java_start done");

    /* Downgrade user */
#ifdef OS_LINUX
    if (args->user && set_caps(0) != 0) {
        log_debug("set_caps (0) failed");
        return 4;
    }
#else
    if (set_user_group(args->user, uid, gid) != 0)
        return 4;
#endif

Now port 80 works, but more importantly /prov/<pid>/status   shows that the caps have been correctly/securely removed.


Note: there is no need to use the shell command "setcap" to modify jsvc or java itself !

Also note: rather obviously this still means you need to start jsvc as "root" with a "-user" setting to get EAP running as a non-root user.
Comment 1 JBoss JIRA Server 2016-10-07 12:23:14 UTC 
Coty Sutherland <csutherl> updated the status of jira JBCS-151 to Closed