Bug 899476 (JBEWS-371)

Summary: EWS: decide if jsvc should have capability support
Product: [JBoss] JBoss Enterprise Web Server 1
Reporter: Tomas Hoger <thoger>
Component: unspecified
Assignee: Permaine Cheung <pcheung>
Status: CLOSED EOL
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: EWS 1.0.2
CC: csutherl, mturk, weli
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: http://jira.jboss.org/jira/browse/JBEWS-371
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 899477
Environment:
Last Closed: 2017-08-04 15:03:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Tomas Hoger 2011-08-18 09:17:02 UTC
project_key: JBEWS

A flaw was recently reported for apache-/jakarta-commons-daemon jsvc:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2729

It only affected Linux builds that were compiled with libcap support.  While investigating which EWS versions are affected, it was determined that we have libcap support in RHEL-4 version, but not in RHEL-5 and RHEL-6.  It should be determined whether jsvc should be compiled with libcap support or not, and be consistent across RHEL versions (i.e. explicitly disable in .spec file, or add proper BuildRequires to have libcap-devel in RHEL-5 and RHEL-6 buildroots too).

As part of response to CVE-2011-2729, we're disabling libcap support in 1.0.2 RHEL-4 builds, for consistency with RHEL-5/6.

Comment 1 Permaine Cheung 2011-08-18 14:27:17 UTC
Mladen, can you shed some light on whether we should build with libcap support or not? We should then sync all builds to make sure they all behave in the same manner. Thanks!

Comment 2 Mladen Turk 2011-08-18 16:18:08 UTC
We should definitely *use* libcap on Linux.
The solution would be to implement the patch [1] instead of disabling libcap!

Using libcap is truly what jsvc is meant to be used for on unixes, and that
is to allow binding to port 80 while running as a non-root user.
Using libcap is also the more secure solution because binding is done after the seteuid() call,
unlike on other unixes that don't have libcap, where it can be done only as root.
So without libcap Tomcat runs as root until initialized and then switches the user,
while with libcap it runs as the target user with elevated privileges and then drops the
capabilities after it is initialized.

[1] https://svn.apache.org/viewvc/commons/proper/daemon/trunk/src/native/unix/native/jsvc-unix.c?r1=1130635&r2=1152701&view=patch
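The start-up sequence Mladen describes (keep one capability across the uid switch, bind the privileged port as the target user, then drop the capability) as an added example; this is not jsvc's or commons-daemon's code. It uses the raw capset(2) syscall instead of libcap so it builds without libcap-devel, and it finishes with a self-check of the effective set in /proc/self/status, which is the step a reviewer wants to see rather than a drop call whose result is assumed. Port 80, the user name "tomcat" and the function names are assumptions for illustration.

```c
/* Added example, not jsvc code: capability-based bind-then-drop on Linux.
 * Build: cc -o bindcap bindcap.c ; run as root. Port/user are assumptions. */
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Return the CapEff bitmask from /proc/<pid>/status-style text (16 hex digits),
 * or 0 if the line is missing. */
unsigned long long parse_capeff(const char *status_text)
{
    const char *line = strstr(status_text, "CapEff:");
    if (line == NULL)
        return 0;
    return strtoull(line + strlen("CapEff:"), NULL, 16);
}

/* True if capability number `cap` is set in `mask`. */
int has_cap(unsigned long long mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Read this process's effective capability set from /proc (0 if unreadable). */
unsigned long long current_capeff(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_capeff(buf);
}

/* Set effective/permitted sets (capability numbers 0..31) via raw capset(2);
 * the inheritable set is cleared. Returns 0, or -1 with errno set. */
int set_caps(unsigned int effective, unsigned int permitted)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    data[0].effective = effective;
    data[0].permitted = permitted;
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Drop every capability: the step a daemon must not skip after initializing. */
int drop_all_caps(void)
{
    return set_caps(0, 0);
}

/* Start as root, end as `user` holding a socket bound to `port` and no
 * capabilities. Returns the socket, or -1 with a message on stderr. */
int bind_port_as_user(unsigned short port, const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { fprintf(stderr, "no such user: %s\n", user); return -1; }

    /* 1. Keep the permitted set across setuid(); the kernel still clears
     *    the effective set when the uid leaves 0. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) { perror("prctl"); return -1; }
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {
        perror("setuid"); return -1;
    }
    /* 2. Re-raise only CAP_NET_BIND_SERVICE, then bind as the non-root user. */
    unsigned int bind_only = 1u << CAP_NET_BIND_SERVICE;
    if (set_caps(bind_only, bind_only) != 0) { perror("capset"); return -1; }
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) { perror("bind"); return -1; }

    /* 3. Initialized: drop everything and stop retaining caps. */
    if (drop_all_caps() != 0 || prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) != 0) {
        perror("drop"); close(fd); return -1;
    }
    /* 4. Verify from /proc rather than trusting the call. */
    if (has_cap(current_capeff(), CAP_NET_BIND_SERVICE)) {
        fprintf(stderr, "capabilities not dropped, refusing to continue\n");
        close(fd); return -1;
    }
    return fd;
}

int main(void)
{
    int fd = bind_port_as_user(80, "tomcat");   /* assumed port and user */
    if (fd < 0) return 1;
    printf("bound port 80 as uid %d, CapEff=%016llx\n", (int)getuid(), current_capeff());
    close(fd);
    return 0;
}
```

The order matters: the bind happens after the uid switch, so a bug in the listener setup runs as the target user rather than as root, which is the property Mladen attributes to the libcap build; the final check is what turns "we called the drop routine" into "the effective set is empty".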


Comment 3 Jiri Skrabal 2012-11-13 16:27:39 UTC
Docs QE Status: Removed: NEW