Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 899477

Summary: EWS: decide if jsvc should have capability support
Product: [JBoss] JBoss Enterprise Web Server 2 Reporter: Tomas Hoger <thoger>
Component: tomcat6, tomcat7Assignee: David Knox <dknox>
Status: CLOSED CURRENTRELEASE QA Contact: Libor Fuka <lfuka>
Severity: medium Docs Contact:
Priority: medium    
Version: 2.0.0CC: jclere, jdoyle, lfuka, majoshi, mhasko, mhusnain, mturk, pcheung, pslavice, rsvoboda, weli
Target Milestone: ---Flags: mturk: needinfo-
Target Release: 2.0.1   
Hardware: Unspecified   
OS: Unspecified   
URL: http://jira.jboss.org/jira/browse/JBEWS-371
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
JBoss Enterprise Web Server 2.0's version of jsvc did not include libcap support. Additionally, CVE-2011-2729 prevents the use of libcap support as expected when included. As a result, it is not possible to start Tomcat as a root user and then downgrade it using the Linux capabilities library. The commons daemon code is now fixed and JBoss Enterprise Web Server 2.0.1 includes libcap. As a result, using jsvc now works as expected.
 Story Points: ---
Clone Of: JBEWS-371 Environment:
Last Closed: 2014-01-03 12:58:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2011-08-18 09:17:02 UTC 
++ This bug is a clone of bug 899476 ++

project_key: JBEWS

A flaw was recently reported for apache-/jakarta-commons-daemon jsvc:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2729

It only affected Linux builds that were compiled with libcap support.  While investigating which EWS versions are affected, it was determined that we have libcap support in RHEL-4 version, but not in RHEL-5 and RHEL-6.  It should be determined whether jsvc should be compiled with libcap support or not, and be consistent across RHEL versions (i.e. explicitly disable in .spec file, or add proper BuildRequires to have libcap-devel in RHEL-5 and RHEL-6 buildroots too).

As part of response to CVE-2011-2729, we're disabling libcap support in 1.0.2 RHEL-4 builds, for consistency with RHEL-5/6.
Comment 1 Permaine Cheung 2011-08-18 14:27:17 UTC 
Malden, can you shed some light on whether if we should build with libcap support or not? We should then sync all builds to make sure they all behave in the same manner. Thanks!
Comment 2 Mladen Turk 2011-08-18 16:18:08 UTC 
We should definitely *use* libpcap on linux.
The soution would be to implement the patch [1] instead disabling libpcap!

Using libpcap is truly what jsvc is meant to be used for on unixes and that
is to allow to bind to the port 80 while running as non root user.
Using libcap is also more secure solution cause binding is done after seteuid() call
unlike on other unixes that don't have libcap where it can be done only as root.
So without libcap Tomcat runs as root until initialized and then it switches the user,
while with libcap it runs as target user with elevated privileges and the drops the
capabilities after initialized.

[1] https://svn.apache.org/viewvc/commons/proper/daemon/trunk/src/native/unix/native/jsvc-unix.c?r1=1130635&r2=1152701&view=patch
Comment 3 Jiri Skrabal 2012-11-13 16:27:39 UTC 
Docs QE Status: Removed: NEW
Comment 4 Permaine Cheung 2013-03-21 13:01:24 UTC 
Can we close this as Mladen indicated that we should keep using libcap on linux, and the fix mentioned has been fixed with the patch?
Comment 5 Tomas Hoger 2013-03-21 15:41:39 UTC 
I have not looked what changed since this bug was filed, but at the time only RHEL-4 version had libcap support.  RHEL-5 and RHEL-6 versions did not have it because of missing BuildRequires.  So it seems we should check if all is now built with libcap support before closing.
Comment 6 Weinan Li 2013-03-29 11:26:11 UTC 
I'll check it.
Comment 7 Weinan Li 2013-04-02 15:19:21 UTC 
I've checked EL5/6 source base and:
- R: libcap-devel is found in spec for both branches
 I believe this is correct.

- I've checked the code in sources and seems the source code has changed a lot compared with the patch link you've provided. I've discussed this with Permaine and seems because of the version is newer so the libcap support code has been refactored and it's already included.

- For Windows/Solaris part, here is Mladen's comment:

"We would need to upgrade to daemon-1.0.15
It's been voted today so I'll create ANN message tomorrow.
It has some regression fixes, and no patches would be needed."
Comment 8 Weinan Li 2013-04-02 15:21:49 UTC 
vote for 2.0.1
Comment 9 Michal Haško 2013-04-18 07:51:07 UTC 
Is there any testing that would be needed from QA side?
As QA understands the issue, it is up to devel to assert that jsvc is compiled with libcap support.
Comment 10 Mladen Turk 2013-04-18 13:02:44 UTC 
jsvc is not linked with libcap, rather it dynamically loads it.
However .rpm must ensure that libcap is package dependency so it gets installed if not on the system already
Comment 11 Mandar Joshi 2013-05-16 12:53:59 UTC 
@David, can you provide CCFR
Comment 13 Misha H. Ali 2013-06-01 05:14:33 UTC 
Thank you very much, Jean-Frederic!
Comment 18 Michal Haško 2013-06-07 13:34:16 UTC 
I don't understand this issue very much. What distribution is it related to? RPM, ZIP or both?

Also, what steps should be taken to verify this issue?
Based on comment #2 I think the following scenario should happen:
 1. modify conf/server.xml so that tomcat binds to port 80 instead of 8080
 2. login as a non-root user and start tomcat via jsvc
 3. verify tomcat is binded to port 80 (curl httpd://localhost:80)

I've tried this on ZIP distro (jboss-ews-application-servers-2.0.1-CR1-RHEL6-x86_64.zip):
jsvc command (substitute $TOMCAT with actual tomcat location):
    $TOMCAT/bin/jsvc -showversion
                     -cp $TOMCAT/bin/bootstrap.jar \
                     -outfile $TOMCAT/logs/catalina.out \
                     -errfile $TOMCAT/logs/catalina.err \
                     -pidfile $TOMCAT/tomcat6.pid \
                     -Dcatalina.home=$TOMCAT \
                     -Djava.io.tmpdir=$TOMCAT/temp \
                     -jvm server org.apache.catalina.startup.Bootstrap

but I get the following:
Jun 07, 2013 2:40:09 PM org.apache.coyote.http11.Http11Protocol start
SEVERE: Error starting endpoint
java.net.BindException: Permission denied <null>:80



I've also tried this on RPM (with 8080 as tomcat port just to try if jsvc works):
  /sbin/runuser -s /bin/sh - tomcat \
  -c "/usr/bin/jsvc-eap6/jsvc -showversion
                              -cp /usr/share/tomcat6/bin/bootstrap.jar
                              -outfile /usr/share/tomcat6/logs/catalina.out
                              -errfile /usr/share/tomcat6/logs/catalina.err
                              -pidfile /usr/share/tomcat6/logs/tomcat6.pid
                              -Dcatalina.home=/usr/share/tomcat6
                              -Djava.io.temp=/usr/share/tomcat6/temp
                              -jvm server org.apache.catalina.startup.Bootstrap"

and I am presented with same error:
Jun 07, 2013 9:28:00 AM org.apache.coyote.http11.Http11AprProtocol init
SEVERE: Error initializing endpoint
java.lang.Exception: Socket bind failed: [13] Permission denied
Comment 19 Jean-frederic Clere 2013-06-07 13:50:33 UTC 
jsvc should be run as root.
The libcap stuff is Linux specific it should be in all linux distributions RPM and ZIP.
Comment 20 Michal Haško 2013-06-10 09:02:01 UTC 
VERIFIED on:

tomcat6-6.0.37-3_patch_01.ep6.el5
tomcat7-7.0.40-2_patch_01.ep6.el5

tomcat6-6.0.37-3_patch_01.ep6.el6
tomcat7-7.0.40-1_patch_01.ep6.el6

jboss-ews-application-servers-2.0.1-CR1-RHEL5-i386.zip
jboss-ews-application-servers-2.0.1-CR1-RHEL5-x86_64.zip

jboss-ews-application-servers-2.0.1-CR1-RHEL6-i386.zip
jboss-ews-application-servers-2.0.1-CR1-RHEL6-x86_64.zip
Comment 25 Red Hat Bugzilla 2023-09-14 01:40:21 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days