Created attachment 1198771
run_jsvc.sh

Description of problem:
Customer would like to use jsvc with JBoss EAP 6 for binding to port 80 and 443 as a non-root user. Testing was done using jboss-eap-6.4.0-installer.jar to install jboss 6.4.0, with openjdk and sun jdk and also jboss 6.4.7 with sun jdk only. All the tests failed with the following exception, JBoss was not able to start at port 80 with jsvc:

============================ error message =============================
13:48:32,944 ERROR [org.apache.coyote.http11.Http11Protocol] (MSC service thread 1-3) JBWEB003043: Error initializing endpoint: java.net.BindException: Permission denied /127.0.0.1:80
========================================================================

Version-Release number of selected component (if applicable):
jsvc 1.0.15 DR1

How reproducible:
Always

Steps to Reproduce:
1) change JBoss http port to 80 using CLI
2) create run_jsvc.sh for starting JBoss using jsvc (see attached)
3) execute run_jsvc.sh as root, expecting to see JBoss running binding to port with user jboss

Actual results:
Error initializing endpoint: java.net.BindException: Permission denied /127.0.0.1:80

Expected results:
JBoss running as user jboss without errors

Additional info:
Tom has the following comments

Created By: Tom Fonteyne (07/09/2016 13:08) [private]

http://git.app.eng.bos.redhat.com/git/apache/commons-daemon.git/ only has one branch, and no tags.
checkout remotes/origin/1.0.15.redhat

then:

commons-daemon/src/native/unix/native/jsvc-unix.c line 832:

    /* Load the service */
    if (java_load(args) != true) {
        log_debug("java_load failed");
        return 3;
    }
    else
        log_debug("java_load done");

    /* Downgrade user */
    #ifdef OS_LINUX
    if (args->user && set_caps(0) != 0) {
        log_debug("set_caps (0) failed");
        return 4;
    }
    #else
    if (set_user_group(args->user, uid, gid) != 0)
        return 4;
    #endif

    /* Start the service */
    umask(envmask);
    if (java_start() != true) {
        log_debug("java_start failed");
        return 5;
    }
    else
        log_debug("java_start done");
    ...

So Java gets loaded, capabilities get withdrawn, java starts.

Double check "/proc/<pid>/status" and it's easy to see that the capabilities have not been inherited.

Test 1: remove the set_caps(0)
=> port 80 works (obviously)
=> /proc/<pid>/status shows that the process still has the caps set (again, obviously)
=> not good as not secure.

Solution:

    /* Load the service */
    if (java_load(args) != true) {
        log_debug("java_load failed");
        return 3;
    }
    else
        log_debug("java_load done");

    /* Start the service */
    umask(envmask);
    if (java_start() != true) {
        log_debug("java_start failed");
        return 5;
    }
    else
        log_debug("java_start done");

    /* Downgrade user */
    #ifdef OS_LINUX
    if (args->user && set_caps(0) != 0) {
        log_debug("set_caps (0) failed");
        return 4;
    }
    #else
    if (set_user_group(args->user, uid, gid) != 0)
        return 4;
    #endif

Now port 80 works, but more importantly /proc/<pid>/status shows that the caps have been correctly/securely removed.

Note: there is no need to use the shell command "setcap" to modify jsvc or java itself!

Also note: rather obviously this still means you need to start jsvc as "root" with a "-user" setting to get EAP running as a non-root user.
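The /proc/<pid>/status check used in the comment above, written out as an added example (not part of the bug report or of commons-daemon). The function names and the two sample status texts are constructed for illustration; bit 10 is CAP_NET_BIND_SERVICE in <linux/capability.h>.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CAP_NET_BIND_SERVICE_BIT 10 /* value from <linux/capability.h> */

/* Constructed samples of /proc/<pid>/status content, not taken from the report. */
static const char SAMPLE_RETAINED[] = "Name:\tjsvc\nCapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\nCapBnd:\t0000003fffffffff\n";
static const char SAMPLE_DROPPED[] = "Name:\tjsvc\nCapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t0000003fffffffff\n";

/* Store the hex mask of one "CapXxx:" line; -1 if the field is absent or nothing parses after it. */
static int cap_field(const char *status, const char *field, unsigned long long *mask)
{
    size_t n = strlen(field);
    const char *p = strstr(status, field);
    while (p && !((p == status || p[-1] == '\n') && p[n] == ':'))
        p = strstr(p + 1, field);   /* only accept a match at the start of a line */
    if (!p) return -1;
    char *end;
    *mask = strtoull(p + n + 1, &end, 16);
    return end == p + n + 1 ? -1 : 0;
}

/* 1 if CapInh, CapPrm or CapEff still carries CAP_NET_BIND_SERVICE, 0 if none does, -1 on parse error. */
static int cap_net_bind_held(const char *status)
{
    static const char *fields[] = { "CapInh", "CapPrm", "CapEff" };
    unsigned long long mask;
    for (size_t i = 0; i < 3; i++) {
        if (cap_field(status, fields[i], &mask) != 0) return -1;
        if (mask & (1ULL << CAP_NET_BIND_SERVICE_BIT)) return 1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char path[64], buf[8192];
    if (argc < 2)  /* no PID given: self-check on the constructed samples */
        return cap_net_bind_held(SAMPLE_RETAINED) == 1 && cap_net_bind_held(SAMPLE_DROPPED) == 0 ? 0 : 1;
    snprintf(path, sizeof path, "/proc/%s/status", argv[1]);
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 2; }
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    int r = cap_net_bind_held(buf);
    printf("CAP_NET_BIND_SERVICE %s\n", r == 1 ? "still held" : r == 0 ? "dropped" : "not parsed");
    return r == 0 ? 0 : 1;
}
```

Run it with the PID of the started java process as the only argument; exit status 0 means none of the three sets still contains the capability.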
Coty Sutherland <csutherl> updated the status of jira JBCS-151 to Closed