++ This bug is a clone of bug 899476 ++ project_key: JBEWS A flaw was recently reported for apache-/jakarta-commons-daemon jsvc: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2729 It only affected Linux builds that were compiled with libcap support. While investigating which EWS versions are affected, it was determined that we have libcap support in RHEL-4 version, but not in RHEL-5 and RHEL-6. It should be determined whether jsvc should be compiled with libcap support or not, and be consistent across RHEL versions (i.e. explicitly disable in .spec file, or add proper BuildRequires to have libcap-devel in RHEL-5 and RHEL-6 buildroots too). As part of response to CVE-2011-2729, we're disabling libcap support in 1.0.2 RHEL-4 builds, for consistency with RHEL-5/6.
Malden, can you shed some light on whether if we should build with libcap support or not? We should then sync all builds to make sure they all behave in the same manner. Thanks!
We should definitely *use* libpcap on linux. The soution would be to implement the patch [1] instead disabling libpcap! Using libpcap is truly what jsvc is meant to be used for on unixes and that is to allow to bind to the port 80 while running as non root user. Using libcap is also more secure solution cause binding is done after seteuid() call unlike on other unixes that don't have libcap where it can be done only as root. So without libcap Tomcat runs as root until initialized and then it switches the user, while with libcap it runs as target user with elevated privileges and the drops the capabilities after initialized. [1] https://svn.apache.org/viewvc/commons/proper/daemon/trunk/src/native/unix/native/jsvc-unix.c?r1=1130635&r2=1152701&view=patch
Docs QE Status: Removed: NEW
Can we close this as Mladen indicated that we should keep using libcap on linux, and the fix mentioned has been fixed with the patch?
I have not looked what changed since this bug was filed, but at the time only RHEL-4 version had libcap support. RHEL-5 and RHEL-6 versions did not have it because of missing BuildRequires. So it seems we should check if all is now built with libcap support before closing.
I'll check it.
I've checked EL5/6 source base and: - R: libcap-devel is found in spec for both branches I believe this is correct. - I've checked the code in sources and seems the source code has changed a lot compared with the patch link you've provided. I've discussed this with Permaine and seems because of the version is newer so the libcap support code has been refactored and it's already included. - For Windows/Solaris part, here is Mladen's comment: "We would need to upgrade to daemon-1.0.15 It's been voted today so I'll create ANN message tomorrow. It has some regression fixes, and no patches would be needed."
vote for 2.0.1
Is there any testing that would be needed from QA side? As QA understands the issue, it is up to devel to assert that jsvc is compiled with libcap support.
jsvc is not linked with libcap, rather it dynamically loads it. However .rpm must ensure that libcap is package dependency so it gets installed if not on the system already
@David, can you provide CCFR
Thank you very much, Jean-Frederic!
I don't understand this issue very much. What distribution is it related to? RPM, ZIP or both? Also, what steps should be taken to verify this issue? Based on comment #2 I think the following scenario should happen: 1. modify conf/server.xml so that tomcat binds to port 80 instead of 8080 2. login as a non-root user and start tomcat via jsvc 3. verify tomcat is binded to port 80 (curl httpd://localhost:80) I've tried this on ZIP distro (jboss-ews-application-servers-2.0.1-CR1-RHEL6-x86_64.zip): jsvc command (substitute $TOMCAT with actual tomcat location): $TOMCAT/bin/jsvc -showversion -cp $TOMCAT/bin/bootstrap.jar \ -outfile $TOMCAT/logs/catalina.out \ -errfile $TOMCAT/logs/catalina.err \ -pidfile $TOMCAT/tomcat6.pid \ -Dcatalina.home=$TOMCAT \ -Djava.io.tmpdir=$TOMCAT/temp \ -jvm server org.apache.catalina.startup.Bootstrap but I get the following: Jun 07, 2013 2:40:09 PM org.apache.coyote.http11.Http11Protocol start SEVERE: Error starting endpoint java.net.BindException: Permission denied <null>:80 I've also tried this on RPM (with 8080 as tomcat port just to try if jsvc works): /sbin/runuser -s /bin/sh - tomcat \ -c "/usr/bin/jsvc-eap6/jsvc -showversion -cp /usr/share/tomcat6/bin/bootstrap.jar -outfile /usr/share/tomcat6/logs/catalina.out -errfile /usr/share/tomcat6/logs/catalina.err -pidfile /usr/share/tomcat6/logs/tomcat6.pid -Dcatalina.home=/usr/share/tomcat6 -Djava.io.temp=/usr/share/tomcat6/temp -jvm server org.apache.catalina.startup.Bootstrap" and I am presented with same error: Jun 07, 2013 9:28:00 AM org.apache.coyote.http11.Http11AprProtocol init SEVERE: Error initializing endpoint java.lang.Exception: Socket bind failed: [13] Permission denied
jsvc should be run as root. The libcap stuff is Linux specific it should be in all linux distributions RPM and ZIP.
VERIFIED on: tomcat6-6.0.37-3_patch_01.ep6.el5 tomcat7-7.0.40-2_patch_01.ep6.el5 tomcat6-6.0.37-3_patch_01.ep6.el6 tomcat7-7.0.40-1_patch_01.ep6.el6 jboss-ews-application-servers-2.0.1-CR1-RHEL5-i386.zip jboss-ews-application-servers-2.0.1-CR1-RHEL5-x86_64.zip jboss-ews-application-servers-2.0.1-CR1-RHEL6-i386.zip jboss-ews-application-servers-2.0.1-CR1-RHEL6-x86_64.zip
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days