Uploaded image for project: 'JBoss Core Services'
  1. JBoss Core Services
  2. JBCS-151

JSVC not working with EAP 6 when binding to port 80 using a non-root user

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Won't Do
    • Icon: Blocker Blocker
    • None
    • jsvc 1.0.15 DR1
    • jsvc
    • None
    • Compatibility/Configuration, User Experience
    • Hide

      1) change JBoss http port to 80 using CLI
      2) create run_jsvc.sh for starting JBoss using jsvc (see attached)
      3) execute run_jsvc.sh as root, expecting to see JBoss running binding to port with user lyu

      Show
      1) change JBoss http port to 80 using CLI 2) create run_jsvc.sh for starting JBoss using jsvc (see attached) 3) execute run_jsvc.sh as root, expecting to see JBoss running binding to port with user lyu

      Customer would like to use jsvc with JBoss EAP 6 for binding to port 80 and 443 as non-root user. Testing was done using jboss-eap-6.4.0-installer.jar to install jboss 6.4.0, with openjdk and sun jdk and also jboss 6.4.7 with sun jdk only. All the tests failed with the following exception, JBoss was not able to start at port 80 with jsvc:

      13:48:32,944 ERROR [org.apache.coyote.http11.Http11Protocol] (MSC service thread 1-3) JBWEB003043: Error initializing endpoint: java.net.BindException: Permission denied /127.0.0.1:80

      Tom has the following comments

      Created By: Tom Fonteyne (07/09/2016 13:08)
      [private]

      http://git.app.eng.bos.redhat.com/git/apache/commons-daemon.git/

      only has one branch, and no tags.

      checkout remotes/origin/1.0.15.redhat

      then:

      commons-daemon/src/native/unix/native/jsvc-unix.c

      line 832:

          /* Load the service */
    if (java_load(args) != true) {
        log_debug("java_load failed");
        return 3;
    }
    else
        log_debug("java_load done");

    /* Downgrade user */
#ifdef OS_LINUX
    if (args->user && set_caps(0) != 0) {
        log_debug("set_caps (0) failed");
        return 4;
    }
#else
    if (set_user_group(args->user, uid, gid) != 0)
        return 4;
#endif

    /* Start the service */
    umask(envmask);
    if (java_start() != true) {
        log_debug("java_start failed");
        return 5;
    }
    else
        log_debug("java_start done");

      So Java gets loaded, capabilities get withdrawn, java starts.

      Double check "/proc/<pid>/status and its easy to see that the capabilities have not been inherited.

      Test 1: remove the set_cap(0)
      => port 80 works (obviously)
      => /proc/<pid>/status shows that the process still has the caps set (again, obviously) => not good as not secure.

      Solution:

          /* Load the service */
    if (java_load(args) != true) {
        log_debug("java_load failed");
        return 3;
    }
    else
        log_debug("java_load done");

    /* Start the service */
    umask(envmask);
    if (java_start() != true) {
        log_debug("java_start failed");
        return 5;
    }
    else
        log_debug("java_start done");

    /* Downgrade user */
#ifdef OS_LINUX
    if (args->user && set_caps(0) != 0) {
        log_debug("set_caps (0) failed");
        return 4;
    }
#else
    if (set_user_group(args->user, uid, gid) != 0)
        return 4;
#endif

      Now port 80 works, but more importantly /prov/<pid>/status shows that the caps have been correctly/securely removed.

      Note: there is no need to use the shell command "setcap" to modify jsvc or java itself !

      Also note: rather obviously this still means you need to start jsvc as "root" with a "-user" setting to get EAP running as a non-root user.

        1. run_jsvc.sh
          1 kB

              rhn-support-csutherl Coty Sutherland
              rhn-support-leiyu Lei Yu (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: