Lucid Lynx authbind defaults too restrictive

Bug #594989 reported by Tom
Affects: tomcat6 (Ubuntu) | Status: Fix Released | Importance: Wishlist | Assigned to: Thierry Carrez

Bug Description

Binary package hint: tomcat6

Description: Ubuntu 10.04 LTS
Release: 10.04
package: tomcat6 version 6.0.24-2ubuntu1

Bug:

To use Tomcat6 on a port below 1023, one has to use authbind. However, /etc/authbind/byuid/106 (the default uid for the tomcat6 user is 106; could be any other number) contains the following:

0.0.0.0/32:1,1023

Which means it's possible to bind to ALL interfaces, but rules out binding to specific addresses (using Tomcat's <Connector address=...> mechanism). This seems to be incorrect; surely the latter is inherently part of the former and should also be allowed.

I would suggest changing it to

0.0.0.0/0:1,1023

Or, at the very least, to amend the comments in /etc/defaults/tomcat6 to indicate that authbind needs to be specifically told if only specific addresses need to be bound to.

Otherwise, one can spend a very long time trying to find out why one gets "Protocol handler start failed: java.net.SocketException: No such file or directory" errors.
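To make the difference between the two byuid lines concrete, here is an added example (not part of this bug report or of the tomcat6 package) that evaluates authbind-style byuid rules against a requested bind address and port. It assumes the IPv4 `addr/prefixlen:minport,maxport` line form shown above (single-port `addr:port` lines are also accepted), and models the match as "the first prefixlen bits of the bind address equal those of the rule address, and the port lies in the range"; the two rule sets are constructed sample data, not the contents of any real /etc/authbind/byuid file.

```python
import ipaddress

# Constructed sample byuid contents: the shipped line from the report and the
# proposed replacement. Assumption: IPv4 rules only, one rule per line.
RESTRICTIVE_RULES = "0.0.0.0/32:1,1023\n"   # as shipped in /etc/authbind/byuid/<uid>
PERMISSIVE_RULES = "0.0.0.0/0:1,1023\n"     # the change suggested in the report


def parse_rules(text):
    """Parse byuid lines into (network, minport, maxport) tuples.

    Accepts 'addr/len:min,max' and 'addr:port'. Blank lines and '#' comments
    are skipped. A bare address without '/len' is treated as a /32 host rule.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr_part, _, port_part = line.rpartition(":")
        if "/" not in addr_part:
            addr_part += "/32"
        # strict=False keeps only the first 'len' bits, matching prefix semantics.
        network = ipaddress.ip_network(addr_part, strict=False)
        if "," in port_part:
            lo, hi = (int(p) for p in port_part.split(",", 1))
        else:
            lo = hi = int(port_part)
        rules.append((network, lo, hi))
    return rules


def bind_allowed(rules, address, port):
    """True if at least one rule covers both the address prefix and the port."""
    ip = ipaddress.ip_address(address)
    return any(ip in net and lo <= port <= hi for net, lo, hi in rules)


def check(rules_text, address, port):
    """Convenience wrapper: parse the rule text and test one bind request."""
    return bind_allowed(parse_rules(rules_text), address, port)


if __name__ == "__main__":
    # The wildcard bind works under both rule sets...
    print("0.0.0.0/32, bind 0.0.0.0:80      ->", check(RESTRICTIVE_RULES, "0.0.0.0", 80))
    # ...but <Connector address="192.168.1.10"> only matches the /0 rule.
    print("0.0.0.0/32, bind 192.168.1.10:80 ->", check(RESTRICTIVE_RULES, "192.168.1.10", 80))
    print("0.0.0.0/0,  bind 192.168.1.10:80 ->", check(PERMISSIVE_RULES, "192.168.1.10", 80))
    # Ports outside the listed range are never granted, whatever the prefix.
    print("0.0.0.0/0,  bind 192.168.1.10:8080 ->", check(PERMISSIVE_RULES, "192.168.1.10", 8080))
```

With the `/32` prefix the rule matches exactly one address, `0.0.0.0` (the "any" wildcard), so a Connector pinned to a specific interface address is refused; with `/0` every IPv4 address matches and the port range becomes the only constraint. When debugging the SocketException quoted in the report, evaluating the byuid file this way is quicker than guessing at the Tomcat side.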

Thierry Carrez (ttx)
Changed in tomcat6 (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Jason Brittain (jason-brittain) wrote :

Tom:

That is in fact the behaviour I meant to configure authbind to allow -- I wanted to allow the Tomcat JVM to bind to privileged ports on any address on any NIC of the machine on which Tomcat runs. So, a network prefix of 0 is what it should use, instead of 32. Thanks for spotting that!

Thierry Carrez (ttx)
Changed in tomcat6 (Ubuntu):
importance: Wishlist → Medium
status: Confirmed → Triaged
Thierry Carrez (ttx) wrote :

Fix committed to debian java-svn

Changed in tomcat6 (Ubuntu):
assignee: nobody → Thierry Carrez (ttx)
status: Triaged → Fix Committed
importance: Medium → Wishlist
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.26-5

---------------
tomcat6 (6.0.26-5) unstable; urgency=medium

  * Convert patches to dep3 format.
  * Backport security fix from trunk to fix CVE-2010-1157. (Closes: #587447)
  * Set urgency to medium due to the security fix.

tomcat6 (6.0.26-4) unstable; urgency=low

  [ Thierry Carrez ]
  * Fix issues preventing from running Tomcat6 with a security manager:
    - debian/tomcat6.init: Remove duplicate securitymanager options.
    - debian/patches/catalina-sh-security-manager.patch: Use the right
      location for the security.policy file in catalina.sh.
    - Closes: #585379, LP: #591802. Thanks to Jeff Turner for the original
      patches and to Adam Guthrie for the Lucid debdiff.
  * Allow binding to any interface when using authbind, rather than only allow
    binding to all (LP: #594989)
  * Force backgrounding of catalina.sh in start-stop-daemon, to allow the init
    script to be started through ssh -t (LP: #588481)

  [ Torsten Werner ]
  * Remove Paul from Uploaders list.
 -- Thierry Carrez <email address hidden> Tue, 13 Jul 2010 17:56:11 +0100

Changed in tomcat6 (Ubuntu):
status: Fix Committed → Fix Released