[Bug 538871] [NEW] authbind fail on IPv6

BJB bugeaud at gmail.com
Sun Mar 14 23:49:11 GMT 2010 

Public bug reported:

Binary package hint: authbind

Hello,

I think this package does not work with IPv6.

The problem is that a lot of server depend on this. For instance, most
Java based server running standard service (say a HTTPD, a SMTPD, etc)
on standard port (priviledged port) depend on this package to be able to
work.

At this time, there is no way to run such a server on Linux without deactivating the IPv6 feature.
(setcap is not working as well, FYI because generally speaking it has no "deep")

This is issue is blocking as the only workaround is to do a NAT port
forward (untested) that is not a clean solution IMHO.

Here are the steps :

adduser -system glassfish

Then add various "flag" like :

/etc/authbind/byport is :
-rwxr----- 1 glassfish admin 0 2010-03-14 18:04 443
-rwxr----- 1 glassfish admin 0 2010-03-13 23:05 80
/etc/authbind/byaddr is :
-rwxr----- 1 glassfish admin 0 2010-03-14 22:10 ::
-rwxr----- 1 glassfish admin 0 2010-03-14 22:09 0.0.0.0
-rwxr----- 1 glassfish admin 0 2010-03-15 00:21 ::1

I also have byuid set to check (does not change the result as well)

Here are the tests :

sudo -u glassfish authbind --deep nc -l 0.0.0.0  80
> work :)
sudo -u glassfish authbind --deep nc -l localhost  80
> work :)
sudo -u glassfish authbind --deep nc -l 127.0.0.1  80
> work :)
sudo -u glassfish authbind --deep nc -l :: 80
nc: Permission denied
sudo -u glassfish authbind --deep nc -l ::1 80
nc: Permission denied
sudo -u glassfish authbind --deep nc6 -l -p 80
nc6: bind to source :: 80 failed: Permission non accordée (aka failed !)


FYI, I have tried with byport + byaddr + byuid, all of them fail on IPv6 but succeed on IPv4.


Description:    Ubuntu 9.10
Release:        9.10

authbind:
  Installed : 1.2.0build2
  Candidate : 1.2.0build2
 Version table
 *** 1.2.0build2 0
        500 http://fr.archive.ubuntu.com karmic/main Packages
        100 /var/lib/dpkg/status

By the way it would be cool if the authbind feature would be introduced
in the kernel as this is realy an important feature and the setcap is
not suited (no "deep" feature and no way to restrict to a given user),
if I get it right.

Rgs,
JB

** Affects: authbind (Ubuntu)
     Importance: Undecided
         Status: New

-- 
authbind fail on IPv6
https://bugs.launchpad.net/bugs/538871
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to authbind in ubuntu.

More information about the Ubuntu-server-bugs mailing list