[Bug 1443041] [NEW] AUTHBIND is incorrectly configured to run Tomcat7 on port 80 or 443
James Manger
james.h.manger at team.telstra.com
Sun Apr 12 10:02:59 UTC 2015
Public bug reported:
Setting AUTHBIND=yes in /etc/default/tomcat7 should allow Tomcat to
listen on port 80 and/or 443 (when configured to do so in
/etc/tomcat7/server.xml). However, it does not work.
The problem is the file /etc/authbind/byuid/105, which is created by the tomcat7 post-install script (/var/lib/dpkg/info/tomcat7.postinst lines 57-68). The content is:
0.0.0.0/0:1,1023
This only authorizes IPv4 addresses, but fails as Tomcat will typically
bind to IPv4 and IPv6.
Authorizing the port range 1-1023 will not work for ports 512-1023 as
the authbind man page says 512-1023 are more dangerous so require the
file name to start with "!" (presumably byuid/!105).
A much better approach is to authorize Tomcat for only ports 80 (http)
and 443 (https). I am sure that covers 99.999999% of use of ports <1024
so it is more secure not to authorize more.
The permissions on the file are wrong. The file only needs to be
readable by root. It should not be writeable by tomcat7. That gives
tomcat7 the ability to change the file to use any port <1024. The
confusion is because files in /etc/authbind/byport/ (and byaddr/) do
need to be owned by the relevant user because it is the existence (not
content) of those files that conveys authority.
SOLUTION
The file /etc/authbind/byuid/105 (where 105 is the UID for the tomcat7 user) should have the following permissions:
-rw------- 1 root root 44 Apr 11 12:30 /etc/authbind/byuid/105
It should have the following content (authorizing use of ports 80 and
443 for any IPv6 or IPv4 interface):
::/0,80
::/0,443
0.0.0.0/0,80
0.0.0.0/0,443
This file should be created by the tomcat7 post-install script:
/var/lib/dpkg/info/tomcat7.postinst.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: tomcat7 7.0.52-1ubuntu0.1
ProcVersionSignature: Ubuntu 3.13.0-49.81-generic 3.13.11-ckt17
Uname: Linux 3.13.0-49-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.8
Architecture: amd64
Date: Sun Apr 12 19:29:46 2015
InstallationDate: Installed on 2014-08-06 (249 days ago)
InstallationMedia: Ubuntu-Server 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.3)
PackageArchitecture: all
SourcePackage: tomcat7
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.tomcat7.server.xml: [modified]
modified.conffile..etc.tomcat7.tomcat.users.xml: [inaccessible: [Errno 13] Permission denied: '/etc/tomcat7/tomcat-users.xml']
mtime.conffile..etc.tomcat7.server.xml: 2015-04-10T17:49:05.456785
** Affects: tomcat7 (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug trusty
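One way to apply the SOLUTION above and to audit an existing byuid file for the three problems the report describes. This is an added example, not the reporter's code and not the tomcat7 postinst; the AUTHBIND_DIR override is an assumption added so it can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the bug report or the tomcat7 postinst): creates an
# authbind byuid file as the report's SOLUTION describes, and audits an
# existing one for the problems the report lists. AUTHBIND_DIR is a
# constructed override so this can run against a scratch directory; a real
# install uses /etc/authbind.
: "${AUTHBIND_DIR:=/etc/authbind}"

# write_byuid UID: authorise only ports 80 and 443, on any IPv4 or IPv6 address
write_byuid() {
    f="$AUTHBIND_DIR/byuid/$1"
    mkdir -p "$AUTHBIND_DIR/byuid"
    # umask 077 in a subshell so the file never exists group/world-readable
    ( umask 077; printf '%s\n' '::/0,80' '::/0,443' '0.0.0.0/0,80' '0.0.0.0/0,443' > "$f" )
    chmod 0600 "$f"
    # only root may give the file to root; unprivileged runs keep the caller as owner
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$f"; fi
}

# audit_byuid UID: return 0 if the file matches the recommendation, otherwise
# print each finding and return 1
audit_byuid() {
    f="$AUTHBIND_DIR/byuid/$1"
    rc=0
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    # any bit beyond owner rw lets the tomcat7 user widen its own grant
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode, expected 0600"; rc=1 ;;
    esac
    # Tomcat binds both address families, so an IPv4-only grant still fails
    grep -q '^::/0[,:]' "$f" || { echo "$f: no IPv6 entry"; rc=1; }
    # addr/len:min,max is a range; the report wants single ports (addr/len,port)
    if grep -q ':[0-9][0-9]*,[0-9][0-9]*$' "$f"; then
        echo "$f: port range present, expected only ports 80 and 443"; rc=1
    fi
    # every single-port line must name 80 or 443
    if grep -Ev '^[^:]*,(80|443)$' "$f" | grep -q '^[^:]*,'; then
        echo "$f: port other than 80/443 authorised"; rc=1
    fi
    return $rc
}
```

Run `write_byuid 105` as root to produce the recommended file, and `audit_byuid 105` afterwards (or on any host) to confirm the mode, the IPv6 entries and the port list.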
https://bugs.launchpad.net/bugs/1443041