Re: SOLVED, Re: For some reason, the AUTHBIND approach isn't working with 8.5

2017-09-07 Thread Christopher Schultz

James,

On 9/7/17 12:18 PM, James H. H. Lampert wrote:
> Emmanuel Bourg wrote:
>>> You didn't change the TOMCAT8_USER variable in
>>> /etc/default/tomcat8 and authbind is installed, right?
>>> 
>>> What is the output of (as root):
>>> 
>>> su tomcat8 -s /bin/bash -c "authbind --deep /bin/bash -c 'netcat -v -p 443 -l'"
> and my reply ended:
>> The only difference I see is the home directories.
> 
> I found another difference.
> 
> I looked at the man page for authbind. Then I looked at the
> contents of /etc/authbind.
> 
> It seems that /etc/authbind/byport/443 has owner "tomcat7," group 
> "root," and mode 500. As soon as I changed that to group "tomcat8"
> and mode 550,
>> sudo -u tomcat8 -s /bin/bash -c "authbind --deep /bin/bash -c 'netcat -v -p 443 -l'"
> no longer came back with "Permission denied," and when I put Tomcat
> 8.5 on port 443 and restarted Tomcat 8.5, it started right up
> without further complaint.

Glad to hear that.

I've not used authbind, but I believe you can configure things in more
than one way (i.e. /etc/authbind/byport versus /etc/authbind/byuid).
I'll bet there is an order of preference, and that
/etc/authbind/byport overrides /etc/authbind/byuid.

I think you may want to remove /etc/authbind/byport/443 altogether and
allow the /etc/authbind/byuid configuration to handle everything.

NB I would recommend, at least in production, that you limit the ports
to which Tomcat is allowed to bind to the ports you actually need, and
not 1-1023. Just In Case.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: For some reason, the AUTHBIND approach isn't working with 8.5

2017-09-07 Thread Christopher Schultz

Guang,

On 9/7/17 3:22 AM, Guang Chao wrote:
> On Thu, Sep 7, 2017 at 8:02 AM, James H. H. Lampert < 
> jam...@touchtonecorp.com> wrote:
> 
>> A little over a month ago, I had a problem with getting Tomcat 7
>> to bind to port 443 on Debian.
>> 
>> We solved that problem with the "authbind" approach.
>> 
>> Now, I'm attempting to do the same with Tomcat 8.5, and it's not
>> working.
>> 
>> 06-Sep-2017 23:47:46.293 SEVERE [main] org.apache.coyote.AbstractProtocol.init
>>> Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-443"]
>>> java.net.SocketException: Permission denied [snip]
> 
> You cannot use a port below 1024 if the service is non-root.

This is not true.

Authbind exists solely for the purpose of making your above statement
not true.

> You can use routing via iptables

Not necessary. Authbind should work.

> Another option is have a reverse proxy, e.g. nginx listening on
> 443 fronting your tomcat listening on a higher port.

Not necessary. Authbind should work.

-chris






SOLVED, Re: For some reason, the AUTHBIND approach isn't working with 8.5

2017-09-07 Thread James H. H. Lampert

Emmanuel Bourg wrote:

You didn't change the TOMCAT8_USER variable in /etc/default/tomcat8 and
authbind is installed, right?

What is the output of (as root):

su tomcat8 -s /bin/bash -c "authbind --deep /bin/bash -c 'netcat -v -p 443 -l'"

and my reply ended:

The only difference I see is the home directories.


I found another difference.

I looked at the man page for authbind. Then I looked at the contents of 
/etc/authbind.


It seems that /etc/authbind/byport/443 has owner "tomcat7," group 
"root," and mode 500. As soon as I changed that to group "tomcat8" and 
mode 550,

sudo -u tomcat8 -s /bin/bash -c "authbind --deep /bin/bash -c 'netcat -v -p 443 -l'"
no longer came back with "Permission denied," and when I put Tomcat 8.5 
on port 443 and restarted Tomcat 8.5, it started right up without 
further complaint.


--
JHHL

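The lookup order that Chris's guess about byport overriding byuid (in the reply above) and James's fix to /etc/authbind/byport/443 (in the post above) both turn on, as an added example that is not part of the thread or of the authbind package: a POSIX sh diagnostic that walks a configuration tree in the order byport, byaddr, byuid and reports which file grants or denies a bind, then replays the thread's scenarios on a constructed tree. It assumes, since the thread does not state it, that a byport or byaddr file that exists but is not executable by the caller produces a denial rather than a fall-through to byuid; it recognises only the two byuid line shapes the tomcat8 package generated (ADDR/LEN:MIN,MAX and ADDR/LEN,MIN-MAX) and checks port ranges only, not addresses. A mode-000 file stands in for "owned by tomcat7:root, mode 500" as seen from uid 109, since the example cannot chown.

```shell
#!/bin/sh
# authbind_diag.sh: walk an authbind configuration tree in the order
# byport, byaddr, byuid and report which file grants or denies a bind.
# Added example, not code from the thread or from the authbind package.
# Assumptions (not stated in the thread): a byport/byaddr file that exists
# but is not executable by the caller denies the bind instead of falling
# through to byuid; byuid lines look like ADDR/LEN:MIN,MAX or ADDR/LEN,MIN-MAX;
# addresses are ignored, only port ranges are checked.

# port_in_line PORT LINE -> 0 if PORT lies within LINE's port range
port_in_line() {
    port=$1 line=$2
    case $line in
        *,*-*) range=${line##*,}; lo=${range%-*}; hi=${range#*-} ;;  # ::/0,1-1023
        *:*,*) range=${line##*:}; lo=${range%,*}; hi=${range#*,} ;;  # 0.0.0.0/0:1,1023
        *)     return 1 ;;
    esac
    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]
}

# authbind_check DIR UID PORT [ADDR]
# Prints "allow: ..." or "deny: ..." and returns 0 only when the bind is allowed.
authbind_check() {
    dir=$1 uid=$2 port=$3 addr=${4:-0.0.0.0}
    for f in "$dir/byport/$port" "$dir/byaddr/$addr:$port"; do
        [ -e "$f" ] || continue                     # absent: try the next test
        if [ -x "$f" ]; then
            echo "allow: ${f#$dir/} is executable by the caller"; return 0
        fi
        # exists but not executable by the caller: byuid is never consulted
        echo "deny: ${f#$dir/} exists but is not executable by the caller"; return 1
    done
    f="$dir/byuid/$uid"
    [ -r "$f" ] || { echo "deny: no readable byuid/$uid"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if port_in_line "$port" "$line"; then
            echo "allow: byuid/$uid line '$line' covers port $port"; return 0
        fi
    done < "$f"
    echo "deny: byuid/$uid has no line covering port $port"; return 1
}

# make_sample_tree -> prints the path of a constructed tree mirroring the thread:
# byuid/109 holds the two lines the tomcat8 package generated, no byport file yet.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/byport" "$d/byaddr" "$d/byuid"
    printf '0.0.0.0/0:1,1023\n::/0,1-1023\n' > "$d/byuid/109"
    echo "$d"
}

# add_stale_byport DIR PORT MODE: a byport file left behind by another package.
add_stale_byport() {
    : > "$1/byport/$2"
    chmod "$3" "$1/byport/$2"
}

# tighten_byuid DIR UID PORT: permit only PORT, in the same two line shapes
# the package generated (the narrowing Chris recommends for production).
tighten_byuid() {
    printf '0.0.0.0/0:%s,%s\n::/0,%s-%s\n' "$3" "$3" "$3" "$3" > "$1/byuid/$2"
}

# Replay the thread's scenarios on the constructed tree.
t=$(make_sample_tree)
authbind_check "$t" 109 443                     # allow via byuid/109
add_stale_byport "$t" 443 000                   # stand-in for tomcat7:root mode 500
authbind_check "$t" 109 443 || true             # deny: byport/443 blocks before byuid
chmod 550 "$t/byport/443"                       # the fix applied in the thread
authbind_check "$t" 109 443                     # allow via byport/443
rm -f "$t/byport/443"
tighten_byuid "$t" 109 443
authbind_check "$t" 109 80 || true              # deny: only 443 remains permitted
rm -rf "$t"
```

Against a live system, `authbind_check /etc/authbind "$(id -u tomcat8)" 443` points at the file that is granting or blocking the bind without starting Tomcat; whether the real helper treats an unreadable byport file as a hard denial is the assumption worth confirming in the authbind man page on your distribution.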



Re: For some reason, the AUTHBIND approach isn't working with 8.5

2017-09-07 Thread James H. H. Lampert

On 9/7/17, 3:15 AM, Emmanuel Bourg wrote:

You didn't change the TOMCAT8_USER variable in /etc/default/tomcat8 and
authbind is installed, right?

What is the output of (as root):

su tomcat8 -s /bin/bash -c "authbind --deep /bin/bash -c 'netcat -v -p 443 -l'"
Well, all that does is ask me for a nonexistent password (Google Compute 
instances are ssh-by-keypair only), but if I change the su to a sudo, then:

jamesl@x:~$ sudo -u tomcat8 -s /bin/bash -c "authbind --deep /bin/bash -c 'netcat -v -p 443 -l'"
Can't grab 0.0.0.0:443 with bind : Permission denied
jamesl@x:~$ sudo -s /bin/bash -c "authbind --deep /bin/bash -c 'netcat -v -p 443 -l'"
listening on [any] 443 ...
^C
jamesl@x:~$ sudo -u tomcat7 -s /bin/bash -c "authbind --deep /bin/bash -c 'netcat -v -p 443 -l'"
listening on [any] 443 ...
^C


So apparently, there's something different between the tomcat7 and 
tomcat8 user profiles that's killing authbind.


From /etc/passwd:

tomcat7:x:107:113::/usr/share/tomcat7:/bin/false

. . .

tomcat8:x:109:115::/var/lib/tomcat8:/bin/false


The only places "tomcat7" and "tomcat8" appear in /etc/group are:

tomcat7:x:113:

. . .

tomcat8:x:115:


The only difference I see is the home directories.
--
JHHL




Re: For some reason, the AUTHBIND approach isn't working with 8.5

2017-09-07 Thread Emmanuel Bourg
On 7/09/2017 at 02:02, James H. H. Lampert wrote:

> Now, I'm attempting to do the same with Tomcat 8.5, and it's not working.
> 
> 
> I think I did everything the same as before. I uncommented AUTHBIND in
> /etc/default/tomcat8, and set it to "AUTHBIND=yes"; an
> /etc/authbind/byuid/109 (the uid of the tomcat8 user) was generated with
> contents
> 
> and yet still, I get the stack trace given above.

Hi James,

You didn't change the TOMCAT8_USER variable in /etc/default/tomcat8 and
authbind is installed, right?

What is the output of (as root):

su tomcat8 -s /bin/bash -c "authbind --deep /bin/bash -c 'netcat -v -p 443 -l'"

Emmanuel Bourg




Re: For some reason, the AUTHBIND approach isn't working with 8.5

2017-09-07 Thread Guang Chao
On Thu, Sep 7, 2017 at 8:02 AM, James H. H. Lampert <
jam...@touchtonecorp.com> wrote:

> A little over a month ago, I had a problem with getting Tomcat 7 to bind
> to port 443 on Debian.
>
> We solved that problem with the "authbind" approach.
>
> Now, I'm attempting to do the same with Tomcat 8.5, and it's not working.
>
> 06-Sep-2017 23:47:46.293 SEVERE [main] org.apache.coyote.AbstractProtocol.init
>> Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-443"]
>>  java.net.SocketException: Permission denied
>> at sun.nio.ch.Net.bind0(Native Method)
>> at sun.nio.ch.Net.bind(Net.java:463)
>> at sun.nio.ch.Net.bind(Net.java:455)
>> at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:223)
>> at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
>> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:210)
>> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:970)
>> at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
>> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:613)
>> at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
>> at org.apache.catalina.connector.Connector.initInternal(Connector.java:968)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:606)
>> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
>>
>
You cannot use a port below 1024 if the service is non-root.
You can use routing via iptables.
Another option is to have a reverse proxy, e.g. nginx listening on 443,
fronting your Tomcat listening on a higher port.


>
> I think I did everything the same as before. I uncommented AUTHBIND in
> /etc/default/tomcat8, and set it to "AUTHBIND=yes"; an
> /etc/authbind/byuid/109 (the uid of the tomcat8 user) was generated with
> contents
>
>> 0.0.0.0/0:1,1023
>> ::/0,1-1023
>>
>
> and yet still, I get the stack trace given above.
>
> --
> JHHL
>


-- 
Guang