authbind fail on IPv6

Bug #538871 reported by BJB
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone
authbind (Debian) | Fix Released | Unknown | |
authbind (Ubuntu) | Confirmed | Wishlist | Unassigned |

Bug Description

Binary package hint: authbind

Hello,

I think this package does not work with IPv6.

The problem is that a lot of servers depend on this. For instance, most Java-based servers running a standard service (say an HTTPD, an SMTPD, etc.) on a standard port (privileged port) depend on this package to be able to work.

At this time, there is no way to run such a server on Linux without deactivating the IPv6 feature.
(setcap is not working as well, FYI because generally speaking it has no "deep")

This issue is blocking, as the only workaround is to do a NAT port forward (untested), which is not a clean solution IMHO.

Here are the steps :

adduser --system glassfish

Then add various "flag" like :

/etc/authbind/byport is :
-rwxr----- 1 glassfish admin 0 2010-03-14 18:04 443
-rwxr----- 1 glassfish admin 0 2010-03-13 23:05 80
/etc/authbind/byaddr is :
-rwxr----- 1 glassfish admin 0 2010-03-14 22:10 ::
-rwxr----- 1 glassfish admin 0 2010-03-14 22:09 0.0.0.0
-rwxr----- 1 glassfish admin 0 2010-03-15 00:21 ::1

I also have byuid set to check (does not change the result as well)

Here are the tests :

sudo -u glassfish authbind --deep nc -l 0.0.0.0 80
> work :)
sudo -u glassfish authbind --deep nc -l localhost 80
> work :)
sudo -u glassfish authbind --deep nc -l 127.0.0.1 80
> work :)
sudo -u glassfish authbind --deep nc -l :: 80
nc: Permission denied
sudo -u glassfish authbind --deep nc -l ::1 80
nc: Permission denied
sudo -u glassfish authbind --deep nc6 -l -p 80
nc6: bind to source :: 80 failed: Permission non accordée (aka failed !)

FYI, I have tried with byport + byaddr + byuid, all of them fail on IPv6 but succeed on IPv4.

Description: Ubuntu 9.10
Release: 9.10

authbind:
  Installed : 1.2.0build2
  Candidate : 1.2.0build2
 Version table
 *** 1.2.0build2 0
        500 http://fr.archive.ubuntu.com karmic/main Packages
        100 /var/lib/dpkg/status

By the way, it would be cool if the authbind feature were introduced in the kernel, as this is really an important feature and setcap is not suited (no "deep" feature and no way to restrict to a given user), if I get it right.

Rgs,
JB

BJB (bugeaud) wrote :
Chuck Short (zulcss)
Changed in authbind (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
BJB (bugeaud) wrote :

Looking at the code :
http://www.chiark.greenend.org.uk/ucgi/~ijackson/cvsweb/authbind/libauthbind.c?rev=1.8;content-type=text%2Fplain

For the overridden bind method, you have a section like:

  if (addr->sa_family != AF_INET || addrlen != sizeof(struct sockaddr_in) ||
      !geteuid() || ((struct sockaddr_in*)addr)->sin_port == 0 ||
      ntohs(((struct sockaddr_in*)addr)->sin_port) >= IPPORT_RESERVED/2)
    return old_bind(fd,addr,addrlen);

The problem is that it will never use the authbind method, hence will not work with INET6.
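
Added example (not part of the bug report and not libauthbind's own code): the guard quoted in the comment above, run next to a family-aware variant on an IPv4 and an IPv6 wildcard bind to port 80. The function names, the euid parameter standing in for geteuid(), and the family-aware variant are assumptions for illustration; the variant is not the fix released in Debian.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Guard from libauthbind.c rev 1.8 as quoted above; geteuid() is a parameter
 * here so it can be tested. 1 = handed to authbind, 0 = real bind() directly. */
static int intercept_rev18(const struct sockaddr *addr, socklen_t addrlen, uid_t euid) {
    if (addr->sa_family != AF_INET || addrlen != sizeof(struct sockaddr_in) ||
        !euid || ((const struct sockaddr_in *)addr)->sin_port == 0 ||
        ntohs(((const struct sockaddr_in *)addr)->sin_port) >= IPPORT_RESERVED / 2)
        return 0;
    return 1;
}

/* Hypothetical family-aware guard (an assumption, not the Debian fix): same
 * conditions, with the port read from whichever sockaddr layout is in use. */
static int intercept_family_aware(const struct sockaddr *addr, socklen_t addrlen, uid_t euid) {
    in_port_t port;
    if (addr->sa_family == AF_INET && addrlen == sizeof(struct sockaddr_in))
        port = ((const struct sockaddr_in *)addr)->sin_port;
    else if (addr->sa_family == AF_INET6 && addrlen == sizeof(struct sockaddr_in6))
        port = ((const struct sockaddr_in6 *)addr)->sin6_port;
    else
        return 0;
    return euid && port != 0 && ntohs(port) < IPPORT_RESERVED / 2;
}

/* Build a wildcard address (0.0.0.0 or ::) and run one of the two guards. */
static int would_intercept(int family, unsigned short port, uid_t euid, int family_aware) {
    union { struct sockaddr sa; struct sockaddr_in v4; struct sockaddr_in6 v6; } u;
    socklen_t len = family == AF_INET6 ? sizeof u.v6 : sizeof u.v4;
    memset(&u, 0, sizeof u);
    u.sa.sa_family = (sa_family_t)family;
    if (family == AF_INET6) u.v6.sin6_port = htons(port);
    else u.v4.sin_port = htons(port);
    return family_aware ? intercept_family_aware(&u.sa, len, euid)
                        : intercept_rev18(&u.sa, len, euid);
}

int main(void) {
    /* Constructed case: non-root euid 1000 binding port 80, as in the report. */
    printf("rev 1.8:      v4=%d v6=%d\n", would_intercept(AF_INET, 80, 1000, 0), would_intercept(AF_INET6, 80, 1000, 0));
    printf("family-aware: v4=%d v6=%d\n", would_intercept(AF_INET, 80, 1000, 1), would_intercept(AF_INET6, 80, 1000, 1));
    return 0;
}
```

With the rev 1.8 guard, the AF_INET6 bind goes straight to the real bind(), so the /etc/authbind entries are never consulted and the kernel returns the "Permission denied" seen in the tests.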

Kurt Huwig (k-huwig) wrote :
Changed in authbind (Debian):
status: Unknown → New
Changed in authbind (Debian):
status: New → Fix Released