Using EpollEventLoopGroup with authbind fails to bind to privileged ports #5789

Closed
jayv opened this issue Sep 2, 2016 · 6 comments

jayv commented Sep 2, 2016

We use https://en.wikipedia.org/wiki/Authbind for our apps running as non-root to bind to ports <1024 (in our case 80 and 443).

With the NioEventLoopGroup it works fine; using EpollEventLoopGroup it fails to bind with an auth error, as if authbind is ineffective.

Steps, with Netty 4.1.4 with EpollEventLoopGroup vs NioEventLoopGroup bound to port 80:

  • sudo apt-get install authbind
  • sudo touch /etc/authbind/byport/80
  • sudo chmod 755 /etc/authbind/byport/80
  • sudo chown [user] /etc/authbind/byport/80
  • (as non-root) => authbind java -Djava.net.preferIPv4Stack=true -jar [netty-app-jar with bind to port 80]

The error in case of EpollEventLoopGroup:

io.netty.channel.unix.Errors$NativeIoException: bind() failed: Permission denied
        at io.netty.channel.unix.Errors.newIOException(Errors.java:109)
        at io.netty.channel.unix.Socket.bind(Socket.java:231)
        at io.netty.channel.epoll.EpollServerSocketChannel.doBind(EpollServerSocketChannel.java:91)
        at io.netty.channel.AbstractChannel$AbstractUnsafe.bind(AbstractChannel.java:554)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.bind(DefaultChannelPipeline.java:1258)
        at io.netty.channel.AbstractChannelHandlerContext.invokeBind(AbstractChannelHandlerContext.java:511)
        at io.netty.channel.AbstractChannelHandlerContext.bind(AbstractChannelHandlerContext.java:496)
        at io.netty.channel.DefaultChannelPipeline.bind(DefaultChannelPipeline.java:980)
        at io.netty.channel.AbstractChannel.bind(AbstractChannel.java:250)
        at io.netty.bootstrap.AbstractBootstrap$2.run(AbstractBootstrap.java:363)
        at io.netty.util.concurrent.SingleThreadEventExecutor.safeExecute(SingleThreadEventExecutor.java:451)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:418)
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:306)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:877)
        at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:144)

This problem is potentially related to #1231

@normanmaurer
Member

@jayv hmm is there anything else I need to do:

➜  netty-benchmark git:(master) ✗ authbind java -Depoll=false -jar /home/norman/workspace/netty-benchmark/target/netty-http-0.1-4.1.6.Final-SNAPSHOT-jar-with-dependencies.jar
Exception in thread "main" java.net.SocketException: Permission denied
    at sun.nio.ch.Net.bind0(Native Method)
    at sun.nio.ch.Net.bind(Net.java:433)
    at sun.nio.ch.Net.bind(Net.java:425)
    at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:223)
    at io.netty.channel.socket.nio.NioServerSocketChannel.doBind(NioServerSocketChannel.java:127)
    at io.netty.channel.AbstractChannel$AbstractUnsafe.bind(AbstractChannel.java:554)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.bind(DefaultChannelPipeline.java:1258)
    at io.netty.channel.AbstractChannelHandlerContext.invokeBind(AbstractChannelHandlerContext.java:511)
    at io.netty.channel.AbstractChannelHandlerContext.bind(AbstractChannelHandlerContext.java:496)
    at io.netty.channel.DefaultChannelPipeline.bind(DefaultChannelPipeline.java:980)
    at io.netty.channel.AbstractChannel.bind(AbstractChannel.java:250)
    at io.netty.bootstrap.AbstractBootstrap$2.run(AbstractBootstrap.java:363)
    at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
    at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:418)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:449)
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873)
    at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:144)
    at java.lang.Thread.run(Thread.java:745)

➜  netty-benchmark git:(master) ✗ ls /etc/authbind/byport/80
/etc/authbind/byport/80

@jayv
Author

jayv commented Sep 2, 2016

Sorry, it looks like it needs a sudo chmod 755 /etc/authbind/byport/80: the port file needs the execute bit for the non-privileged user. You may need to chown it to the user you are running it as, too.
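A preflight check for the byport setup discussed in this thread, as an added example that is not part of the original issue and is not Netty or authbind code. It relies on authbind's documented rule that a port is authorised when /etc/authbind/byport/PORT is executable by the calling user, and it also reports how widely that execute bit is granted (a 755 file authorises every local user, not only the service account). The function names, result strings and the optional directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify an authbind "byport" entry before starting the service.
# Hypothetical helper names; only standard POSIX tools (test, find) are used.

# True when every permission bit in octal mask $2 is set on file $1.
has_mode_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# check_authbind_port PORT [BYPORT_DIR]
# Prints one of: invalid-port, missing, denied,
#                allowed-world, allowed-group, allowed-owner
# Returns 0 when the current user may bind via authbind, 1 when not, 2 on bad input.
check_authbind_port() {
    port="$1"
    dir="${2:-/etc/authbind/byport}"
    case "$port" in
        ''|*[!0-9]*) echo "invalid-port"; return 2 ;;
    esac
    entry="$dir/$port"
    if [ ! -e "$entry" ]; then
        echo "missing"          # the "touch" step was never done for this port
        return 1
    fi
    if [ ! -x "$entry" ]; then
        echo "denied"           # no execute bit for the user running this check
        return 1
    fi
    # Authorised for this user; now report who else is authorised.
    if has_mode_bits "$entry" 001; then
        echo "allowed-world"    # e.g. 755: any local user can bind this port
    elif has_mode_bits "$entry" 010; then
        echo "allowed-group"    # e.g. 750: members of the file's group
    else
        echo "allowed-owner"    # e.g. 500: only the owning service account
    fi
    return 0
}

# Run directly as: sh check.sh 80
if [ "$#" -gt 0 ]; then
    check_authbind_port "$@"
fi
```

Run it as the same non-root user that launches the JVM, since the execute test is evaluated for the calling user.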

@jayv
Author

jayv commented Sep 2, 2016

Actually, we also run with -Djava.net.preferIPv4Stack=true. This may be relevant depending on your version of authbind, as from v2.x it supports IPv6, but we are still on v1.2, hence the flag.

@normanmaurer
Member

@jayv sorry I totally lost track here... Will try to debug tomorrow

@normanmaurer normanmaurer self-assigned this Nov 24, 2016
@normanmaurer
Member

@jayv good news... I think I found the problem, now looking into fixing it.

@normanmaurer normanmaurer added this to the 4.0.43.Final milestone Nov 25, 2016
@normanmaurer normanmaurer removed this from the 4.0.47.Final milestone May 11, 2017
@normanmaurer
Member

This was fixed...
