On Aug 30, 2010, at 9:03 AM, Olaf Kirch wrote:

>
> Hi Steve et al,
>
> We recently got a bug report from a customer trying to run nfs-utils
> (which is compiled against libtirpc on SLES 11) on a system with
> portmapper installed instead of rpcbind. Which failed miserably,
> because none of the RPC servers was able to register with portmap.
>
> One might argue, if it hurts don't do it, but OTOH this configuration
> isn't totally outlandish. In particular, ISVs may decide they want
> to compile an RPC enabled application against libtirpc, but still
> want it to run on a wide range of Linux versions.
>
> I looked into the issue and put together the following two patches,
> which I'm submitting for your kindly review.

I've seen a couple of other requests for this feature, and wrote some patches last year that did something similar. I never got around to finishing them.

I worried at the time that this might introduce a security weakness, since, after all, the rpcbind SET operation goes over AF_UNIX, which is authenticated, but pmap uses sockets with privileged ports to detect authorized users.

I see that your logic uses the pmap SET/UNSET calls by default. This bypasses AF_UNIX completely in pretty much all local cases, which changes the behavior of rpcb_set() and rpcb_unset(), and could break the local rpcbind security model. It might be better to use pmap_setunset() only when local_rpcb() fails.

Another minor problem I think I remember is that if libtirpc is used on a system (perhaps because it is statically linked with said ISV RPC-enabled application) that does not have /etc/netconfig installed, the transport creation logic in rpcb_clnt.c simply doesn't work.

> Thanks
> Olaf
> --
> Neo didn't bring down the Matrix. SOA did. (soafacts.com)
> --------------------------------------------
> Olaf Kirch - Director Server (okir@xxxxxxxxxx)
> SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nürnberg
> GF: Markus Rex, HRB 16746 (AG Nürnberg)
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
chuck[dot]lever[at]oracle[dot]com