Re: Question about random UDP port on rpcbind 0.2.3


On 01/31/2018 02:43 PM, Chuck Lever wrote:
> 
> 
>> On Jan 31, 2018, at 2:31 PM, Steve Dickson <SteveD@xxxxxxxxxx> wrote:
>>
>>
>>
>> On 01/29/2018 01:44 AM, Naruto Nguyen wrote:
>>> Hello,
>>>
>>> Just would like to add for more information, when I start rpcbind
>>> normally, not via systemd, the random UDP is still opened
>>>
>>> Could you please share any ideas on this?
>> The bound UDP socket is used for remote calls... Where rpcbind
>> is asked to make a remote RPC for another caller... 
>>
>> Antiquated? yes.. but harmless.
> 
> Not quite harmless. It can occupy a privileged port that belongs
> to a real service.
fair enough... 

> 
> We should change rpcbind to retain CAP_NET_BIND_SERVICE, so that
> it doesn't have to hold onto that port indefinitely. It should
> be able to bind to an outgoing privileged port whenever it needs
> one.
Or we just avoid known ports like sm-notify does.

steved.

> 
> 
>> steved.
>>
>>>
>>> Brs,
>>> Bao
>>>
>>> On 27 January 2018 at 19:50, Naruto Nguyen <narutonguyen2018@xxxxxxxxx> wrote:
>>>> I would like to ask you a question regarding the new random UDP port
>>>> in rpcbind 0.2.3.
>>>>
>>>> In rpcbind 0.2.3, when I start rpcbind (version 0.2.3) through
>>>> rpcbind.service, then I do netstat
>>>>
>>>> udp        0      0 0.0.0.0:111             0.0.0.0:*
>>>>         10408/rpcbind
>>>> udp        0      0 0.0.0.0:831             0.0.0.0:*
>>>>         10408/rpcbind
>>>> udp6       0      0 :::111                  :::*
>>>>         10408/rpcbind
>>>> udp6       0      0 :::831                  :::*
>>>>         10408/rpcbind
>>>>
>>>> The rpcbind does not only listen on port 111 but also on a random udp
>>>> port "831" in this case, this port is changed every time the rpcbind
>>>> service restarts. And it listens on 0.0.0.0 so it opens a hole on
>>>> security. Could you please let me know what this port is for and is
>>>> there any way to avoid that like force it listen on an internal
>>>> interface rather than on any interfaces like that? I do not see the
>>>> random port on rpcbind 0.2.1, not sure why? As the rpcbind is started
>>>> from systemd so "-h" option is invalid as the man page says:
>>>>
>>>>
>>>>   -h      Specify specific IP addresses to bind to for UDP requests.
>>>>           This option may be specified multiple times and can be used to
>>>>           restrict the interfaces rpcbind will respond to.  Note that when
>>>>           rpcbind is controlled via systemd's socket activation, the -h
>>>>           option is ignored. In this case, you need to edit the
>>>>           ListenStream and ListenDgram definitions in
>>>>           /usr/lib/systemd/system/rpcbind.socket instead.
>>>>
>>>> Thanks a lot,
>>>> Brs,
>>>> Naruto
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
> 
> --
> Chuck Lever
> 
> 
> 
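As an added example, not part of the thread above or of rpcbind itself: a small check that reads `netstat -ulnp`-style output and flags the behaviour Naruto reported, an rpcbind UDP socket bound to the wildcard address on a port other than the portmapper's 111, and notes when that port lies in the privileged range Chuck mentions. The sample lines are constructed from the output quoted in the thread (joined back onto single lines) plus one unrelated socket; the program name, addresses and the chronyd line are assumptions for illustration.

```python
"""Flag rpcbind UDP sockets bound to all interfaces on a port other than
the registered portmapper port (111). The netstat sample below is
constructed from the lines quoted in the thread; it is not live output."""

PORTMAPPER_PORT = 111
PRIVILEGED_MAX = 1023          # ports 1..1023 need CAP_NET_BIND_SERVICE
WILDCARDS = {"0.0.0.0", "::"}  # bound to every interface

# Constructed sample of `netstat -ulnp` output (assumed PIDs/programs).
SAMPLE_NETSTAT = """\
udp        0      0 0.0.0.0:111             0.0.0.0:*               10408/rpcbind
udp        0      0 0.0.0.0:831             0.0.0.0:*               10408/rpcbind
udp6       0      0 :::111                  :::*                    10408/rpcbind
udp6       0      0 :::831                  :::*                    10408/rpcbind
udp        0      0 127.0.0.1:323           0.0.0.0:*               612/chronyd
"""


def parse_netstat(text):
    """Yield (proto, bind_addr, port, program) for each socket line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("udp", "tcp")):
            continue  # header, blank or unrelated line
        proto, local, prog = parts[0], parts[3], parts[-1]
        addr, _, port = local.rpartition(":")   # handles ':::831' too
        program = prog.split("/", 1)[1] if "/" in prog else prog
        yield proto, addr, int(port), program


def find_stray_rpcbind_ports(text):
    """Return findings for rpcbind UDP sockets that are not the portmapper
    port and are bound to a wildcard address (any interface)."""
    findings = []
    for proto, addr, port, program in parse_netstat(text):
        if program != "rpcbind" or not proto.startswith("udp"):
            continue
        if port == PORTMAPPER_PORT or addr not in WILDCARDS:
            continue
        findings.append({"proto": proto, "port": port,
                         "privileged": port <= PRIVILEGED_MAX})
    return findings


if __name__ == "__main__":
    for finding in find_stray_rpcbind_ports(SAMPLE_NETSTAT):
        print(finding)
```

Run it against real `netstat -ulnp` (or equivalent `ss -ulnp`, after adapting the column layout) output to see whether a given rpcbind build still holds such a socket after startup.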