Re: Question about random UDP port on rpcbind 0.2.3

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> On Jan 31, 2018, at 2:57 PM, Steve Dickson <SteveD@xxxxxxxxxx> wrote:
> 
> 
> 
> On 01/31/2018 02:43 PM, Chuck Lever wrote:
>> 
>> 
>>> On Jan 31, 2018, at 2:31 PM, Steve Dickson <SteveD@xxxxxxxxxx> wrote:
>>> 
>>> 
>>> 
>>> On 01/29/2018 01:44 AM, Naruto Nguyen wrote:
>>>> Hello,
>>>> 
>>>> Just would like to add for more information, when I start rpcbind
>>>> normally, not via systemd, the random UDP is still opened
>>>> 
>>>> Could you please share any ideas on this?
>>> The bound UDP socket is used for remote calls... Where rpcbind
>>> is asked to make a remote RPC for another caller... 
>>> 
>>> Antiquated? yes.. but harmless.
>> 
>> Not quite harmless. It can occupy a privileged port that belongs
>> to a real service.
> fair enough... 
> 
>> 
>> We should change rpcbind to retain CAP_NET_BIND_SERVICE, so that
>> it doesn't have to hold onto that port indefinitely. It should
>> be able to bind to an outgoing privileged port whenever it needs
>> one.
> Or we just avoid know ports like sm-notify does.

statd, you mean. It should also retain CAP_NET_BIND_SERVICE instead
of what it does now, IMO.

Note that in both of these cases, that long-lived port is never going
to be used, going forward: 

- no one uses the rpcbind port-forward service that I know of

- NLM is going out of style

If we can make these two cases on-demand instead, so much the better,
I say. As Mr. Talpey pointed out recently, the only long-lived
privileged ports we should see on Linux are well-known service
listeners, not outgoing ports.

A fix for rpcbind might be to add a cmd-line flag to enable the
rpcbind forwarding service, and have the service default to disabled.
I'm not sure why rpcbind would list an outgoing port in it's portmap
menu. Are you sure that this is the forwarding reflector port?


> steved.
> 
>> 
>> 
>>> steved.
>>> 
>>>> 
>>>> Brs,
>>>> Bao
>>>> 
>>>> On 27 January 2018 at 19:50, Naruto Nguyen <narutonguyen2018@xxxxxxxxx> wrote:
>>>>> I would like to ask you a question regarding the new random UDP port
>>>>> in rpcbind 0.2.3.
>>>>> 
>>>>> In rpcbind 0.2.3, when I start rpcbind (version 0.2.3) through
>>>>> rpcbind.service, then I do netstat
>>>>> 
>>>>> udp        0      0 0.0.0.0:111             0.0.0.0:*
>>>>>        10408/rpcbind
>>>>> udp        0      0 0.0.0.0:831             0.0.0.0:*
>>>>>        10408/rpcbind
>>>>> udp6       0      0 :::111                  :::*
>>>>>        10408/rpcbind
>>>>> udp6       0      0 :::831                  :::*
>>>>>        10408/rpcbind
>>>>> 
>>>>> The rpcbind does not only listen on port 111 but also on a random udp
>>>>> port "831" in this case, this port is changed every time the rpcbind
>>>>> service retstarts. And it listens on 0.0.0.0 so it opens a hole on
>>>>> security. Could you please let me know what this port is for and is
>>>>> there any way to avoid that like force it listen on a internal
>>>>> interface rather than on any interfaces like that? I do not see the
>>>>> random port on rpcbind 0.2.1, not sure why? As the rpcbind is started
>>>>> from systemd so "-h" option is invalid as the man page says:
>>>>> 
>>>>> 
>>>>>  -h      Specify specific IP addresses to bind to for UDP requests.
>>>>> This option may be specified multiple times and can be used to
>>>>> restrict the interfaces rpcbind will respond to.  Note that when
>>>>> rpcbind is controlled via sys-
>>>>>            temd's socket activation, the -h option is ignored. In
>>>>> this case, you need to edit the ListenStream and ListenDgram
>>>>> definitions in /usr/lib/systemd/system/rpcbind.socket instead.
>>>>> 
>>>>> Thanks a lot,
>>>>> Brs,
>>>>> Naruto
>>>> --
>>>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>>>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>> 
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>> 
>> --
>> Chuck Lever

--
Chuck Lever



--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux