On 02/01/2018 10:29 AM, Scott Mayhew wrote:
>
> This patch should take care of making rpcbind set up the remote call
> port on demand. I don't have a whole lot of ways to test it though...
> just 'rpcinfo -b' and a handful of one-off programs I wrote a while back
> trying to mess with the CALLIT/INDIRECT/BCAST procedures.

This is where I spent my afternoon yesterday... figuring out a way to
test this code. rpc_call() is my new BFF!

>
> I'd still need to add the stuff to retain CAP_NET_BIND_SERVICE.

I think we need to do what nsm_clear_capabilities() does.

>
> I also like the idea of leaving this off by default and adding a
> command-line flag to enable it because I'm also not sure if anyone
> actually uses it... not to mention there's been at least one CVE in the
> past that exploited it (CVE-2015-7236, not sure if there are others).

I'm not a fan of this idea... I think on demand is a better way to
go... but what do I know?? ;-)

steved.
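An added example, not code from rpcbind, nfs-utils or this thread: the general Linux pattern for a daemon that gives up root yet keeps CAP_NET_BIND_SERVICE, so it can still bind a privileged port on demand later. The function names and the use of raw capget/capset syscalls instead of libcap are assumptions of this example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Shrink permitted/effective to at most `cap` and clear inheritable. 0 on success. */
int retain_only_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 }; /* pid 0 = self */
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, d) != 0) return -1;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++) {
        __u32 keep = (i == CAP_TO_INDEX(cap)) ? CAP_TO_MASK(cap) : 0;
        d[i].permitted &= keep;            /* a process can only shrink this set */
        d[i].effective = d[i].permitted;   /* re-raise what survived, nothing more */
        d[i].inheritable = 0;              /* nothing is passed on across exec */
    }
    return (int)syscall(SYS_capset, &hdr, d);
}

/* 1 if nothing other than `cap` is permitted or effective, 0 if something is, -1 on error. */
int holds_nothing_but(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, d) != 0) return -1;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++) {
        __u32 keep = (i == CAP_TO_INDEX(cap)) ? CAP_TO_MASK(cap) : 0;
        if ((d[i].permitted | d[i].effective) & ~keep) return 0;
    }
    return 1;
}

/* Hypothetical start-up step: become uid/gid, stay able to bind ports below 1024. */
int drop_to_user(uid_t uid, gid_t gid)
{
    /* Without KEEPCAPS, setuid() away from root empties the permitted set. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    return retain_only_cap(CAP_NET_BIND_SERVICE); /* setuid() cleared the effective set */
}

int main(void)
{
    if (retain_only_cap(CAP_NET_BIND_SERVICE) != 0) return 1;
    return holds_nothing_but(CAP_NET_BIND_SERVICE) == 1 ? 0 : 1;
}
```

Run unprivileged, retain_only_cap() succeeds with an empty result, since it only ever removes capabilities; drop_to_user() needs to start as root.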