On 2/5/2018 12:02 PM, Chuck Lever wrote:
Heya Steve-
On Feb 5, 2018, at 11:36 AM, Steve Dickson <steved@xxxxxxxxxx> wrote:
Over the weekend I did some experimenting with
the remote call code in rpcbind. The code does
functionally work but is very antiquated when
it comes to the latest NFS versions.
Since only UDP sockets are used to do remote calls
using the documented interfaces pmap_rmtcall() and callrpc()
calls to NFS will fail (actual times out) since UDP is no
longer supported.
The undocumented interface rpc_call() can be used to
call into NFS since the protocol can specified, which
also means the PMAPPROC_CALLIT protocol is not used.
It turns out privilege port are not needed to make
remote calls, at least with my testing.
It's not quite clear what you are claiming here, but
I'm guessing that what you demonstrated is that the
CALLIT _listener_ does not have to be privileged?
I claim that is true for all RPC listeners.
Why in the world is the remote-call interface even still supported?
It is and was a mammoth security hole allowing machine impersonation,
and to my knowledge no actual services or applications depends on
it. Why not bury it under some compatibility option, default=off??
Tom.
I'm thinking
the only reason privilege ports were being uses was
a side effect of create_rmtcall_fd() calling
svc_tli_create() with an unbound socket.
Privileged listener ports are being created because
svc_tli_create is using bindresvport when the passed
in socket is not already bound.
svc_tli_create should use bind instead, and it needs
to choose a port higher than 49151.
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
So the following patch simply binds the socket
before calling svc_tli_create() which means a
non-privilege port will be reserved for remote
calls.
I'm thinking this is the simplest way to
not pollute the privilege port space.
This is going in the right direction, but the problem
needs to be addressed in svc_tli_create, not in each
application that calls svc_tli_create.
This is the same issue that Guillem Jover was trying to
address by making bindresvport skip well-known ports.
In other words: this code in src/svc_generic.c is wrong:
218 /*
219 * If the fd is unbound, try to bind it.
220 */
221 if (madefd || !__rpc_sockisbound(fd)) {
222 if (bindaddr == NULL) {
223 if (bindresvport(fd, NULL) < 0) {
^^^^^^^^^^^^
224 memset(&ss, 0, sizeof ss);
225 ss.ss_family = si.si_af;
226 if (bind(fd, (struct sockaddr *)(void *)&ss,
227 (socklen_t)si.si_alen) < 0) {
228 warnx(
229 "svc_tli_create: could not bind to anonymous port");
230 goto freedata;
231 }
232 }
233 listen(fd, SOMAXCONN);
234 } else {
235 if (bind(fd,
236 (struct sockaddr *)bindaddr->addr.buf,
237 (socklen_t)si.si_alen) < 0) {
238 warnx(
239 "svc_tli_create: could not bind to requested address");
240 goto freedata;
241 }
242 listen(fd, (int)bindaddr->qlen);
243 }
244
245 }
Steve Dickson (1):
rmtcalls: Don't use privileged ports for remote calls.
src/rpcb_svc_com.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
--
Chuck Lever
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
