On Wed, Jan 31 2018, Chuck Lever wrote:

>> On Jan 31, 2018, at 2:57 PM, Steve Dickson <SteveD@xxxxxxxxxx> wrote:
>>
>> On 01/31/2018 02:43 PM, Chuck Lever wrote:
>>>
>>>> On Jan 31, 2018, at 2:31 PM, Steve Dickson <SteveD@xxxxxxxxxx> wrote:
>>>>
>>>> On 01/29/2018 01:44 AM, Naruto Nguyen wrote:
>>>>> Hello,
>>>>>
>>>>> Just would like to add for more information, when I start rpcbind
>>>>> normally, not via systemd, the random UDP is still opened
>>>>>
>>>>> Could you please share any ideas on this?
>>>>
>>>> The bound UDP socket is used for remote calls... Where rpcbind
>>>> is asked to make a remote RPC for another caller...
>>>>
>>>> Antiquated? yes.. but harmless.
>>>
>>> Not quite harmless. It can occupy a privileged port that belongs
>>> to a real service.
>>
>> fair enough...
>>
>>> We should change rpcbind to retain CAP_NET_BIND_SERVICE, so that
>>> it doesn't have to hold onto that port indefinitely. It should
>>> be able to bind to an outgoing privileged port whenever it needs
>>> one.
>>
>> Or we just avoid known ports like sm-notify does.
>
> statd, you mean. It should also retain CAP_NET_BIND_SERVICE instead
> of what it does now, IMO.
>
> Note that in both of these cases, that long-lived port is never going
> to be used, going forward:
>
> - no one uses the rpcbind port-forward service that I know of

ypbind --broadcast ??

I don't see a problem with adding an option to disable it. I don't
think it is harmful enough to make that option the default (though
individual distributors might choose to add the command-line flag by
default).

> - NLM is going out of style

"style" isn't a word that I would use with NLM :-) but I suspect NLM
will still be used for some time yet.

> If we can make these two cases on-demand instead, so much the better,
> I say. As Mr. Talpey pointed out recently, the only long-lived
> privileged ports we should see on Linux are well-known service
> listeners, not outgoing ports.
>
> A fix for rpcbind might be to add a cmd-line flag to enable the
> rpcbind forwarding service, and have the service default to disabled.
> I'm not sure why rpcbind would list an outgoing port in its portmap
> menu. Are you sure that this is the forwarding reflector port?

rpcbind doesn't list the outgoing port. The listing you saw was from
"netstat -uap" or similar.

NeilBrown

>> steved.
>>
>>>> steved.
>>>>
>>>>> Brs,
>>>>> Bao
>>>>>
>>>>> On 27 January 2018 at 19:50, Naruto Nguyen <narutonguyen2018@xxxxxxxxx> wrote:
>>>>>> I would like to ask you a question regarding the new random UDP port
>>>>>> in rpcbind 0.2.3.
>>>>>>
>>>>>> In rpcbind 0.2.3, when I start rpcbind (version 0.2.3) through
>>>>>> rpcbind.service, then I do netstat
>>>>>>
>>>>>> udp        0      0 0.0.0.0:111             0.0.0.0:*
>>>>>> 10408/rpcbind
>>>>>> udp        0      0 0.0.0.0:831             0.0.0.0:*
>>>>>> 10408/rpcbind
>>>>>> udp6       0      0 :::111                  :::*
>>>>>> 10408/rpcbind
>>>>>> udp6       0      0 :::831                  :::*
>>>>>> 10408/rpcbind
>>>>>>
>>>>>> The rpcbind does not only listen on port 111 but also on a random udp
>>>>>> port "831" in this case, this port is changed every time the rpcbind
>>>>>> service restarts. And it listens on 0.0.0.0 so it opens a hole on
>>>>>> security. Could you please let me know what this port is for and is
>>>>>> there any way to avoid that like force it listen on an internal
>>>>>> interface rather than on any interfaces like that? I do not see the
>>>>>> random port on rpcbind 0.2.1, not sure why? As the rpcbind is started
>>>>>> from systemd so "-h" option is invalid as the man page says:
>>>>>>
>>>>>>   -h   Specify specific IP addresses to bind to for UDP requests.
>>>>>>        This option may be specified multiple times and can be used to
>>>>>>        restrict the interfaces rpcbind will respond to. Note that when
>>>>>>        rpcbind is controlled via systemd's socket activation, the -h
>>>>>>        option is ignored. In this case, you need to edit the
>>>>>>        ListenStream and ListenDgram definitions in
>>>>>>        /usr/lib/systemd/system/rpcbind.socket instead.
>>>>>>
>>>>>> Thanks a lot,
>>>>>> Brs,
>>>>>> Naruto
>>>>> --
>>>>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>>>>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>>>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>>
>>> --
>>> Chuck Lever
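The man page excerpt quoted above says that under systemd socket activation rpcbind ignores -h and the listener addresses must come from the ListenStream/ListenDgram lines of rpcbind.socket instead. The drop-in below is an added example (not from the thread or the rpcbind project) of doing that for the UDP listener only: the empty assignment clears the unit's own ListenDgram entries, then a single loopback address is added. The address 127.0.0.1 is a placeholder for whichever internal interface address you want rpcbind to answer on. The TCP ListenStream entries can be overridden the same way, but check the shipped unit first, since an empty `ListenStream=` clears every ListenStream entry the unit declares, not just the port 111 ones. Note also that this only controls the socket-activated port 111 listeners; the extra port the thread discusses (831 in the quoted netstat) is one rpcbind binds itself for forwarded calls, so the drop-in does not affect it.

```ini
# /etc/systemd/system/rpcbind.socket.d/udp-internal-only.conf
# Added example: restrict rpcbind's socket-activated UDP listener to one address.
# Under socket activation the -h option is ignored, so the address is set here.
[Socket]
# Empty assignment clears the ListenDgram lines inherited from rpcbind.socket.
ListenDgram=
# Placeholder address: replace with the internal interface address you want.
ListenDgram=127.0.0.1:111
```

After writing the drop-in, run `systemctl daemon-reload` and restart rpcbind.socket, then confirm with `ss -ulpn` or `netstat -uanp` that the port 111 UDP entry now shows the chosen address rather than 0.0.0.0.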
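Chuck's point that the only long-lived privileged ports one should see on Linux are well-known service listeners is easy to turn into a check. The script below is an added example, not code from the thread or from rpcbind: it parses netstat-style UDP listings (including the wrapped PID/Program column seen in the quoted output), and reports any socket on a privileged port that is not in the program's expected set of well-known ports, noting whether it is bound to all interfaces. The sample lines are constructed to match the netstat output quoted in the thread plus one extra line for a second daemon; the expected-port table is an assumption for illustration, with rpcbind's 111 taken from the thread.

```python
"""Audit netstat-style UDP listings for privileged ports that are not a
service's well-known listener.

Added example, not from the linux-nfs thread or the rpcbind project.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the four rpcbind lines quoted in the thread
# (with netstat's wrapped "PID/Program name" column, as in the original mail)
# plus one constructed line for another daemon holding its own expected port.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         PID/Program name
udp        0      0 0.0.0.0:111             0.0.0.0:*
10408/rpcbind
udp        0      0 0.0.0.0:831             0.0.0.0:*
10408/rpcbind
udp6       0      0 :::111                  :::*
10408/rpcbind
udp6       0      0 :::831                  :::*
10408/rpcbind
udp        0      0 127.0.0.1:323           0.0.0.0:*               950/chronyd
"""

# Well-known listener ports each daemon is expected to hold. rpcbind's 111
# comes from the thread; the chronyd entry is an assumption for illustration.
EXPECTED_PORTS = {
    "rpcbind": {111},
    "chronyd": {323},
}

PRIVILEGED_MAX = 1023  # ports 0-1023 need CAP_NET_BIND_SERVICE to bind


@dataclass(frozen=True)
class Socket:
    proto: str
    addr: str
    port: int
    pid: int
    program: str


_SOCKET_LINE = re.compile(
    r"^(?P<proto>udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?P<pid>\d+)/(?P<prog>\S+)"
)
_WRAPPED_PID = re.compile(r"^\s*\d+/\S+\s*$")


def _join_wrapped(text):
    """netstat wraps the PID/Program column onto its own line in narrow
    terminals (exactly as in the thread's quoted output); glue it back."""
    joined = []
    for line in text.splitlines():
        if _WRAPPED_PID.match(line) and joined:
            joined[-1] += " " + line.strip()
        else:
            joined.append(line)
    return joined


def parse_netstat(text):
    """Parse `netstat -uanp`-style output into Socket records."""
    sockets = []
    for line in _join_wrapped(text):
        m = _SOCKET_LINE.match(line)
        if not m:
            continue  # headers, TCP lines and anything else are ignored
        # rpartition handles both "0.0.0.0:111" and the IPv6 form ":::831".
        addr, _, port = m.group("local").rpartition(":")
        sockets.append(Socket(m.group("proto"), addr, int(port),
                              int(m.group("pid")), m.group("prog")))
    return sockets


def is_wildcard(addr):
    """True when the socket is bound on every interface."""
    return addr in ("0.0.0.0", "::")


def find_unexpected_privileged(sockets, expected=EXPECTED_PORTS):
    """Return sockets on a privileged port that are not among the owning
    program's well-known listener ports."""
    return [s for s in sockets
            if s.port <= PRIVILEGED_MAX
            and s.port not in expected.get(s.program, set())]


def report(text):
    """Human-readable findings for a netstat listing."""
    lines = []
    for s in find_unexpected_privileged(parse_netstat(text)):
        scope = "all interfaces" if is_wildcard(s.addr) else s.addr
        lines.append(f"{s.program}[{s.pid}] holds privileged {s.proto} "
                     f"port {s.port} on {scope}")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_NETSTAT):
        print(finding)
```

On the constructed sample this flags the two port 831 sockets (IPv4 and IPv6) as rpcbind holding a privileged port that is not its well-known listener, bound on all interfaces, while port 111 and chronyd's 323 pass. Run against real `netstat -uanp` output the same way; a port that moves on every restart, as Naruto observed, will show up as a different number each time but still be caught by the expected-port check.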