Re: Question about random UDP port on rpcbind 0.2.3

On Wed, Jan 31 2018, Chuck Lever wrote:

>> On Jan 31, 2018, at 2:57 PM, Steve Dickson <SteveD@xxxxxxxxxx> wrote:
>> 
>> 
>> 
>> On 01/31/2018 02:43 PM, Chuck Lever wrote:
>>> 
>>> 
>>>> On Jan 31, 2018, at 2:31 PM, Steve Dickson <SteveD@xxxxxxxxxx> wrote:
>>>> 
>>>> 
>>>> 
>>>> On 01/29/2018 01:44 AM, Naruto Nguyen wrote:
>>>>> Hello,
>>>>> 
>>>>> Just would like to add for more information, when I start rpcbind
>>>>> normally, not via systemd, the random UDP is still opened
>>>>> 
>>>>> Could you please share any ideas on this?
>>>> The bound UDP socket is used for remote calls... Where rpcbind
>>>> is asked to make a remote RPC for another caller... 
>>>> 
>>>> Antiquated? yes.. but harmless.
>>> 
>>> Not quite harmless. It can occupy a privileged port that belongs
>>> to a real service.
>> fair enough... 
>> 
>>> 
>>> We should change rpcbind to retain CAP_NET_BIND_SERVICE, so that
>>> it doesn't have to hold onto that port indefinitely. It should
>>> be able to bind to an outgoing privileged port whenever it needs
>>> one.
>> Or we just avoid known ports like sm-notify does.
>
> statd, you mean. It should also retain CAP_NET_BIND_SERVICE instead
> of what it does now, IMO.
>
> Note that in both of these cases, that long-lived port is never going
> to be used, going forward: 
>
> - no one uses the rpcbind port-forward service that I know of

  ypbind --broadcast
??

I don't see a problem with adding an option to disable it.
I don't think it is harmful enough to make that option the default
(though individual distributors might choose to add the command-line
flag by default).

>
> - NLM is going out of style

"style" isn't a word that I would use with NLM :-)
but I suspect NLM will still be used for some time yet.

>
> If we can make these two cases on-demand instead, so much the better,
> I say. As Mr. Talpey pointed out recently, the only long-lived
> privileged ports we should see on Linux are well-known service
> listeners, not outgoing ports.
>
> A fix for rpcbind might be to add a cmd-line flag to enable the
> rpcbind forwarding service, and have the service default to disabled.
> I'm not sure why rpcbind would list an outgoing port in its portmap
> menu. Are you sure that this is the forwarding reflector port?

rpcbind doesn't list the outgoing port.
The listing you saw was from "netstat -uap" or similar.

NeilBrown


>
>
>> steved.
>> 
>>> 
>>> 
>>>> steved.
>>>> 
>>>>> 
>>>>> Brs,
>>>>> Bao
>>>>> 
>>>>> On 27 January 2018 at 19:50, Naruto Nguyen <narutonguyen2018@xxxxxxxxx> wrote:
>>>>>> I would like to ask you a question regarding the new random UDP port
>>>>>> in rpcbind 0.2.3.
>>>>>> 
>>>>>> In rpcbind 0.2.3, when I start rpcbind (version 0.2.3) through
>>>>>> rpcbind.service, then I do netstat
>>>>>> 
>>>>>> udp        0      0 0.0.0.0:111             0.0.0.0:*
>>>>>>        10408/rpcbind
>>>>>> udp        0      0 0.0.0.0:831             0.0.0.0:*
>>>>>>        10408/rpcbind
>>>>>> udp6       0      0 :::111                  :::*
>>>>>>        10408/rpcbind
>>>>>> udp6       0      0 :::831                  :::*
>>>>>>        10408/rpcbind
>>>>>> 
>>>>>> The rpcbind does not only listen on port 111 but also on a random udp
>>>>>> port "831" in this case, this port is changed every time the rpcbind
>>>>>> service restarts. And it listens on 0.0.0.0 so it opens a hole in
>>>>>> security. Could you please let me know what this port is for and is
>>>>>> there any way to avoid that like force it listen on an internal
>>>>>> interface rather than on any interfaces like that? I do not see the
>>>>>> random port on rpcbind 0.2.1, not sure why? As the rpcbind is started
>>>>>> from systemd so "-h" option is invalid as the man page says:
>>>>>> 
>>>>>> 
>>>>>>  -h      Specify specific IP addresses to bind to for UDP requests.
>>>>>>          This option may be specified multiple times and can be used to
>>>>>>          restrict the interfaces rpcbind will respond to.  Note that when
>>>>>>          rpcbind is controlled via systemd's socket activation, the -h
>>>>>>          option is ignored. In this case, you need to edit the ListenStream
>>>>>>          and ListenDgram definitions in /usr/lib/systemd/system/rpcbind.socket
>>>>>>          instead.
>>>>>> 
>>>>>> Thanks a lot,
>>>>>> Brs,
>>>>>> Naruto
>>>>> --
>>>>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>>>>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>>>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>>> 
>>> 
>>> --
>>> Chuck Lever
>
> --
> Chuck Lever
>
>
>
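A defender-side check for the state this thread describes (rpcbind holding a second, wildcard-bound UDP port besides 111), added here as an example and not code from the thread or from rpcbind itself: it reads "netstat -uanp" style output, joins the wrapped PID/Program continuation lines seen in the quoted listing, and reports every rpcbind UDP socket that is not on port 111, noting whether it sits in the privileged range that the thread worries about. The sample lines are constructed from the listing above plus one unrelated tcp line.

```shell
#!/bin/sh
# Expected state: rpcbind listens only on the portmapper port 111 (udp and udp6).
# Anything else owned by rpcbind is reported, tagged "privileged" when < 1024.

# Constructed sample, reflowed from the quoted netstat listing. netstat -p wraps
# the PID/Program column onto an indented continuation line, kept here on purpose.
SAMPLE='udp        0      0 0.0.0.0:111             0.0.0.0:*
       10408/rpcbind
udp        0      0 0.0.0.0:831             0.0.0.0:*
       10408/rpcbind
udp6       0      0 :::111                  :::*
       10408/rpcbind
udp6       0      0 :::831                  :::*
       10408/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd'

# rpcbind_extra_ports: netstat output on stdin; prints one line per rpcbind UDP
# socket off port 111 as "<proto> <local-address> <port> <privileged|unprivileged>".
rpcbind_extra_ports() {
    awk '
        # Indented line: a wrapped continuation, glue it onto the pending record.
        /^[ \t]/ { pending = pending " " $0; next }
        { if (pending != "") process(pending); pending = $0 }
        END { if (pending != "") process(pending) }
        function process(line,   f, n, laddr, port, proto) {
            n = split(line, f, /[ \t]+/)
            proto = f[1]
            if (proto != "udp" && proto != "udp6") return
            if (line !~ /\/rpcbind([ \t]|$)/) return
            laddr = f[4]                      # e.g. 0.0.0.0:831 or :::831
            port = laddr; sub(/.*:/, "", port)  # keep only the port number
            if (port == "111") return         # the portmapper itself is expected
            printf "%s %s %s %s\n", proto, laddr, port,
                   (port + 0 < 1024 ? "privileged" : "unprivileged")
        }
    '
}

# Live use would be: netstat -uanp | rpcbind_extra_ports
printf '%s\n' "$SAMPLE" | rpcbind_extra_ports
```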
