From: Steve Dickson <SteveD@redhat.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: "Andrew J. Schorr" <ajschorr@alumni.princeton.edu>,
	linux-nfs@vger.kernel.org
Subject: Re: proposed patch to rpcbind to provide finer-grained security controls than offered by the -i option
Date: Thu, 09 Dec 2010 19:07:32 -0500
Message-ID: <4D016F44.3020002@RedHat.com>
In-Reply-To: <DFA85276-FD83-47A6-A9CD-B0F0A11D6086@oracle.com>



On 12/09/2010 04:41 PM, Chuck Lever wrote:
> 
> On Dec 9, 2010, at 3:49 PM, Andrew J. Schorr wrote:
> 
>> Hi,
>>
>> The current rpcbind -i option seems to relax 3 different security requirements.
>> If the user wants to allow any one of the three, he is forced to allow
>> all 3.
>>
>> The attached patch introduces 3 new options (-c, -r, and -u) to break this
>> down to give the user control of which security requirements to relax.
>>
>> This patch compiles, but has not been tested yet.  If there is any
>> interest in accepting this, I will of course test it. :-)  But it's fairly
>> basic, so I thought I'd gauge the interest level first.  Steve
>> Dickson from Redhat suggested that I post here to discuss this issue
>> regarding https://bugzilla.redhat.com/show_bug.cgi?id=481422
> 
> Looking over the bug...
> 
> It sounds like your application is trying to use glibc's RPC 
> implementation with rpcbind.  If you build your application with 
> libtirpc instead, it should use an AF_UNIX socket to contact rpcbind 
> instead of loopback.  The AF_UNIX socket carries some authentication 
> information with the registration request.  All users of your 
> application would be allowed to set or unset RPC registrations 
> in that case.
> 
I was under the impression rebuilding the applications was not
possible... but maybe I misunderstood... 

But in the end, I guess I'm not against having functionality 
like this... If it makes it easier for people to port legacy
applications to Linux, it's probably a good thing... 

steved.
