From: "Li.Wang" <Li.Wang@windriver.com>
To: "Burton, Ross" <ross.burton@intel.com>
Cc: OE-core <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH] rpcbind: add option to fix port number
Date: Tue, 9 Sep 2014 16:33:53 +0800
Message-ID: <540EBB71.2070105@windriver.com>
In-Reply-To: <CAJTo0Lbw53Ors3EiVY3Jx2_d-CQ7jf58-_Y1TJK3L4oz8QexaQ@mail.gmail.com>

On 09/05/2014 11:24 PM, Burton, Ross wrote:
> On 12 August 2014 09:44, Li.Wang <Li.Wang@windriver.com> wrote:
>> Opening random ports in privileged port range, among them one port that
>> identifies itself as pop3s, is not a good practice. Both Ericsson and our
>> customers run regular vulnerability assessment tools against our product,
>> and this will clearly be seen as a potential problem. Furthermore, we will
>> not be able to filter the ports, since they are random, and neither will we
>> be able to provide decent answers to our customers. To summarize: this
>> should be taken care of, ie fix rpcbind so that it uses a non random port
>> and/or to bind to a specific interface.
> This has been bothering me so I just did some digging. rpcbind
> opening random ports is rather "misguided" but it appears that passing
> -s to rpcbind will cause it to drop its privs and setuid down to
> "daemon", with the side-effect that it can't open the privileged ports
> anymore.
>
> (source: http://wiki.metawerx.net/wiki/setrpcrandomport)

This way uses a dynamic library, and I use a command option which inserts
code into rpcbind.
I think our thoughts are the same, but the complements are different.
Indeed, rpcbind has two random ports:
one can be fixed by the configuration file.
The patch is to point at the other one.

Thanks,
LiWang.

>
> Ross
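
An added example, not part of this thread or of the rpcbind patch: a check that lists every listening socket rpcbind holds besides port 111, which is the evidence the quoted assessment complaint is about and a way to confirm that a fix took effect. The `ss` output is a constructed sample, and the function name and the allowed-port default are assumptions.

```python
import re

# Constructed sample of `ss -H -lntup` output (run as root so the process
# column is filled in); not captured from a real host.
SAMPLE_SS_OUTPUT = """\
udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=612,fd=6))
udp UNCONN 0 0 0.0.0.0:995 0.0.0.0:* users:(("rpcbind",pid=612,fd=7))
udp UNCONN 0 0 [::]:847 [::]:* users:(("rpcbind",pid=612,fd=10))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=500,fd=6))
tcp LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=612,fd=8))
"""

PRIVILEGED_MAX = 1023  # ports below 1024 need root (or CAP_NET_BIND_SERVICE)


def unexpected_listeners(ss_output, process="rpcbind", allowed_ports=(111,)):
    """Return (proto, address, port, privileged) for every listening socket
    owned by `process` whose port is not in `allowed_ports`."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # blank line, or no process column (ss not run as root)
        proto, local, users = fields[0], fields[4], " ".join(fields[6:])
        # The process column looks like users:(("name",pid=N,fd=N),...)
        owners = re.findall(r'\("([^"]+)"', users)
        if process not in owners:
            continue
        # rpartition keeps IPv6 literals such as [::] intact
        address, _, port_text = local.rpartition(":")
        if not port_text.isdigit():
            continue
        port = int(port_text)
        if port not in allowed_ports:
            findings.append((proto, address, port, port <= PRIVILEGED_MAX))
    return findings


if __name__ == "__main__":
    for proto, address, port, privileged in unexpected_listeners(SAMPLE_SS_OUTPUT):
        kind = "privileged" if privileged else "unprivileged"
        print(f"rpcbind also listens on {proto} {address}:{port} ({kind})")
```

Run on a schedule against live `ss` output, an empty result after a restart shows that rpcbind holds only the ports you allow, so a firewall rule can name them.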