Re: Bug#638322: nfs-common: rpc.statd binds to udp port 631 preventing cups startup



On Fri, 19 Aug 2011, Guus Sliepen <guus@debian.org> wrote:
> We could also patch bindresvport() to skip all ports mentioned in
> /etc/services, to get similar behaviour as with SE Linux. Or patch the
> programs using it to first try to bind to a static port that does not
> conflict with those in /etc/services, and if that fails fall back to
> bindresvport().

That would be a viable option.  On my system there are 124 TCP ports listed 
with numbers <1024 (which seems to be the main problem area).  Losing 12% of 
the address space seems viable.

One thing to note when comparing this to SE Linux is that the SE Linux policy 
labels some ports that aren't in /etc/services but which are in relatively 
common use.  One example is port 24 for LMTP.  Also, with SE Linux there is an 
easy way of adding new port labels, and as the typical daemon won't be 
permitted to bind to an unlabeled port, the sysadmin is compelled to do the 
correct thing.

Now one could patch bindresvport() to also check /etc/services.local or some 
other source of configuration information about which ports are likely to be 
used.  But getting the users to accept that will take some effort.

Of course most users just don't have enough RPC traffic to generate the 
problem.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
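The approach discussed above, a bindresvport()-style allocator that skips every port listed in /etc/services for the protocol and then falls through to the next candidate when a bind fails, written out as an added example. This is not code from the bug report, nfs-common, glibc or libtirpc. It assumes the 512..1023 walk-down that the real bindresvport() uses, parses a constructed /etc/services excerpt embedded in the file instead of reading the real one, and takes the bind step as a callback so the selection logic can be exercised without root; bind_fd_to_port() is the real bind(2) step and needs CAP_NET_BIND_SERVICE to succeed.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define NPORTS    1024   /* only privileged ports matter for this problem */
#define RESV_LOW  512    /* assumed lower bound of the bindresvport() range */
#define RESV_HIGH 1023   /* IPPORT_RESERVED - 1 */

/* Constructed /etc/services excerpt used as sample input; not the real file. */
static const char SAMPLE_SERVICES[] =
    "# Network services, Internet style (constructed sample)\n"
    "ftp\t\t21/tcp\n"
    "ssh\t\t22/tcp\n"
    "lmtp\t\t24/tcp\t\t# LMTP Mail Delivery\n"
    "ipp\t\t631/tcp\t\t# Internet Printing Protocol\n"
    "ipp\t\t631/udp\n"
    "kerberos4\t750/udp\t\tkerberos-iv kdc\n"
    "rsync\t\t873/tcp\n"
    "\n";

/* Mark every port below NPORTS that `text` (services-file format) lists for
 * `proto` ("tcp" or "udp"): listed[p] != 0 afterwards.  Comments, blank lines
 * and alias columns are ignored.  Returns the number of distinct ports found. */
int load_listed_ports(const char *text, const char *proto, unsigned char listed[NPORTS]) {
    char *copy = strdup(text), *save_line = NULL, *line;
    int count = 0;
    memset(listed, 0, NPORTS);
    if (!copy) return -1;
    for (line = strtok_r(copy, "\n", &save_line); line; line = strtok_r(NULL, "\n", &save_line)) {
        char *hash = strchr(line, '#');          /* strip trailing comment */
        if (hash) *hash = '\0';
        char *save_tok = NULL;
        char *name = strtok_r(line, " \t", &save_tok);
        char *spec = name ? strtok_r(NULL, " \t", &save_tok) : NULL;
        if (!spec) continue;                      /* blank or comment-only line */
        char *slash = strchr(spec, '/');          /* spec looks like "631/udp" */
        if (!slash) continue;
        *slash = '\0';
        if (strcmp(slash + 1, proto) != 0) continue;
        char *end;
        long port = strtol(spec, &end, 10);
        if (*end || port < 0 || port >= NPORTS) continue;
        if (!listed[port]) count++;
        listed[port] = 1;
    }
    free(copy);
    return count;
}

/* Walk down from RESV_HIGH to RESV_LOW the way bindresvport() does, but skip
 * every port in `listed` and take the first one `try_bind` accepts.
 * `try_bind` returns 0 on success, -1 otherwise.  Returns the port or -1. */
int pick_unlisted_resvport(const unsigned char listed[NPORTS],
                           int (*try_bind)(int port, void *ctx), void *ctx) {
    for (int port = RESV_HIGH; port >= RESV_LOW; port--) {
        if (listed[port]) continue;
        if (try_bind(port, ctx) == 0) return port;
    }
    return -1;
}

/* Real bind step: ctx points at the socket fd.  Fails with EACCES unless the
 * process has CAP_NET_BIND_SERVICE, and with EADDRINUSE if the port is taken. */
int bind_fd_to_port(int port, void *ctx) {
    int fd = *(int *)ctx;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons((uint16_t)port);
    return bind(fd, (struct sockaddr *)&sin, sizeof sin);
}

/* Stand-in bind step for exercising the fall-through without root: ctx points
 * at a threshold, and every port above it is reported as already in use. */
int refuse_above(int port, void *ctx) {
    return port > *(int *)ctx ? -1 : 0;
}

int main(void) {
    unsigned char listed[NPORTS];
    int n = load_listed_ports(SAMPLE_SERVICES, "udp", listed);
    printf("%d udp ports listed below %d in the sample\n", n, NPORTS);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    int port = pick_unlisted_resvport(listed, bind_fd_to_port, &fd);
    if (port < 0)
        printf("no unlisted reserved port could be bound: %s\n", strerror(errno));
    else
        printf("bound to udp/%d; udp/631 skipped: %s\n", port, listed[631] ? "yes" : "no");
    close(fd);
    return 0;
}
```

Feeding the real file is just a matter of reading /etc/services into the string passed to load_listed_ports(); the walk then never hands udp/631 to rpc.statd while CUPS is installed, and a port held by another process is passed over rather than returned.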

