[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Conflicting assignment of priviledged ports on boot

On boot some daemons (like nis/ypbind) obtain priviledged ports
via portmap/bindresvport(). Portmap assigns ports that are not in use
at the time of request, usually above 600. This strategy sometimes
conflicts with daemons that rely on fixed ports and that
start after ypbind (like cups, slapd): they find that their port
is already in use.
This problem is well known since at least two years, not just with Debian
but also with other Linux versions like Redhat [1,2].

Starting ypbind later during boot is no solution in general since some
services rely on ypbind AND fixed priviledged ports.
Possible solutions are:

- Modify portmap/bindresvport such that certain blacklisted
  ports are skipped even if they are not yet in use when a
  new priviledged port ist requested.

- Make use of a program like portreserve/portrelease [3].
  When the portreserve daemon is started, it examines the /etc/portreserve/
  directory. Each file not containing "." or "~" in its name is considered
  to be a service configuration file, and must contain a service name
  (as listed in /etc/services) or a port number. For example,
  /etc/portreserve/cups might contain the string "ipp".
  For each service configuration file, a socket is created and bound
  to the appropriate port. A service wishing to bind to its port must
  first run portrelease, which instructs portreserve to release the port
  associated with the service.

The second solution requires only a few changes to Debian:
- every daemon relying on a fixed port that might be affected by portmap
  has to drop a file in /etc/portreserve upon package installation.
  Furthermore, its init script has to call portrelease before the
  daemon is started.
- portreserve/portrelease has to be included with Debian.

I propose to modify Debian in this way.


[1] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=103401
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=306465
[3] http://cyberelk.net/tim/portreserve/

Reply to: