
Bug#329941: marked as done (ITP: portreserve - Port reservation program)



Your message dated Sun, 06 Nov 2005 10:55:43 -0800
with message-id <E1EYpg7-0003R1-00@spohr.debian.org>
and subject line Bug#329941: fixed in portreserve 0.0.0-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 24 Sep 2005 15:44:50 +0000
>From jfs@computer.org Sat Sep 24 08:44:50 2005
Return-path: <jfs@computer.org>
Received: from 148.red-213-96-98.staticip.rima-tde.net (javifsp.no-ip.org) [213.96.98.148] (Debian-exim)
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EJCCn-0001Lv-00; Sat, 24 Sep 2005 08:44:50 -0700
Received: from jfs by javifsp.no-ip.org with local (Exim 4.52)
	id 1EJCCk-0000fT-66
	for submit@bugs.debian.org; Sat, 24 Sep 2005 17:44:46 +0200
Date: Sat, 24 Sep 2005 17:44:46 +0200
From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: submit@bugs.debian.org
Subject: ITP: portreserve - Port reservation program
Message-ID: <20050924154446.GA25451@javifsp.no-ip.org>
Mail-Followup-To: submit@bugs.debian.org
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="gj572EiMnwbLXET9"
Content-Disposition: inline
User-Agent: Mutt/1.5.10i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
	version=2.60-bugs.debian.org_2005_01_02


--gj572EiMnwbLXET9
Content-Type: multipart/mixed; boundary="qDbXVdCdHGoSgWSk"
Content-Disposition: inline


--qDbXVdCdHGoSgWSk
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Package: wnpp
Version: N/A; reported 2005-09-24
Severity: wishlist

Package name : portreserve
Version : 0.0.0
Upstream Author : Tim Waugh <twaugh _AT_ redhat.com>
URL : http://cyberelk.net/tim/portreserve/
License : GPL
Description :  The portreserve program aims to help services with well-known
ports that lie in the bindresvport() range (currently 600-1023).
It prevents programs requesting a port to the libc from occupying
a real service's port by occupying it itself, until the real service
tells it to release the port (generally in its init script).

Preliminary packages are available at
http://people.debian.org/~jfs/portreserve/

The accompanying README.Debian file is attached

Regards

Javier

--qDbXVdCdHGoSgWSk
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="README.Debian"
Content-Transfer-Encoding: quoted-printable

portreserve for Debian
----------------------

This package is provided to solve an issue that affects some servers and
goes like this:

- an RPC server (ypbind, rpc.mountd...) runs on boot and requests a dynamic
  port < 1024 using glibc's bindresvport().
- The libc provides the RPC server with a service in the 600-1023 range with
  the following formula 'port = (PID % 424) + 600'. Unfortunately, this
  port is the same port of a well known service (cups, ldaps,
  kadmin, rsync, or SSL-enabled IMAP, IRC and POP3 servers) which has not
  yet started.
- the well-known service tries to start later in the boot sequence and
  fails because the port is assigned


If you look at /etc/services you will see that the services affected
with this issue are typically:

  631     IPP == CUPS
  636     LDAPS
  749     Kerberos V kadmin
  783     SpamAssassin
  873     rsyncd
  992-995 SSL-enabled telnet and ftp, IMAP, IRC, and POP3

It has been suggested a number of times to add these ports to a blacklist
in libc but the glibc maintainers are against this as the affected services
might change with time (Note: sometimes this has been requested in portmap,
which is wrong since portmap does not assign ports, just registers them after
being assigned).

Typically local admins would fix this issue by changing the boot order
of services so that the server with the static well-known port was
started first, but sometimes this is not an option (i.e. mail servers
that rely on information maps from NIS).

Another option for local admins has been to assign static ports
to the RPC services _if_ the service allows for this
(like using '-p' with ypserv or ypbind). This also helps in setting
up packet filters for RPC services.

What can I do to fix this issue?
--------------------------------
(Written for admins, but maintainers can adapt this easily to their
packages too)

If you are running some of the servers above and are affected by this issue
you need to

a) Create a /etc/portreserve/$server file with a single line, the name of
   the service port as found in /etc/services or a service number

b) Modify the /etc/init.d/$server file and add this before the service
   is started:

   [ -x "`which portrelease`" ] && portrelease $server

Notice that some package maintainers might gradually add this by default so
you might find that it has already been done for you. If it hasn't you
might want to submit a bug to the Debian package quoting the above and
asking the maintainer to 'Recommend' portreserve. That way you will
not have to maintain these local changes yourself.

Possible issues:
----------------

If an RPC service is already running and you install a new package that
provides a daemon that requires the same port the installation will fail
_even_ if the package uses portreserve and portreserve is installed.

There is no way around this, since it would not make sense to have portreserve
pre-configured for all possible services that require static ports if an admin
is never going to install them and it's more manageable to have packages
provide the services than having a central blacklist.

In any case, admins that want to use portreserve as a blacklist regardless
of the service being installed can do that through /etc/portrelease

Further references:
------------------

Debian BTS:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=261484 [portmap]
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=306465 [nis]
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=257876 [nis]

Red Hat's Bugzilla:
https://bugzilla.redhat.com/103401
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154800

Debian mailing lists:
http://lists.debian.org/debian-devel/2004/10/threads.html#00292
http://lists.debian.org/debian-devel/2005/09/thrd3.html#01062

 -- Javier Fernandez-Sanguino Pen~a <jfs@computer.org>, Sat, 24 Sep 2005 16:07:56 +0200

--qDbXVdCdHGoSgWSk--

--gj572EiMnwbLXET9
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDNXRusandgtyBSwkRAv4JAJ9CWcebV4j54D1OfTIOIiYlziXACACfatFM
N6EPFXFSpBwLU09KAko+mH0=
=Yoqj
-----END PGP SIGNATURE-----

--gj572EiMnwbLXET9--
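
The port choice described in the README above, modelled as an added example (not part of the original message, and not code from portreserve or glibc). The function names and PID 455 are constructed for illustration, and the step that skips a port that is already bound and tries the next one is an assumption about the libc's behaviour that the README implies but does not spell out.

```shell
#!/bin/sh
# Added example: model of the bindresvport() port choice from the README.
STARTPORT=600; ENDPORT=1023
NPORTS=$(( ENDPORT - STARTPORT + 1 ))      # 424, the modulus in the formula

# Well-known ports from the README's table (992-995 expanded).
WELL_KNOWN="631 636 749 783 873 992 993 994 995"

# first_try PID: the port the README's formula yields for that PID.
first_try() { echo $(( ($1 % NPORTS) + STARTPORT )); }

# pick_port PID "BUSY...": port obtained when the ports in BUSY are already
# bound. Assumption: a busy port is skipped and the next one tried, wrapping.
pick_port() {
    busy=" $2 "; port=$(first_try "$1"); tries=0
    while [ "$tries" -lt "$NPORTS" ]; do
        case "$busy" in
            *" $port "*) ;;                 # already bound, keep looking
            *) echo "$port"; return 0 ;;
        esac
        port=$(( port + 1 )); tries=$(( tries + 1 ))
        if [ "$port" -gt "$ENDPORT" ]; then port=$STARTPORT; fi
    done
    return 1                                # every port in the range is busy
}

# stolen_by PID "RESERVED...": well-known port the RPC server with this PID
# ends up on, or nothing if it lands elsewhere. RESERVED are the ports that
# are being held (for example by portreserve) at that moment.
stolen_by() {
    got=$(pick_port "$1" "$2") || return 1
    case " $WELL_KNOWN " in *" $got "*) echo "$got" ;; esac
}

# Constructed scenario: an RPC server started early in boot with PID 455.
if [ "${1:-}" = "demo" ]; then
    echo "first try for PID 455:  $(first_try 455)"
    echo "nothing reserved:       takes $(stolen_by 455 '')"
    echo "631 reserved:           gets $(pick_port 455 '631')"
    echo "631-635 busy, 636 free: takes $(stolen_by 455 '631 632 633 634 635')"
fi
```

Run with the argument `demo` to print the scenario. The last case shows why each well-known service in the range needs its own reservation: holding 631 alone only moves the RPC server to the next free port.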

---------------------------------------
Received: (at 329941-close) by bugs.debian.org; 6 Nov 2005 18:56:40 +0000
>From joerg@spohr.debian.org Sun Nov 06 10:56:40 2005
Return-path: <joerg@spohr.debian.org>
Received: from joerg by spohr.debian.org with local (Exim 3.36 1 (Debian))
	id 1EYpg7-0003R1-00; Sun, 06 Nov 2005 10:55:43 -0800
From: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
To: 329941-close@bugs.debian.org
X-Katie: lisa $Revision: 1.30 $
Subject: Bug#329941: fixed in portreserve 0.0.0-1
Message-Id: <E1EYpg7-0003R1-00@spohr.debian.org>
Sender: Joerg Jaspert <joerg@spohr.debian.org>
Date: Sun, 06 Nov 2005 10:55:43 -0800
Delivered-To: 329941-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: portreserve
Source-Version: 0.0.0-1

We believe that the bug you reported is fixed in the latest version of
portreserve, which is due to be installed in the Debian FTP archive:

portreserve_0.0.0-1.diff.gz
  to pool/main/p/portreserve/portreserve_0.0.0-1.diff.gz
portreserve_0.0.0-1.dsc
  to pool/main/p/portreserve/portreserve_0.0.0-1.dsc
portreserve_0.0.0-1_i386.deb
  to pool/main/p/portreserve/portreserve_0.0.0-1_i386.deb
portreserve_0.0.0.orig.tar.gz
  to pool/main/p/portreserve/portreserve_0.0.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 329941@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Pen~a <jfs@computer.org> (supplier of updated portreserve package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 24 Sep 2005 16:07:56 +0200
Source: portreserve
Binary: portreserve
Architecture: source i386
Version: 0.0.0-1
Distribution: unstable
Urgency: low
Maintainer: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Changed-By: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Description: 
 portreserve - Port reservation program
Closes: 329941
Changes: 
 portreserve (0.0.0-1) unstable; urgency=low
 .
   * Initial release (Closes: #329941)
   * This package should make it easier to fix #261484, #306465 and
     #257876 for admins bitten by these bugs. Package maintainers
     need to adapt their init scripts (and provide a /etc/portrelease file)
     in order for this to work in the long run.
   * Install portreserve in /sbin since it needs to run before the RPC
     services and, consequently, before nfs-common (so /usr is not assured)
   * Modify the RedHat script for Debian
Files: 
 7000ddf74eb7850e7903640a27d196b2 727 admin optional portreserve_0.0.0-1.dsc
 33def58b3f3c8e322f581e15f120dd61 78266 admin optional portreserve_0.0.0.orig.tar.gz
 a1d770927b47466a714e5d767d82c918 29407 admin optional portreserve_0.0.0-1.diff.gz
 00ee9c4e33d5f7657ccdf7b649dac0e4 11932 admin optional portreserve_0.0.0-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iQCVAwUBQzzlgvtEPvakNq0lAQIimwP/UNuLNbXpiIt94xlP2KqZUSBL939q1+Im
fztPS7xwE9MlixEAxJbV0/Hu0ZvyymPgB/XQw2Ksj7E3FwsutbCDP/p8QMftUaPj
yRdIVwiqwENySCoAVqTIbzV7jYfFXX9lGH1ZCXN2sQ0HxVsXX148xtzC0xiXm/qe
9vAZaNIF4Oo=
=Q45j
-----END PGP SIGNATURE-----


