From: Olaf Kirch
Subject: Re: Does mountd/statd really need to listen on a privileged port??
Date: Tue, 17 Apr 2007 12:14:35 +0200
Message-ID: <200704171214.35952.olaf.kirch@oracle.com>
References: <17950.44333.118970.276558@notabene.brown> <200704122055.12223.vapier@gentoo.org> <17950.57188.878877.547112@notabene.brown>
In-Reply-To: <17950.57188.878877.547112@notabene.brown>
To: nfs@lists.sourceforge.net
Cc: Neil Brown
List-Id: "Discussion of NFS under Linux development, interoperability, and testing."

On Friday 13 April 2007 03:39, Neil Brown wrote:
> > if that's true, then we could at least rewrite the socket code to bind to
> > ports that do not appear in /etc/services (via getservbyport()) ... that'd
> > allow admins to easily prevent things like mountd/statd from hijacking
> > reserved ports ...
>
> I had thought of that too. I'll probably implement it. Your code (in
> subsequent email) is a little more complicated than needed. Just
> repeatedly call bindresvport, closing if you don't like it. The port
> number tried increments each time.

The glibc shipped with Suse has a file called /etc/bindresvport.blacklist
that you can add ports to. I thought something similar had found its way
upstream by now, but unfortunately I can't find it. ALTLinux seems to
have this patch too.

Olaf
--
Olaf Kirch  |  --- o --- Nous sommes du soleil we love when we play
okir@lst.de |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
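
The retry loop described in the quoted text (call bindresvport repeatedly, close the socket if the port is unwanted), combined with a port blacklist of the kind mentioned in the reply, as an added C example that is not part of the original message and is not nfs-utils or glibc code. The function names, the constructed sample blacklist and its assumed format (one port number per line, `#` starting a comment) are assumptions.

```c
/* Added example; helper names are hypothetical, not nfs-utils or glibc code. */
#define _DEFAULT_SOURCE
#include <netdb.h>
#include <netinet/in.h>   /* declares bindresvport() on glibc */
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed sample; assumed format: one port per line, '#' starts a comment. */
const char SAMPLE_BLACKLIST[] = "# keep these free\n631  # ipp\n636\n\n993\n";

/* Return 1 if `port` is listed in the blacklist text `txt`. */
int port_blacklisted(const char *txt, int port)
{
    while (*txt) {
        char *end;
        long v = strtol(txt, &end, 10);   /* skips leading blanks and newlines */
        if (end != txt && v == port)
            return 1;
        txt = end + strcspn(end, "\n");   /* drop the rest of the line */
        txt += (*txt == '\n');
    }
    return 0;
}

/* Call bindresvport() repeatedly, closing the socket when the chosen port is in
 * /etc/services or the blacklist. Returns the fd, or -1 (e.g. not root). */
int bind_free_resvport(int type, const char *proto, const char *bl, int tries,
                       int *port_out)
{
    while (tries-- > 0) {
        struct sockaddr_in sin = { .sin_family = AF_INET };
        int fd = socket(AF_INET, type, 0);
        if (fd < 0)
            return -1;
        if (bindresvport(fd, &sin) == 0 && !getservbyport(sin.sin_port, proto) &&
            !port_blacklisted(bl, ntohs(sin.sin_port))) {
            *port_out = ntohs(sin.sin_port);
            return fd;
        }
        close(fd);   /* rejected: the next call tries the next port */
    }
    return -1;
}
```

A daemon would call `bind_free_resvport(SOCK_DGRAM, "udp", blacklist_text, 32, &port)` with the contents of the admin-maintained file; binding a reserved port requires root or CAP_NET_BIND_SERVICE.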