lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Nov 2009 21:42:01 +0000 From: Ben Hutchings <bhutchings@...arflare.com> To: Chuck Lever <chuck.lever@...cle.com> Cc: Chris Friesen <cfriesen@...tel.com>, Trond Myklebust <trond.myklebust@....uio.no>, netdev@...r.kernel.org, Linux kernel <linux-kernel@...r.kernel.org> Subject: Re: sunrpc port allocation and IANA reserved list On Tue, 2009-11-10 at 16:34 -0500, Chuck Lever wrote: > On Nov 10, 2009, at 4:32 PM, Ben Hutchings wrote: > > > On Tue, 2009-11-10 at 15:06 -0600, Chris Friesen wrote: > >> On 11/10/2009 02:26 PM, Trond Myklebust wrote: [...] > >>> Just use /proc/sys/sunrpc/{max,min}_resvport interface to restrict > >>> the > >>> range used to a safer one. That's what it is for... > > > > Unless I'm much mistaken, that only affects in-kernel SunRPC users. > > > >> What constitutes a "safer range"? IANA has ports assigned > >> intermittently all the way through the default RPC range. The > >> largest > >> unassigned range is 922-988 (since 921 is used by lwresd). If > >> someone > >> needs more than 66 ports, how are they supposed to handle it? > > > > I'm sure we could afford 128 bytes for a blacklist of privileged > > ports. > > However, the problem is that there is no API for userland to request > > 'any free privileged port' - it has to just try binding to different > > ports until it finds one available. > > bindresvport(3) and bindresvport_sa(3t) ? These are library calls; they are not an API between userland the kernel. > > This means that the kernel can't > > tell whether a process is trying to allocate a specifically assigned > > port or whether the blacklist should be applied. > > Such a blacklist would have to be managed by glibc or libtirpc. Right. Ben. -- Ben Hutchings, Senior Software Engineer, Solarflare Communications Not speaking for my employer; that's the marketing department's job. They asked us to note that Solarflare product names are trademarked. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists