[OE-core] [PATCH] rpcbind: add option to fix port number

Li.Wang Li.Wang at windriver.com
Tue Sep 9 08:33:53 UTC 2014


On 09/05/2014 11:24 PM, Burton, Ross wrote:
> On 12 August 2014 09:44, Li.Wang <Li.Wang at windriver.com> wrote:
>>      Opening random ports in the privileged port range, among them one port that
>>      identifies itself as pop3s, is not a good practice. Both Ericsson and our
>>      customers run regular vulnerability assessment tools against our product,
>>      and this will clearly be seen as a potential problem. Furthermore, we will
>>      not be able to filter the ports, since they are random, and neither will we
>>      be able to provide decent answers to our customers. To summarize: this
>>      should be taken care of, i.e. fix rpcbind so that it uses a non-random port
>>      and/or to bind to a specific interface.
> This has been bothering me so I just did some digging.  rpcbind
> opening random ports is rather "misguided" but it appears that passing
> -s to rpcbind will cause it to drop its privs and setuid down to
> "daemon", with the side-effect that it can't open the privileged ports
> anymore.
>
> (source: http://wiki.metawerx.net/wiki/setrpcrandomport)
This way uses a dynamic library, and I use a command option, which inserts
code into rpcbind.
I think our thoughts are the same, but the implementations are different.

Indeed, rpcbind has two random ports:
one can be fixed by the configuration file;
the patch targets the other one.

Thanks,
LiWang.
>
> Ross
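
A check for the condition discussed in this thread, as an added example that is not part of the original mails or of the rpcbind patch: it parses a UDP socket listing and reports every rpcbind socket bound to a port other than 111. The `ss -H -ulnp` line format, the function name and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed input: one line per socket as printed by `ss -H -ulnp` (iproute2), e.g.
#   UNCONN 0 0 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=612,fd=6))
SOCK_RE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)
RPCBIND_PORT = 111     # well-known portmapper port, the only one expected
PRIVILEGED_MAX = 1023  # ports up to this value need root to bind


def audit_rpcbind_sockets(ss_lines, allowed_ports=(RPCBIND_PORT,)):
    """Return one finding per rpcbind UDP socket on a port not in allowed_ports."""
    findings = []
    for line in ss_lines:
        m = SOCK_RE.match(line.strip())
        if not m or m.group("proc") != "rpcbind":
            continue  # unparsable line or a different daemon
        port = int(m.group("port"))
        if port in allowed_ports:
            continue
        findings.append({
            "addr": m.group("addr"),
            "port": port,
            "pid": int(m.group("pid")),
            # A privileged extra port means rpcbind bound it while still root.
            "privileged": port <= PRIVILEGED_MAX,
            # Wildcard bind: reachable on every interface, so harder to filter.
            "all_interfaces": m.group("addr") in ("0.0.0.0", "*", "[::]"),
        })
    return findings


# Constructed sample listing (not captured from a real system).
SAMPLE = """\
UNCONN 0 0 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=612,fd=6))
UNCONN 0 0 0.0.0.0:995 0.0.0.0:* users:(("rpcbind",pid=612,fd=7))
UNCONN 0 0 [::]:111 [::]:* users:(("rpcbind",pid=612,fd=9))
UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=580,fd=5))
UNCONN 0 0 0.0.0.0:40213 0.0.0.0:* users:(("rpcbind",pid=612,fd=10))
""".splitlines()

if __name__ == "__main__":
    for f in audit_rpcbind_sockets(SAMPLE):
        kind = "privileged" if f["privileged"] else "unprivileged"
        print(f'rpcbind pid {f["pid"]}: extra {kind} UDP port {f["port"]} on {f["addr"]}')
```

Run against a real listing before and after a change to the rpcbind start-up options to confirm whether the extra port is gone, fixed, or merely moved out of the privileged range.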



