Date: Wed, 15 Aug 2007 14:55:25 -0400
From: Ezra Peisach <epeisach@bu.edu>
To: krb5-bugs@mit.edu
Subject: FC7 failure in testsuite - rpc binding

In Fedora 7 - portmap has been replaced with rpcbind. They are using
the tirpc libraries.

rpcbind will by default reject set & unset requests unless the client
uses a local socket in /var/run/rpcbind.sock.

It is possible to instruct rpcbind to explicitly allow the loopback
device, but this is not the default configuration.

I believe pmap_set() and pmap_unset() in the krb5 rpc library need to
detect and attempt to use the socket if possible...

I will investigate....

Ezra

From: Ken Raeburn <raeburn@MIT.EDU>
Subject: Re: [krbdev.mit.edu #5652] FC7 failure in testsuite - rpc binding
Date: Wed, 15 Aug 2007 21:19:35 -0400
To: rt@krbdev.mit.edu
RT-Send-Cc:
On Aug 15, 2007, at 21:11, Ezra Peisach via RT wrote:
> In Fedora 7 - portmap has been replaced with rpcbind. They are using
> the tirpc libraries.
>
> rpcbind will by default reject set & unset requests unless the client
> uses a local socket in /var/run/rpcbind.sock.

I think the Mac OS X portmapper, as started from launchd, also
expects this behavior. It will accept registrations via loopback
once launched, but I don't think attempts to register via loopback
will cause launchd to start it.

> I will investigate....

Thanks.

Ken

Subject: lib/rpc should have way to register with secure rpcbind using unix domain socket
Under Fedora 10 and other OSes - portmap has been replaced by rpcbind.

Security considerations have "improved" - requiring a loopback socket
and a reserved port (<1024) unless certain flags are given.

Looking at the sources for rpcbind - there is now support for a unix
domain socket connection - which is known to be local - and does not
therefore require a reserved port.

Either the rpc layer should be replaced with a newer implementation or
the library could be shoehorned to attempt to use a unix domain socket
if present.