Date:      Tue, 2 Mar 2004 21:58:10 +0000
From:      Bruce M Simpson <bms@spc.org>
To:        freebsd-security@FreeBSD.org
Subject:   [RELENG_4] Re: [PATCH] Force mountd(8) to a specified port.
Message-ID:  <20040302215810.GK7115@saboteur.dek.spc.org>
In-Reply-To: <20040302211030.GJ7115@saboteur.dek.spc.org>
References:  <20040302211030.GJ7115@saboteur.dek.spc.org>


--X3gaHHMYHkYqP6yf
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Tue, Mar 02, 2004 at 09:10:30PM +0000, Bruce M Simpson wrote:
> As you are aware, RPC applications can be forced to listen on a known port
> through the sin/sa argument to bindresvport[_sa](). Why several Linux
> distributions have this feature yet none of the BSDs do is beyond me...

Here's a similar patch for RELENG_4. Please give me feedback.

Regards,
BMS

--X3gaHHMYHkYqP6yf
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="mountd-port-stable.diff"

? .mountd.c.rej.swp
Index: mountd.8
===================================================================
RCS file: /home/ncvs/src/sbin/mountd/Attic/mountd.8,v
retrieving revision 1.16.2.2
diff -u -r1.16.2.2 mountd.8
--- mountd.8	8 Dec 2000 14:04:02 -0000	1.16.2.2
+++ mountd.8	2 Mar 2004 21:56:11 -0000
@@ -43,6 +43,7 @@
 .Sh SYNOPSIS
 .Nm
 .Op Fl 2dlnr
+.Op Fl p Ar port
 .Op Ar exportsfile
 .Sh DESCRIPTION
 .Nm Mountd
@@ -76,6 +77,18 @@
 that require it.
 It will automatically clear the vfs.nfs.nfs_privport sysctl flag, which
 controls if the kernel will accept NFS requests from reserved ports only.
+.It Fl p Ar port
+Force
+.Nm
+to bind to the specified port, for both
+.Vt AF_INET
+and
+.Vt AF_INET6
+address families.
+If
+.Nm
+cannot bind to this port, an appropriate error will be recorded in
+the system log, and the daemon will then exit.
 .It Fl r
 Allow mount RPCs requests for regular files to be served.
 Although this seems to violate the mount protocol specification,
Index: mountd.c
===================================================================
RCS file: /home/ncvs/src/sbin/mountd/Attic/mountd.c,v
retrieving revision 1.39.2.5
diff -u -r1.39.2.5 mountd.c
--- mountd.c	13 Sep 2002 15:57:43 -0000	1.39.2.5
+++ mountd.c	2 Mar 2004 21:56:11 -0000
@@ -238,8 +238,12 @@
 	int argc;
 	char **argv;
 {
+	struct sockaddr_in sin;
 	SVCXPRT *udptransp, *tcptransp;
+	char *endptr;
 	int c, error, mib[3];
+	int tcpsock, udpsock;
+	in_port_t svcport;
 	struct vfsconf vfc;
 
 	error = getvfsbyname("nfs", &vfc);
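Review bot: `svcport` is declared here without an initializer, yet the `if (svcport != 0)` test in the later socket-setup hunk reads it even when `-p` was never given, so the default path branches on an indeterminate value. Because `svcport` is new in this patch, none of the unchanged lines between the hunks can assign it. Declare it as `in_port_t svcport = 0;` so that 0 reliably means "no fixed port requested". The enclosing function (apparently main) starts before and ends after this hunk.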
@@ -252,7 +256,7 @@
 	if (error)
 		errx(1, "NFS support is not available in the running kernel");
 
-	while ((c = getopt(argc, argv, "2dlnr")) != -1)
+	while ((c = getopt(argc, argv, "2dlnp:r")) != -1)
 		switch (c) {
 		case '2':
 			force_v2 = 1;
@@ -269,6 +273,14 @@
 		case 'l':
 			log = 1;
 			break;
+		case 'p':
+			endptr = NULL;
+			svcport = (in_port_t)strtoul(optarg, &endptr, 10);
+			if (endptr == NULL || *endptr != '\0' ||
+			    svcport < IPPORT_RESERVEDSTART ||
+			    svcport >= 65535)
+				usage();
+			break;
 		default:
 			usage();
 		};
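Review bot: The cast to `in_port_t` happens before the range test, so an argument above 65535 is truncated to 16 bits and can pass the check as a different port than the administrator typed (constructed example: `66560` would be accepted as 1024). Keep the parsed value in a new `unsigned long` local, test `ulport < IPPORT_RESERVEDSTART || ulport > 65535`, and only then assign `svcport = (in_port_t)ulport;`. As written, the upper bound `>= 65535` also rejects port 65535 itself, which may not be intended. The accepted range includes ports at or above 1024, which an unprivileged local process can normally bind while mountd is down; if the fixed port is meant to anchor firewall rules, the man page could recommend a port below IPPORT_RESERVED.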
@@ -313,8 +325,24 @@
 			exit(1);
 		}
 	}
-	if ((udptransp = svcudp_create(RPC_ANYSOCK)) == NULL ||
-	    (tcptransp = svctcp_create(RPC_ANYSOCK, 0, 0)) == NULL) {
+	if ((udpsock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1 ||
+	    (tcpsock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
+		syslog(LOG_ERR, "can't create socket");
+		exit(1);
+	}
+	if (svcport != 0) {
+		bzero(&sin, sizeof(struct sockaddr_in));
+		sin.sin_len = sizeof(struct sockaddr_in);
+		sin.sin_family = AF_INET;
+		sin.sin_port = htons(svcport);
+		if (bind(udpsock, (struct sockaddr *)&sin, sizeof(sin)) == -1 ||
+		    bind(tcpsock, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
+			syslog(LOG_ERR, "can't bind socket");
+			exit(1);
+		}
+	}
+	if ((udptransp = svcudp_create(udpsock)) == NULL ||
+	    (tcptransp = svctcp_create(tcpsock, 0, 0)) == NULL) {
 		syslog(LOG_ERR, "can't create socket");
 		exit(1);
 	}
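Review bot: The new failure paths log fixed strings ("can't create socket", "can't bind socket") with no errno and no port number, so an operator cannot tell an address-in-use conflict from a permission problem. Something like `syslog(LOG_ERR, "can't bind to port %u: %m", (unsigned)svcport);` would deliver the "appropriate error" the added mountd.8 text promises. The sockets created and bound here are PF_INET only, while the new man page paragraph says the port applies to both AF_INET and AF_INET6; unless IPv6 transports are set up outside the visible hunks, that wording should be narrowed for this branch. Setting SO_REUSEADDR on the TCP socket before bind() is also worth considering, so a restart is not refused while old connections on the fixed port sit in TIME_WAIT. The enclosing function continues outside this hunk.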
@@ -340,7 +368,8 @@
 usage()
 {
 	fprintf(stderr,
-		"usage: mountd [-2] [-d] [-l] [-n] [-r] [export_file]\n");
+		"usage: mountd [-2] [-d] [-l] [-n] [-p <port>] [-r] "
+		"[export_file]\n");
 	exit(1);
 }
 

--X3gaHHMYHkYqP6yf--


