From owner-freebsd-bugs Thu Nov 4 9:50:46 1999 Delivered-To: freebsd-bugs@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 314F615828 for ; Thu, 4 Nov 1999 09:50:43 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id JAA47168; Thu, 4 Nov 1999 09:50:01 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id B6EDB14DED for ; Thu, 4 Nov 1999 09:40:01 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com) Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id MAA20940; Thu, 4 Nov 1999 12:42:38 -0500 (EST) (envelope-from cjc) Message-Id: <199911041742.MAA20940@cc942873-a.ewndsr1.nj.home.com> Date: Thu, 4 Nov 1999 12:42:38 -0500 (EST) From: "Crist J. Clark" Reply-To: cjc@cc942873-a.ewndsr1.nj.home.com To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.2 Subject: bin/14709: umountall requests possibly mishandled by mountd(8) Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 14709 >Category: bin >Synopsis: umountall requests possibly mishandled by mountd(8) >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Nov 4 09:50:00 PST 1999 >Closed-Date: >Last-Modified: >Originator: Crist J. Clark >Release: FreeBSD 3.3-STABLE i386 >Organization: >Environment: FreeBSD 3.x system with mountd(8) running. >Description: Several users have reported (search the -questions mail archive on the string 'umountall' for a sample) strange messages of the form, mountd[]: umountall request from from unprivileged port Where is an IP address of the host (not the loopback, however) appearing in their messages log. No events taking place on the server in question seems to correlate the the messages. I have been able to build a very strong correlation between the messages and other computers on the local network being shutdown (see the mail archives, http://www.freebsd.org/cgi/getmsg.cgi?fetch=1737357+1744288+/usr/local/www/db/text/1999/freebsd-questions/19991017.freebsd-questions for some examples from my personal logs). I believe that when machines broadcast their impending shutdown to the network, the mountd(8) process produces these messages. The messages worry me for two reasons, (1) The server is reporting a request from _itself_ rather than the machine in question. This means that the server is either spoofing itself (very bad) or is trying to talk to itself on an unpriviliged port and failing (why would it do that?). (2) The machine that generates the umountall need not actually have mounted a filesystem from the server. In fact, in the example I referenced above, only one of the machines that caused a message by going down actually had mounted anything from the server. This _seems_ to say that any machine on the LAN, regardless of permissions to mount, could possibly exploit any problems that this message may be hinting to. >How-To-Repeat: From my experience and a quick look over other emails on this topic, all you need is a FreeBSD 3.x machine running mountd(8), then bring another machine on the network down (there may be ways to generate the error by doing something less extreme than shutting down a second machine, but this is when I observe the messages without fail). >Fix: Origin of problem not yet understood. >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message