From owner-freebsd-security Tue Oct 17 11:51:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from web110.yahoomail.com (web110.mail.yahoo.com [205.180.60.80]) by hub.freebsd.org (Postfix) with SMTP id 2DCF937B4E5 for ; Tue, 17 Oct 2000 11:51:40 -0700 (PDT)
Received: (qmail 262 invoked by uid 60001); 17 Oct 2000 18:51:35 -0000
Message-ID: <20001017185135.261.qmail@web110.yahoomail.com>
Received: from [209.247.40.201] by web110.yahoomail.com; Tue, 17 Oct 2000 11:51:35 PDT
Date: Tue, 17 Oct 2000 11:51:35 -0700 (PDT)
From: Guolin Cheng
Subject: Reserved ports too limited for amd (automount) on FreeBSD 4.1 - bug created by security fix by Erez Zadok (1999-08-22)
To: ezk@shekel.mcl.cs.columbia.edu, jch@BSDI.COM, freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

hi, all,

I find a really troublesome problem with amd... Could you give some help on it?

Problem Summary:

amd (automount) problem on a FreeBSD 4.1 machine, due to the limited reserved ports (600-1023). An amd compile-time (hidden?) switch/option is needed to disable using reserved ports by default, or can we set some configuration files to instruct amd not to use reserved ports? Or can we have a patch file to correct this problem?

Methods listed as the following were already taken and proved useless.

1) change kernel parameters (/etc/sysctl.conf, and/or the sysctl -w command) to expand the range of reserved ports, but it led to problems with rsh, rexec, rlogin, ... which accept connections only from ports in the range [512,1023].

2) change IPPORT_RESERVED in /usr/src/sys/netinet/in.h and recompile the amd function, but now the new kernel can not run amd at all. I have to use the old kernel.

The following is some parts from the file /usr/src/contrib/ChangeLog.. I really don't know why we ask the amd function to use reserved ports by default??

----------------------------------------------------------------
1999-08-22  Erez Zadok

	* libamu/wire.c (getwire_lookup): correctly compute subnet using
	netmask.

	* libamu/mount_fs.c (compute_automounter_nfs_args): require that
	Amd's own NFS mounts use reserved ports (if possible).  IP packet
	security fix from Jeffrey C Honig.

	* conf/transp/transp_tli.c (create_autofs_service): use correct
	autofs_port.  IP packet security fix from Jeffrey C Honig.

	* conf/transp/transp_sockets.c (bindnfs_port): remove unnecessary
	function.  IP packet security fix from Jeffrey C Honig.
	(create_nfs_service): use bind_resv_port() directly.  ensure that
	privileged ports are used.  IP packet security fix from Jeffrey C
	Honig.

	* amd/nfs_prot_svc.c (nfs_program_2): verify that requests come
	from reserved ports and from a local IP address.  IP packet
	security fix from Jeffrey C Honig.

	* amd/amq_subr.c (ok_security): use IPPORT_RESERVED, instead of
	hard-coded 1024.  IP packet security fix from Jeffrey C Honig.
	(amqproc_mount_1_svc): provide information on the caller making
	an amq -M request.  IP packet security fix from Jeffrey C Honig.

	* amd/map.c (free_map_if_success): If the program doing an unmount
	of a program filesystem fails, amd tries to interpret the return
	code as an errno.  Fix from Jeffrey C Honig.
-------------------------------------------------------------------------------------

Can anyone give us some help on how to revert to an old compatible version of amd, or on how to correctly change the .c/.h files under the amd directory?

Yours sincerely,

Guolin Cheng


Guolin Cheng wrote in message news:<20001017162441.7770.qmail@web110.yahoomail.com>...
> Doug Barton,
>
> Thanks.
>
> I already did the step, changed the IPPORT_RESERVED parameter in
> /usr/src/sys/netinet/in.h and recompiled it, but the problem is: it aborted
> when compiling! I have to use an old kernel.
>
> I want to know if there is a switch/option that we can set so that amd will
> not use reserved ports by default, or if there are other versions of amd that
> don't use reserved ports by default. Thanks.
>
> You know, if we change the range of reserved ports, the R-commands (rsh,
> rlogin, rexec..) will run into trouble, because R-daemons can only accept
> connection requests using ports between 512 and 1023!!! too terrible!
>
> Yours sincerely,
>
> Guolin Cheng
>
>
> --- Doug Barton wrote:
> > On Mon, 16 Oct 2000, Guolin Cheng wrote:
> >
> > > Matt Heckaman,
> > >
> > > Thanks.
> > >
> > > I changed it using the sysctl command after the FreeBSD 4.1 reboot, the problem is:
> > > even though the parameter is changed (sysctl -w net.inet.ip.portrange.lowfirst=2023),
> > > amd is still using ports <1024, since the reserved ports were already in use
> > > from 1023! and now they will be used one by one sequentially!!! :((
> >
> > Your problem is that by definition the secure port range ends at
> > 1023. You _may_ be able to get what you want by changing IPPORT_RESERVED
> > in /usr/src/sys/netinet/in.h and rebuilding your world and kernel, but
> > it'd be a hack of potentially dangerous proportions.
> >
> > Doug
> > --
> > "The dead cannot be seduced."
> > - Kai, "Lexx"
> >
> > Do YOU Yahoo!?
>
>
> =====
> With Best Regards.
>
> Guolin Cheng
> Alexa Internet Company
> Presidio of San Francisco,
> San Francisco, CA 94129
> (415)561-6900 ext. 6021
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Messenger - Talk while you surf! It's FREE.
> http://im.yahoo.com/
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message


=====
With Best Regards.

Guolin Cheng
Alexa Internet Company
Presidio of San Francisco,
San Francisco, CA 94129
(415)561-6900 ext. 6021

__________________________________________________
Do You Yahoo!?
Yahoo! Messenger - Talk while you surf! It's FREE.
http://im.yahoo.com/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
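The ChangeLog quoted in the message describes the server side of the 1999 change: amd's NFS service verifies that each request comes from a reserved port and from a local IP address, and amq's ok_security compares against IPPORT_RESERVED rather than a hard-coded 1024. The C program below is an added illustration of that style of check written for this page; it is not amd's own code, and request_origin_ok, rcmd_client_port_ok, check_peer and the 192.0.2.10 "local" address are constructed for the example. IPPORT_RESERVED and IN_LOOPBACKNET come from <netinet/in.h> as on FreeBSD and glibc.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Request-origin check in the spirit of the amd change quoted above:
 * accept only if the caller's source port is a reserved (privileged)
 * port, i.e. strictly below IPPORT_RESERVED, AND the source address is
 * local. "Local" here means loopback (127/8) or any entry in a
 * caller-supplied list of this host's own addresses.
 * Constructed example code, not amd's ok_security()/nfs_program_2().
 */
int request_origin_ok(const struct sockaddr_in *from,
                      const struct in_addr *local_addrs, size_t nlocal)
{
    if (from->sin_family != AF_INET)
        return 0;

    /* Ports >= IPPORT_RESERVED (1024) can be bound by any unprivileged
     * user on the peer, so they prove nothing about the caller. */
    if (ntohs(from->sin_port) >= IPPORT_RESERVED)
        return 0;

    /* 127.0.0.0/8 is always this host. */
    if ((ntohl(from->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET)
        return 1;

    for (size_t i = 0; i < nlocal; i++)
        if (local_addrs[i].s_addr == from->sin_addr.s_addr)
            return 1;
    return 0;
}

/* The r-daemons mentioned in the thread accept client connections only
 * from ports 512..1023; this is the window a widened "reserved" range
 * collides with. */
int rcmd_client_port_ok(unsigned short port)
{
    return port >= 512 && port < IPPORT_RESERVED;
}

/* Build a peer address from a dotted quad and a host-order port. */
static int make_peer(struct sockaddr_in *sa, const char *ip, unsigned short port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1;
}

/* Evaluate one peer against a single constructed local address
 * (192.0.2.10). Returns 1 (accept), 0 (reject) or -1 (bad address). */
int check_peer(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    struct in_addr local[1];

    if (!make_peer(&sa, ip, port))
        return -1;
    inet_pton(AF_INET, "192.0.2.10", &local[0]); /* constructed local address */
    return request_origin_ok(&sa, local, 1);
}

int main(void)
{
    const struct { const char *ip; unsigned short port; } peers[] = {
        { "127.0.0.1",    1023 }, /* loopback, reserved port: accept */
        { "127.0.0.1",    1024 }, /* loopback, first unreserved port: reject */
        { "192.0.2.10",    600 }, /* own address, reserved port: accept */
        { "198.51.100.7",  600 }, /* remote host, even from a reserved port: reject */
        { "192.0.2.10",   2023 }, /* own address, port from the widened sysctl range: reject */
    };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-14s port %4u -> %s\n", peers[i].ip, peers[i].port,
               check_peer(peers[i].ip, peers[i].port) == 1 ? "accept" : "reject");
    return 0;
}
```

The last row of the table in main is the situation the thread describes: once the server compares the source port against the compile-time IPPORT_RESERVED, moving the kernel's low port range with sysctl (net.inet.ip.portrange.lowfirst=2023) changes which ports clients get, not which ports the server will accept, so requests from the widened range are rejected. The reserved-port test itself is weak authentication (it only shows the sender was root on its own host), which is why the ChangeLog pairs it with the local-address test.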