Date: Tue, 17 Oct 2000 11:51:35 -0700 (PDT)
From: Guolin Cheng <chenggl@yahoo.com>
To: ezk@shekel.mcl.cs.columbia.edu, jch@BSDI.COM, freebsd-security@freebsd.org
Subject: Reserved ports too limited for amd (automount) on FreeBSD 4.1 - bug created by security fix by Erez Zadok (1999-08-22)
Message-ID: <20001017185135.261.qmail@web110.yahoomail.com>
Hi, all,
I have found a really troublesome problem with amd... Could you give some help on it?
Problem Summary:
amd (automount) problem on a FreeBSD 4.1 machine, due to the limited range of reserved ports
(600-1023). Is an amd compile-time (hidden?) switch/option needed to disable the use of
reserved ports by default, or can we set some configuration files to instruct
amd not to use reserved ports? Or can we have a patch file to correct this
problem?
The following methods have already been tried and proved useless.
1) Change kernel parameters (/etc/sysctl.conf, and/or the sysctl -w command) to
expand the range of reserved ports, but this leads to problems with rsh, rexec,
rlogin, ..., which accept connections from ports in the range [512,1023].
2) Change IPPORT_RESERVED in /usr/src/sys/netinet/in.h and recompile the amd
function, but now the new kernel cannot run amd at all. I have to use the old
kernel.
The following are some parts of the file /usr/src/contrib/ChangeLog.. I really
don't know why we ask the amd function to use reserved ports by default??
----------------------------------------------------------------
1999-08-22 Erez Zadok <ezk@shekel.mcl.cs.columbia.edu>
* libamu/wire.c (getwire_lookup): correctly compute subnet using
netmask.
* libamu/mount_fs.c (compute_automounter_nfs_args): require that
Amd's own NFS mounts use reserved ports (if possible). IP packet
security fix from Jeffrey C Honig <jch@BSDI.COM>.
* conf/transp/transp_tli.c (create_autofs_service): use correct
autofs_port. IP packet security fix from Jeffrey C Honig
<jch@BSDI.COM>.
* conf/transp/transp_sockets.c (bindnfs_port): remove unnecessary
function. IP packet security fix from Jeffrey C Honig
<jch@BSDI.COM>.
(create_nfs_service): use bind_resv_port() directly. ensure that
privileged ports are used. IP packet security fix from Jeffrey C
Honig <jch@BSDI.COM>.
* amd/nfs_prot_svc.c (nfs_program_2): verify that requests come
from reserved ports and from a local IP address. IP packet
security fix from Jeffrey C Honig <jch@BSDI.COM>.
* amd/amq_subr.c (ok_security): use IPPORT_RESERVED, instead of
hard-coded 1024. IP packet security fix from Jeffrey C Honig
<jch@BSDI.COM>.
(amqproc_mount_1_svc): provide information on the caller making an
amq -M request. IP packet security fix from Jeffrey C Honig
<jch@BSDI.COM>.
* amd/map.c (free_map_if_success): If the program doing an unmount
of a program filesystem fails, amd tries to interpret the return
code as an errno. Fix from Jeffrey C Honig <jch@BSDI.COM>.
-------------------------------------------------------------------------------------
Can anyone give us some help on how to revert to an old compatible version of
amd, or on how to correctly change the .c/.h files under the amd directory?
Yours sincerely,
Guolin Cheng
Guolin Cheng <chenggl@yahoo.com> wrote in message
news:<20001017162441.7770.qmail@web110.yahoomail.com>...
> Doug Barton,
>
> Thanks.
>
> I already did that step, changed the IPPORT_RESERVED parameter in
> /usr/src/sys/netinet/in.h and recompiled it, but the problem is: it aborted
> when compiling! I have to use an old kernel.
>
> I want to know if there is a switch/option that we can set so that amd will
> not use reserved ports by default, or if there are other versions of amd that
> don't use reserved ports by default. Thanks.
>
> You know, if we change the range of reserved ports, the R-commands (rsh,
> rlogin, rexec..) will run into trouble, because the R-daemons can only accept
> connection requests using ports between 512 and 1023!!! Too terrible!
>
> Yours sincerely,
>
> Guolin Cheng
>
>
> --- Doug Barton <DougB@gorean.org> wrote:
> > On Mon, 16 Oct 2000, Guolin Cheng wrote:
> >
> > > Matt Heckaman,
> > >
> > > Thanks.
> > >
> > > I changed it using the sysctl command after the FreeBSD 4.1 reboot, the problem is: even
> > > though the parameter is changed ( sysctl -w net.inet.ip.portrange.lowfirst=2023 ), the
> > > amd is still using ports <1024, since the reserved ports were already in use from
> > > 1023! and now they will be used one by one sequentially!!! :((
> >
> > Your problem is that by definition the secure port range ends at
> > 1023. You _may_ be able to get what you want by changing IPPORT_RESERVED
> > in /usr/src/sys/netinet/in.h and rebuilding your world and kernel, but
> > it'd be a hack of potentially dangerous proportions.
> >
> > Doug
> > --
> > "The dead cannot be seduced."
> > - Kai, "Lexx"
> >
>
>
> =====
> With Best Regards.
>
> Guolin Cheng
> Alexa Internet Company
> Presidio of San Francisco,
> San Francisco, CA 94129
> (415)561-6900 ext. 6021
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>
=====
With Best Regards.
Guolin Cheng
Alexa Internet Company
Presidio of San Francisco,
San Francisco, CA 94129
(415)561-6900 ext. 6021
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
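An added example for checking the condition the thread describes; it is not code from the thread, from amd, or from FreeBSD. It reads sockstat(1)-style lines (a constructed sample is embedded; the column layout and the function names are assumptions) and reports how many of the 600-1023 ports that amd's bind_resv_port() draws from are still free, so reserved-port exhaustion can be spotted before amd starts failing.

```shell
#!/bin/sh
# Constructed sample in the shape of `sockstat -4` output (not real data):
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE='root amd 123 5 udp4 *:1023 *:*
root amd 123 6 udp4 *:1022 *:*
root amd 123 7 tcp4 10.0.0.5:1021 10.0.0.9:2049
root sshd 201 3 tcp4 *:22 *:*
root amd 123 8 udp4 *:620 *:*
nobody httpd 300 4 tcp4 *:8080 *:*'

# Print "COMMAND count" for every command holding a local port below
# IPPORT_RESERVED (1024 unless overridden as $2). Header lines are skipped.
reserved_port_usage() {
    printf '%s\n' "$1" | awk -v limit="${2:-1024}" '
        $1 == "USER" { next }
        {
            n = split($6, a, ":"); port = a[n]
            if (port ~ /^[0-9]+$/ && port + 0 < limit) count[$2]++
        }
        END { for (c in count) print c, count[c] }' | sort
}

# Number of ports still free in the range bindresvport() allocates from
# (600-1023 as stated in the thread; bounds overridable as $2 and $3).
reserved_ports_free() {
    printf '%s\n' "$1" | awk -v lo="${2:-600}" -v hi="${3:-1023}" '
        $1 == "USER" { next }
        { n = split($6, a, ":"); p = a[n] + 0; if (p >= lo && p <= hi) used[p] = 1 }
        END { n = 0; for (p = lo; p <= hi; p++) if (!(p in used)) n++; print n }'
}

# Exit status 1 when fewer than $2 (default 32) reserved ports remain: an amd
# that takes them one by one, as the thread describes, is close to failing.
check_reserved_pool() {
    left=$(reserved_ports_free "$1")
    [ "$left" -ge "${2:-32}" ]
}

reserved_port_usage "$SAMPLE"
printf 'reserved ports free: %s\n' "$(reserved_ports_free "$SAMPLE")"
check_reserved_pool "$SAMPLE" || echo 'WARNING: reserved port pool nearly exhausted'
```

On a live system, feed it `sockstat -4` output instead of the sample; the per-command counts show which daemon is consuming the pool.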