On Sat, 20 Aug 2011, Adam Borowski <kilob...@angband.pl> wrote:
> > It seems to me that the only problem is if you run multiple instances of
> > a daemon on different ports and don't use /etc/bindresvport.blacklist,
> > SE Linux, or some other method of telling bindresvport() to leave your
> > port alone. That wouldn't be an issue of sysadmin freedom but sysadmin
> > ignorance (and I am one of the people who was ignorant of
> > bindresvport.blacklist).
>
> You can't blame "sysadmin ignorance". I've just grepped through every
> single man page in Debian (ok, amd64 main), and there is not a single
Ignorance means not knowing. Sure there are probably some bug reports about
man pages due, but it's still something you or I could have found out.

apt-get source libc6

> No other daemon I know has this problem. If I install daemon foo, I can
> expect it to not touch any ports it hasn't been configured to use. It's
> just portmap/SunRPC that uses random scatter-shot that can trample on
> something else.

Yes, SunRPC and anything that opens a port for callback.

> So what about this: let's reserve a number of ports for portmap's exclusive
> usage[1]. There's like 900 unused assignments, so there's plenty of space
> that could be parcelled off. SunRPC has long since degenerated from
> something with a general purpose to a peculiarity of NFS, so not many ports
> are needed. Only under a pathological configuration could one exceed any
> reasonable static limit, and in that case bindresvport() would revert to
> the blacklist+scattershot.

The problem with this theory is the fact that the problem that was reported
with CUPS only occurred after bindresvport() had used every port from 1023
down to 631. A casual scan of /etc/services reveals that there are no long
contiguous ranges available without reserved ports. If you start at the top,
the common ports pop3s and imaps could be reached quite quickly. So it seems
that some sort of blacklist is the only way to go.

The idea of a .d directory for blacklist files, such that every package
installation that is likely to use some ports will automatically have a
reservation, is a good one.

Of course there's still the corner case of trying to install CUPS (or some
other daemon) after a long-running RPC service has grabbed the port. Maybe
we should default to having ports such as 631, 993, 995, 873, 587, 636, 546,
and 547 reserved at all times. From a quick scan of /etc/services they seem
to be the most likely ports to be used in the 500-1024 range.
--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
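The mechanism argued over above, as an added illustration that is not part of the thread and not glibc's bindresvport() code: a model of a reserved-port scan that skips a blacklist, a merge of per-package blacklist.d fragments on top of the default ports Russell lists, and a check for the corner case of a port that was already grabbed before the blacklist entry arrived. Assumptions, labelled in the code: the blacklist format is one port number per line with '#' comments (what I expect of /etc/bindresvport.blacklist; verify against your glibc source), the scan runs from 1023 downwards as the message describes rather than glibc's exact start point, and the floor of 512 is arbitrary. The function names are mine.

```python
"""Model of bindresvport()-style reserved-port selection with a blacklist.

Constructed example, not glibc's implementation. It shows why a
deterministic scan of the privileged range eventually hands CUPS's port
(631) to an RPC callback socket, how a blacklist assembled from a .d
directory prevents that, and how to spot a port that was already taken
before the blacklist entry existed.
"""

IPPORT_RESERVED = 1024
SCAN_FLOOR = 512  # ASSUMPTION: arbitrary lower bound; glibc's loop differs

# Ports the message proposes reserving by default (cups, imaps, pop3s,
# rsync, submission, ldaps, dhcpv6-client, dhcpv6-server).
DEFAULT_RESERVED = frozenset({631, 993, 995, 873, 587, 636, 546, 547})


def parse_blacklist(text):
    """Parse blacklist text: one port per line, '#' to end of line ignored.

    ASSUMPTION: this is the bindresvport.blacklist format; check glibc.
    """
    ports = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.isdigit():
            raise ValueError(f"bad blacklist line: {raw!r}")
        port = int(line)
        if not 0 < port < IPPORT_RESERVED:
            raise ValueError(f"port outside reserved range: {port}")
        ports.add(port)
    return ports


def merge_blacklist_d(fragments):
    """Merge per-package fragments (filename -> text) plus the defaults.

    Models a blacklist.d directory: each package drops one file and the
    union is what bindresvport() would read.
    """
    merged = set(DEFAULT_RESERVED)
    for name in sorted(fragments):
        merged |= parse_blacklist(fragments[name])
    return merged


def render_blacklist(ports):
    """Serialise a port set back into the one-port-per-line text form."""
    lines = ["# generated from blacklist.d fragments"]
    lines += [str(p) for p in sorted(ports)]
    return "\n".join(lines) + "\n"


def bindresvport(in_use, blacklist, start=IPPORT_RESERVED - 1, floor=SCAN_FLOOR):
    """Return the first free, non-blacklisted port scanning downwards.

    Mutates in_use to record the bind. Returns None when every candidate
    is taken (the real call would fail with EADDRINUSE).
    ASSUMPTION: the 1023-down order is the one the message describes.
    """
    for port in range(start, floor - 1, -1):
        if port in blacklist or port in in_use:
            continue
        in_use.add(port)
        return port
    return None


def simulate(n_callbacks, blacklist, preoccupied=()):
    """Hand out n_callbacks reserved ports; return them in assignment order."""
    in_use = set(preoccupied)
    assigned = []
    for _ in range(n_callbacks):
        port = bindresvport(in_use, blacklist)
        if port is None:
            break
        assigned.append(port)
    return assigned


def already_taken(blacklist, in_use):
    """Blacklisted ports that some process bound before the entry existed.

    This is the corner case the message notes: a blacklist cannot evict a
    long-running RPC service that grabbed 631 before CUPS was installed.
    """
    return sorted(set(blacklist) & set(in_use))


if __name__ == "__main__":
    # Constructed scenario: 393 callback sockets, enough to walk 1023 -> 631.
    print("no blacklist, last port:", simulate(393, set())[-1])
    bl = merge_blacklist_d({"cups": "631  # ipp\n", "dovecot": "993\n995\n"})
    print("with blacklist, last port:", simulate(393, bl)[-1])
    print("already bound before blacklisting:", already_taken(bl, {631, 2049}))
```

The scan model is the part to adjust to your glibc: the skip-and-retry on a blacklisted or busy port is the behaviour that matters, and already_taken() is the check a package postinst would want to run (against `ss -ltnp` output on a real box) before assuming a new blacklist entry has made the port safe.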