
Re: The annual setuid question.



> Thanks for the tutorial!  We are facing another issue, namely the
> pending installation of a firewall which will be blocking all rpc
> calls on privileged ports.  I could get an exception to this rule, but
> it is probably easier to just have the ldm running on an unprivileged
> port.  We run portmap anyway, so this is no additional risk.  By the
> way, if privileged ports are blocked, will an off-campus machine
> be able to make initial contact?  If not, I guess I will have to get
> my exception put into the firewall.
>
> Regards,
>
> Dave

Just to clarify, ip ports less than port number 1023 are
referred to as "reserved". I've been calling this "privileged",
because that's what it really means.
Here is what /usr/include/netinet/in.h says:
/*
 * Local port number conventions:
 * Ports < IPPORT_RESERVED are reserved for
 * privileged processes (e.g. root).
 * Ports > 5000 used to be reserved for non-root servers,
 * but this convention can no longer be used with large scale systems.
 * All well-known ports should be registered with the Internet Assigned
 * Numbers Authority.
 */
#define IPPORT_RESERVED         1024

The portmapper program is called 'portmap' on some systems and
'rpcbind' on more recent implementations. (The 'rpcbind' implementation
can be configured to be somewhat more secure.) This program is a
server that converts RPC program numbers into ip port numbers.
The portmapper itself operates on a reserved port, 111.

Typically, when people set up firewalls, they block connections to
the portmapper _and_ well known rpc services, such as nfs,
which operate on fixed ip ports.

If this is what your site is doing, you _must_ run the ldm on its
well known port (rpc.ldmd setuid root). Otherwise, there is no way
for outside sites to find your ldm service.

Your firewall administrator may also block _all_ ip services on
reserved ports, and then open up services selectively: FTP
to this host, telnet to these hosts, and so on. If this is
the case, you will have to ask that connections to port 388 be
allowed to your ldm machine. You don't have to mention that
the ldm is an rpc service; this tends to confuse the issue.
When running on port 388, technically the ldm is an ip service
that uses RPC protocol encoding. If it _required_ the portmapper
(which it doesn't), we would say it was an RPC service.

-glenn