Bug 1592883

Summary: rpcbind sometimes uses port 749/UDP, which breaks Kerberos admin and FreeIPA
Product: [Fedora] Fedora
Reporter: Christian Heimes <cheimes>
Component: rpcbind
Assignee: Steve Dickson <steved>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: rharwood, steved, tdudlak
Target Milestone: ---
Keywords: Patch
Target Release: ---
Hardware: Unspecified
OS: Unspecified
: 1595170 (view as bug list) Environment:
Last Closed: 2018-12-17 19:18:23 UTC
Type: Bug
Bug Blocks: 1595170, 1644280    

Description Christian Heimes 2018-06-19 14:07:32 UTC
Description of problem:
rpcbind uses a random UDP port between about 600/UDP and 1023/UDP. Sometimes rpcbind happens to use a UDP port that is required for Kerberos. In that case, Kerberos fails to start. FreeIPA's CI is running into the issue every now and then.

Version-Release number of selected component (if applicable):
rpcbind-0.2.4-8.rc3.fc27.x86_64

How reproducible:
rarely

Steps to Reproduce:
1. restart rpcbind a lot until it eventually uses 749/udp

Actual results:
kadmin fails to start

Jun 19 13:12:13 master.ipa.test kadmind[16427](info): setting up network...
kadmind: setsockopt(8,IPV6_V6ONLY,1) worked
kadmind: setsockopt(10,IPV6_V6ONLY,1) worked
kadmind: Address already in use - Cannot bind server socket on 0.0.0.0.749
Jun 19 13:12:13 master.ipa.test kadmind[16427](Error): Failed setting up a RPC socket (for 0.0.0.0.749)
kadmind: Address already in use - Error setting up network
Jun 19 13:13:13 master.ipa.test kadmind[17767](info): setting up network...
kadmind: setsockopt(8,IPV6_V6ONLY,1) worked
kadmind: setsockopt(10,IPV6_V6ONLY,1) worked
kadmind: Address already in use - Cannot bind server socket on 0.0.0.0.749
Jun 19 13:13:13 master.ipa.test kadmind[17767](Error): Failed setting up a RPC socket (for 0.0.0.0.749)
kadmind: Address already in use - Error setting up network


Expected results:
rpcbind never takes a Kerberos port

Additional info:
rpcbind should be more careful when it selects a random UDP port. I suggest that rpcbind never uses a UDP port that has been reserved for a service in /etc/services, e.g. with getservbyport(port, "udp"). See https://linux.die.net/man/3/getservbyport

The issue affects F27, F28, rawhide, and RHEL 7. RHEL 6 had portreserve but it's no longer available in RHEL 7.
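
The check suggested under "Additional info", as an added example (not rpcbind's code and not the fix that shipped): choose a port in the 600-1023 range from the report while skipping any port a predicate marks as reserved. The names `pick_unreserved_port`, `port_in_services_udp` and `sample_reserved` are hypothetical, and `sample_reserved` is a constructed stand-in for the services database.

```c
#include <arpa/inet.h>   /* htons */
#include <netdb.h>       /* getservbyport */
#include <stddef.h>

/* Predicate type: returns nonzero if the port must not be taken. */
typedef int (*port_reserved_fn)(int port);

/* True if the services database (/etc/services or another NSS source)
 * names a UDP service on this port. */
int port_in_services_udp(int port)
{
    /* getservbyport() expects the port in network byte order. */
    return getservbyport(htons((unsigned short)port), "udp") != NULL;
}

/* Constructed stand-in for the services database, so the selection logic
 * can be exercised without depending on the host's /etc/services.
 * 749 is the Kerberos admin port from the report; 750 is sample data. */
int sample_reserved(int port)
{
    return port == 749 || port == 750;
}

/*
 * Walk [lo, hi] starting at `start`, wrapping around once, and return the
 * first port that `reserved` does not claim. Returns -1 if every port in
 * the range is claimed or the arguments are invalid.
 */
int pick_unreserved_port(int lo, int hi, int start, port_reserved_fn reserved)
{
    if (lo < 1 || hi > 65535 || lo > hi || start < lo || start > hi || !reserved)
        return -1;
    int span = hi - lo + 1;
    for (int i = 0; i < span; i++) {
        int port = lo + (start - lo + i) % span;
        if (!reserved(port))
            return port;
    }
    return -1;
}

int main(void)
{
    /* A caller would pass a random start and the real lookup, then bind();
     * bind() can still fail with EADDRINUSE and has to be retried. */
    int port = pick_unreserved_port(600, 1023, 749, port_in_services_udp);
    return port < 0;
}
```

The lookup only avoids ports listed in the services database; a port that another daemon binds without an entry there is not covered.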

Comment 2 Tibor Dudlák 2018-11-29 09:14:17 UTC
Put to modified by mistake *sigh*.

Comment 4 Steve Dickson 2018-12-17 19:13:50 UTC
commit 0bc1c0ae7ce61a7ac8a8e9a9b2086268f011abf0 (HEAD -> covscan, origin/master, origin/HEAD, master)
Author: Steve Dickson <steved>
Date:   Tue Oct 9 09:19:50 2018 -0400

    rpcinfo: Fix stack buffer overflow

Comment 5 Steve Dickson 2018-12-17 19:18:23 UTC
(In reply to Steve Dickson from comment #4)
> commit 0bc1c0ae7ce61a7ac8a8e9a9b2086268f011abf0 (HEAD -> covscan,
> origin/master, origin/HEAD, master)
> Author: Steve Dickson <steved>
> Date:   Tue Oct 9 09:19:50 2018 -0400
> 
>     rpcinfo: Fix stack buffer overflow

This is the wrong patch.... but the problem is fixed in
the latest release.