Bug 731542
Summary: | rpcbind without -i restricts set/unset to root user on localhost, so pmap_set fails for non-root users unless -i is used | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Steve Dickson <steved> |
Component: | rpcbind | Assignee: | Steve Dickson <steved> |
Status: | CLOSED ERRATA | QA Contact: | Eryu Guan <eguan> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | ||
Version: | 6.3 | CC: | aschorr, chad, dkwon, eguan, fister1, james.brown, jiyin, jlyle, jocarter, jsvarova, kzhang, nkim, orion, rdassen, redhat, rwheeler, steved, yanwang |
Target Milestone: | rc | Keywords: | Reopened, ZStream |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | rpcbind-0.2.0-10.el6 | Doc Type: | Bug Fix |
Doc Text: |
Previously, in the insecure mode, which enables non-root users to set or unset ports, a privileged port was required. As only root users can obtain a privileged port, non-root users could not set or unset ports. To fix this bug, the privileged port has been removed, and thus non-root users are now allowed to set or unset ports on the loopback interface.
|
Story Points: | --- |
Clone Of: | 481422 | Environment: | |
Last Closed: | 2013-02-21 07:55:15 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 481422 | ||
Bug Blocks: | 767187, 782183, 840683, 858572, 858573 |
Description
Steve Dickson
2011-08-17 20:27:49 UTC
Note for RPC users: This code for a non-super user application to register as a RPC service provider worked in Red Hat Enterprise Linux 5.4: SVCXPRT *transp = svctcp_create(RPC_ANYSOCK, 0, 0); svc_register(transp, prog, vers, callback, IPPROTO_TCP); but gives this error in RHEL 6.1 and Fedora 15: Cannot register service: RPC: Authentication error; why = Client credential too weak A program generated with rpcgen will also get this error. This problem was introduced when portmapper was replaced with rpcbind in Red Hat 6. The error message and the rpcbind man page sent me trying to change TCP wrapper configuration and use gss rpc. But only the rpcbind -i option works. Either Andy's change to the rpcbind man page should be made: In the absence of the -i option, calls are accepted only from privileged ports via the loopback interface. Or some form of Andy's change to rpcbind options should be made to allow non-super user applications to register an RPC service from the local host. This issue should be documented in the release notes. I can not use rpcbind -i because of poor security so need to recode my application to not use RPC. Our environment has been impacted by this issue as well. We're a university lab, with at least one class that uses RPC programming as a student exercise. For the obvious security reasons, we'd like to be able to allow non-root set/unset for student code, while still restricting them to localhost. The earlier patch sounds like exactly what we need, though it appears never to have been accepted. For whatever it's worth, there seems to be a simpler and undocumented patch for this in Fedora 16. It removes the port number check in security.c:is_loopback(). It's a shame that my patch hasn't been accepted, but this gets the job done for now. Regards, Andy (In reply to comment #9) > For whatever it's worth, there seems to be a simpler and undocumented patch > for this in Fedora 16. It removes the port number check in > security.c:is_loopback(). > > It's a shame that my patch hasn't been accepted, but this gets the job done > for now. Is this the patch you are talking about? I think this upstream patch is what you are looking for commit 1d9fba5b631b517094c85a80f45f6f7ba1665e2a Author: Olaf Kirch <okir> Date: Wed Mar 16 14:19:37 2011 -0400 Make is_loopback check more permissive This patch relaxes the is_loopback() check to its original meaning; i.e. verify that the caller is local. We no longer check whether the source port is privileged, for a number of reasons. 1) The existing check did not allow *any* non-root program to register a services via UDP or TCP transport. It did however allow *any* registration when using the AF_LOCAL transport. 2) Unregistration of services is only possible if the caller has the same "user name", i.e. "superuser" for root (when connecting through AF_LOCAL sockets, or when using pmap_set with a privileged port) numeric uid for non-root users when connecting through AF_LOCAL sockets "unknown" for all other users This seems safe enough to allow the removal of the privileged port check in is_localhost. Signed-off-by: Olaf Kirch <okir> Signed-off-by: Steve Dickson <steved> diff --git a/src/security.c b/src/security.c index 07c8933..d272f74 100644 --- a/src/security.c +++ b/src/security.c @@ -138,8 +138,7 @@ is_loopback(struct netbuf *nbuf) "Checking caller's adress (port = %d)\n", ntohs(sin->sin_port)); #endif - return ((sin->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) && - (ntohs(sin->sin_port) < IPPORT_RESERVED)); + return (sin->sin_addr.s_addr == htonl(INADDR_LOOPBACK)); #ifdef INET6 case AF_INET6: if (!oldstyle_local) @@ -151,10 +150,9 @@ is_loopback(struct netbuf *nbuf) "Checking caller's adress (port = %d)\n", ntohs(sin6->sin6_port)); #endif - return ((IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) || + return (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) || (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr) && - sin6->sin6_addr.s6_addr32[3] == htonl(INADDR_LOOPBACK) - (ntohs(sin6->sin6_port) < IPV6PORT_RESERVED)); + sin6->sin6_addr.s6_addr32[3] == htonl(INADDR_LOOPBACK) #endif case AF_LOCAL: return 1; *** Bug 717922 has been marked as a duplicate of this bug. *** Reproduced with rpcbind-0.2.0-9.el6, non-root user couldn't register service [root@fstest rpcbind]# su gery -c "rpc_issue/test_server" Cannot register service: RPC: Authentication error; why = Client credential too weak unable to register (PROG1, PROG_VERS, udp). Verified with rpcbind-0.2.0-11.el6 [root@fstest rpcbind]# su gery -c "rpc_issue/test_server" server received: 5 # On another terminal [root@fstest rpc_issue]# su gery -c "./test_client localhost" client received: 10 Test program is from bug 717922 comment 0 Set VERIFIED Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0291.html |