Bug 129733 - Portmap can't be told only to bind to loopback interface
Summary: Portmap can't be told only to bind to loopback interface
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: portmap
Version: 2
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Steve Dickson
QA Contact:
URL: http://troels.arvin.dk/portmap-rpm-ch...
Whiteboard:
Depends On:
Blocks: 1366045
Reported: 2004-08-12 09:29 UTC by Troels Arvin
Modified: 2016-09-07 04:48 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2004-11-27 19:35:21 UTC
Type: ---
Embargoed:



Description Troels Arvin 2004-08-12 09:29:06 UTC
Description of problem:
Most network-listening daemons in Fedora can be instructed to bind to
the loopback interface only. Portmap is an exception. This is a
particular problem on desktop installations where the file alteration
monitor (fam) needs portmap (on servers, one may simply remove portmap
if it isn't needed). FAM seems to be on the path to removal in the
next, or subsequent Fedora Core releases; but until then, I believe
that a modified portmap package should be shipped.

I've created a patch which adds a "-l" switch to portmap, instructing
it to bind 127.0.0.1 only. Also, I have changed the init-script to
look for a /etc/sysconfig/portmap script and honor whatever $OPTIONS
exist there, when starting the daemon; in addition, I have added a
/etc/sysconfig/portmap file consisting of one line: OPTIONS="-l"
This means that portmap will not listen on publicly exposed interfaces
by default, in line with other recent Fedora/Red Hat changes, such as
sendmail's default loopback-only behaviour (and X's ditto?). I know
that portmap access can be restricted, using hosts.allow/hosts.deny,
but that doesn't help much if a security bug is found in the code
initially accepting portmap traffic.

While messing with the portmap package, I also changed the initscript,
such that bug #99308 is closed.

My portmap patch, and other files for the altered portmap package, are
here: http://troels.arvin.dk/portmap-rpm-changes/

The portmap patch has been sent to the upstream project manager
(Wietse Venema).

I've tested the altered portmap package on my laptop, and
FAM-dependent applications seem to work well.

I suggest that an altered portmap package like the one proposed be
included in Fedora Core. If the Fedora Core developers think it's too
drastic not to have portmap listening on all interfaces by default,
then the default behaviour could be changed (although I don't
recommend it).

Version-Release number of selected component (if applicable):
portmap-4.0-59

How reproducible:
Always

Steps to Reproduce:
There is no way to make the current portmap daemon bind to 127.0.0.1
only. (Checked documentation and code.)

Additional info:

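The report's security point is that hosts.allow/hosts.deny only filter after portmap has already accepted the connection, so what a practitioner wants to verify is which addresses the daemon is actually bound to. The script below is an added example written for this page; it is not code from the bug report, the portmap package, or Fedora. It decodes the kernel socket tables and reports every port 111 socket bound to a non-loopback address, treating the wildcards 0.0.0.0 and :: as exposed. The /proc/net/tcp, tcp6, udp and udp6 paths, the little-endian hex address encoding and the st value 0A for a listening TCP socket are assumptions about the Linux table format; the sample tables are constructed, not captured from a real host.

```python
"""Report RPC portmapper sockets (port 111) that are bound to anything other
than a loopback address, by decoding the kernel socket tables.

Added example for this page; not code from the bug report or the portmap
package. Assumes the Linux /proc/net/{tcp,tcp6,udp,udp6} format, in which
local_address is "<hex addr>:<hex port>" with the address as little-endian
32-bit words and the st column holding 0A for a listening TCP socket."""
import ipaddress
import os
import socket
import struct

PORTMAP_PORT = 111
TCP_LISTEN = "0A"  # st column of /proc/net/tcp for a socket in LISTEN state

# Live tables and whether each one is TCP (assumed Linux paths).
PROC_TABLES = [
    ("/proc/net/tcp", True),
    ("/proc/net/tcp6", True),
    ("/proc/net/udp", False),
    ("/proc/net/udp6", False),
]


def decode_proc_addr(hex_addr):
    """Turn the hex address from a /proc/net table into an ipaddress object.
    IPv4 is one little-endian 32-bit word, IPv6 is four of them in order."""
    words = [hex_addr[i:i + 8] for i in range(0, len(hex_addr), 8)]
    raw = b"".join(struct.pack("<I", int(w, 16)) for w in words)
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return ipaddress.ip_address(socket.inet_ntop(family, raw))


def listeners(table_text, port, tcp):
    """Return [(address, proto)] for sockets in one table bound to `port`.
    TCP sockets count only in LISTEN state; a UDP socket is reachable as
    soon as it is bound, so every UDP row on the port is reported."""
    proto = "tcp" if tcp else "udp"
    found = []
    for line in table_text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 4:
            continue
        addr_hex, port_hex = cols[1].split(":")
        if int(port_hex, 16) != port:
            continue
        if tcp and cols[3] != TCP_LISTEN:
            continue
        found.append((decode_proc_addr(addr_hex), proto))
    return found


def exposed_listeners(tables, port=PORTMAP_PORT):
    """tables is a list of (table_text, is_tcp). Returns [(address_str, proto)]
    for every socket on `port` whose bind address is not loopback. The
    wildcards 0.0.0.0 and :: are not loopback and so are reported as exposed."""
    return [
        (str(addr), proto)
        for text, tcp in tables
        for addr, proto in listeners(text, port, tcp)
        if not addr.is_loopback
    ]


def read_live_tables(paths=PROC_TABLES):
    """Read whichever of the /proc tables exist on this host."""
    return [(open(p).read(), tcp) for p, tcp in paths if os.path.exists(p)]


# Constructed sample tables (not captured from a real host): portmap on
# 0.0.0.0:111 and 127.0.0.1:111 over TCP, ::1 over TCP6, 0.0.0.0:111 over UDP,
# plus one unrelated established sshd connection that must be ignored.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:9C40 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:006F 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12349 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:006F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12348 2 0000000000000000 0
"""
SAMPLE_TABLES = [(SAMPLE_TCP, True), (SAMPLE_TCP6, True), (SAMPLE_UDP, False)]


if __name__ == "__main__":
    # Prefer the live kernel tables; fall back to the constructed sample.
    tables = read_live_tables() or SAMPLE_TABLES
    for addr, proto in exposed_listeners(tables):
        print(f"portmap reachable on {addr}/{proto}")
```

On a host where the "-l" option from the reporter's patch is in effect, the TCP and UDP rows for port 111 decode to 127.0.0.1 and the list comes back empty; a 0.0.0.0 entry in either table means the original all-interface default is still in place, regardless of what hosts.allow and hosts.deny say.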
Comment 1 Steve Dickson 2004-08-12 10:44:26 UTC
It probably does make sense to enable portmapper to only
listen on the loopback interface.

Comment 2 Troels Arvin 2004-08-12 14:35:58 UTC
I have updated the files at
http://troels.arvin.dk/portmap-rpm-changes/ to include an adjusted man
page, as well.

Comment 3 Steve Dickson 2004-08-12 18:59:25 UTC
This patch is in version -63

Comment 4 Troels Arvin 2004-11-27 19:35:21 UTC
The option to make portmap listen on the loopback interface only is
now in Fedora Core 3, although the loopback-only isn't the default
behaviour (unfortunately). I'm closing this feature request.

