Red Hat Bugzilla – Bug 129733
Portmap can't be told only to bind to loopback interface
Last modified: 2016-09-07 00:48:41 EDT
Description of problem:
Most network-listening daemons in Fedora can be instructed to bind to
the loopback interface only. Portmap is an exception. This is a
particular problem on desktop installations where the file alteration
monitor (fam) needs portmap (on servers, one may simply remove portmap
if it isn't needed). FAM seems to be on the path to removal in the
next, or subsequent Fedora Core releases; but until then, I believe
that a modified portmap package should be shipped.
I've created a patch which adds a "-l" switch to portmap, instructing
it to bind 127.0.0.1 only. Also, I have changed the init-script to
look for a /etc/sysconfig/portmap script and honor whatever $OPTIONS
exist there, when starting the daemon; in addition, I have added a
/etc/sysconfig/portmap file consisting of one line: OPTIONS="-l"
This means that portmap will not listen on publicly exposed interfaces
by default, in line with other recent Fedora/Red Hat changes, such as
sendmail's default loopback-only behaviour (and X's ditto?). I know
that portmap access can be restricted, using hosts.allow/hosts.deny,
but that doesn't help much if a security bug is found in the code
initially accepting portmap traffic.
While messing with the portmap package, I also changed the initscript,
such that bug #99308 is closed.
My portmap patch, and other files for the altered portmap package, are
The portmap patch has been sent to the upstream project manager
I've tested the altered portmap package on my laptop, and
FAM-dependent applications seem to work well.
I suggest that an altered portmap package like the one proposed be
included in Fedora Core. If the Fedora Core developers think it's too
drastic not to have portmap listening on all interfaces by default,
then the default behaviour could be changed (although I don't
Version-Release number of selected component (if applicable):
Steps to Reproduce:
There is no way to make the current portmap daemon bind to 127.0.0.1
only. (Checked documentation and code.)
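The bind-to-loopback behaviour the proposed "-l" switch requests, shown as an added C sketch that is not the reporter's patch or portmap's own code; the function names, the "-l" parsing in main and the use of port 0 instead of the sunrpc port are assumptions:

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Create a TCP listening socket on `port`. With loopback_only != 0 it is bound
 * to 127.0.0.1 (INADDR_LOOPBACK), so other hosts cannot reach it at all;
 * otherwise to 0.0.0.0 (INADDR_ANY), the default this report objects to.
 * Returns the descriptor, or -1 on failure. */
int make_listen_socket(int loopback_only, unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(loopback_only ? INADDR_LOOPBACK : INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Store the IPv4 address the socket is actually bound to, in host byte order
 * (0x7f000001 for 127.0.0.1, 0 for 0.0.0.0). Returns 0 on success, -1 on error. */
int bound_address(int fd, unsigned int *addr)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return -1;
    *addr = ntohl(sa.sin_addr.s_addr);
    return 0;
}

/* Stand-alone check: "-l" as the first argument selects loopback-only. Port 0
 * lets the kernel pick a free port; the real daemon would use the sunrpc port. */
int main(int argc, char **argv)
{
    unsigned int a = 0;
    int fd = make_listen_socket(argc > 1 && strcmp(argv[1], "-l") == 0, 0);
    if (fd < 0 || bound_address(fd, &a) < 0) { perror("portmap-example"); return 1; }
    printf("bound to %u.%u.%u.%u\n", a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255);
    close(fd);
    return 0;
}
```

Run with and without "-l" and compare the reported address; the same check (getsockname, or netstat/ss on a live system) is how to confirm that a daemon is really not bound to a public interface.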
It probably does make sense to enable portmapper to only
listen on the loopback interface.
I have updated the files at
http://troels.arvin.dk/portmap-rpm-changes/ to include an adjusted man
page, as well.
This patch is in version -63
The option to make portmap listen on the loopback interface only is
now in Fedora Core 3, although the loopback-only isn't the default
behaviour (unfortunately). I'm closing this feature request.