Bug 129733 - Portmap can't be told only to bind to loopback interface
Product: Fedora
Classification: Fedora
Component: portmap
i686 Linux
Severity: medium
Assigned To: Steve Dickson
FutureFeature
Blocks: 1366045
Reported: 2004-08-12 05:29 EDT by Troels Arvin
Modified: 2016-09-07 00:48 EDT
Doc Type: Enhancement
Last Closed: 2004-11-27 14:35:21 EST

Attachments: None
Description Troels Arvin 2004-08-12 05:29:06 EDT
Description of problem:
Most network-listening daemons in Fedora can be instructed to bind to
the loopback interface only. Portmap is an exception. This is a
particular problem on desktop installations where the file alteration
monitor (fam) needs portmap (on servers, one may simply remove portmap
if it isn't needed). FAM seems to be on the path to removal in the
next, or subsequent Fedora Core releases; but until then, I believe
that a modified portmap package should be shipped.

I've created a patch which adds a "-l" switch to portmap, instructing
it to bind only. Also, I have changed the init-script to
look for a /etc/sysconfig/portmap script and honor whatever $OPTIONS
exist there, when starting the daemon; in addition, I have added a
/etc/sysconfig/portmap file consisting of one line: OPTIONS="-l"
This means that portmap will not listen on publicly exposed interfaces
by default, in line with other recent Fedora/Red Hat changes, such as
sendmail's default loopback-only behaviour (and X's ditto?). I know
that portmap access can be restricted, using hosts.allow/hosts.deny,
but that doesn't help much if a security bug is found in the code
initially accepting portmap traffic.

While messing with the portmap package, I also changed the initscript,
such that bug #99308 is closed.

My portmap patch, and other files for the altered portmap package, are
here: http://troels.arvin.dk/portmap-rpm-changes/

The portmap patch has been sent to the upstream project manager
(Wietse Venema).

I've tested the altered portmap package on my laptop, and
FAM-dependent applications seem to work well.

I suggest that an altered portmap package like the one proposed be
included in Fedora Core. If the Fedora Core developers think it's too
drastic not to have portmap listening on all interfaces by default,
then the default behaviour could be changed (although I don't
recommend it).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
There is no way to make the current portmap daemon bind to
only. (Checked documentation and code.)

Additional info:
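As an added example (not the reporter's patch and not the Fedora package's init script), a POSIX shell sketch of the two pieces the report describes: an init-script helper that sources /etc/sysconfig/portmap and passes whatever $OPTIONS it sets through to the daemon, and a check that a running portmap (port 111) is bound to loopback only. The function names, the sysconfig path argument and the socket-listing lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not the reporter's patch nor Fedora's init script: the
# sysconfig mechanism described in the report, plus a loopback-only check.

# Build the portmap command line from a sysconfig file (the report's
# /etc/sysconfig/portmap containing OPTIONS="-l").  The path is a parameter
# so the helper can be exercised against a constructed file.
portmap_cmdline() {
    sysconfig="$1"
    OPTIONS=""
    if [ -f "$sysconfig" ]; then
        . "$sysconfig"          # honours whatever $OPTIONS is set there
    fi
    printf 'portmap%s\n' "${OPTIONS:+ $OPTIONS}"
}

# Read netstat -ln style lines ("proto recv-q send-q local foreign ...") on
# stdin and return 0 only if every port-111 listener is bound to loopback.
# Any other local address is printed and makes the check fail.  Only the
# textual forms 127.0.0.1:111 and ::1:111 count as loopback here.
loopback_only() {
    bad=0
    while read -r proto recvq sendq laddr rest; do
        case "$proto" in tcp*|udp*) ;; *) continue ;; esac   # skip headers
        [ "${laddr##*:}" = "111" ] || continue                # portmap only
        case "$laddr" in
            127.0.0.1:111|::1:111) ;;
            *) echo "portmap exposed on $laddr"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed demonstration input: one loopback-bound and one exposed socket,
# so the check reports the exposed UDP listener.  Run as: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
    printf 'tcp 0 0 127.0.0.1:111 0.0.0.0:* LISTEN\nudp 0 0 0.0.0.0:111 0.0.0.0:*\n' \
        | loopback_only && echo "loopback only" || echo "check failed"
fi
```

On a live system the same check is fed with the real listener table, for example `netstat -ln | loopback_only`.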
Comment 1 Steve Dickson 2004-08-12 06:44:26 EDT
It probably does make sense to enable portmapper to only
listen on the loopback interface.
Comment 2 Troels Arvin 2004-08-12 10:35:58 EDT
I have updated the files at
http://troels.arvin.dk/portmap-rpm-changes/ to include an adjusted man
page, as well.
Comment 3 Steve Dickson 2004-08-12 14:59:25 EDT
This patch is in version -63
Comment 4 Troels Arvin 2004-11-27 14:35:21 EST
The option to make portmap listen on the loopback interface only is
now in Fedora Core 3, although the loopback-only isn't the default
behaviour (unfortunately). I'm closing this feature request.