Bug 1592883 - rpcbind sometimes uses port 749/UDP, which breaks Kerberos admin and FreeIPA
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: rpcbind
Version: 28
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Steve Dickson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1595170 1644280
Reported: 2018-06-19 14:07 UTC by Christian Heimes
Modified: 2018-12-17 19:18 UTC (History)

Fixed In Version:
Doc Text:
Clone Of:
: 1595170 (view as bug list)
Environment:
Last Closed: 2018-12-17 19:18:23 UTC
Type: Bug



Description Christian Heimes 2018-06-19 14:07:32 UTC
Description of problem:
rpcbind uses a random UDP port between about 600/UDP and 1023/UDP. Sometimes rpcbind happens to use a UDP port that is required for Kerberos. In that case, Kerberos fails to start. FreeIPA's CI is running into the issue every now and then.

Version-Release number of selected component (if applicable):
rpcbind-0.2.4-8.rc3.fc27.x86_64

How reproducible:
rarely

Steps to Reproduce:
1. restart rpcbind a lot until it eventually uses 749/udp

Actual results:
kadmin fails to start

Jun 19 13:12:13 master.ipa.test kadmind[16427](info): setting up network...
kadmind: setsockopt(8,IPV6_V6ONLY,1) worked
kadmind: setsockopt(10,IPV6_V6ONLY,1) worked
kadmind: Address already in use - Cannot bind server socket on 0.0.0.0.749
Jun 19 13:12:13 master.ipa.test kadmind[16427](Error): Failed setting up a RPC socket (for 0.0.0.0.749)
kadmind: Address already in use - Error setting up network
Jun 19 13:13:13 master.ipa.test kadmind[17767](info): setting up network...
kadmind: setsockopt(8,IPV6_V6ONLY,1) worked
kadmind: setsockopt(10,IPV6_V6ONLY,1) worked
kadmind: Address already in use - Cannot bind server socket on 0.0.0.0.749
Jun 19 13:13:13 master.ipa.test kadmind[17767](Error): Failed setting up a RPC socket (for 0.0.0.0.749)
kadmind: Address already in use - Error setting up network


Expected results:
rpcbind never takes a Kerberos port

Additional info:
rpcbind should be more careful when it selects a random UDP port. I suggest that rpcbind never uses a UDP port that has been reserved for a service in /etc/services, e.g. with getservbyport(port, "udp"). See https://linux.die.net/man/3/getservbyport

The issue affects F27, F28, rawhide, and RHEL 7. RHEL 6 had portreserve but it's no longer available in RHEL 7.
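
The check suggested in the description above, sketched as an added example; it is not rpcbind or libtirpc code and not the fix that shipped. `pick_unreserved_port`, `reserved_in_services` and `reserved_constructed` are hypothetical names, and every entry in the constructed port list except 749 is made up for illustration.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>

/* Predicate: nonzero if the UDP port must be left alone. */
typedef int (*reserved_fn)(int port);

/* Reserved if the services database (/etc/services via NSS) names a UDP
 * service on the port. getservbyport() wants network byte order. */
int reserved_in_services(int port)
{
    return getservbyport(htons((unsigned short)port), "udp") != NULL;
}

/* Constructed stand-in list, for hosts without a services database. */
int reserved_constructed(int port)
{
    static const int ports[] = { 636, 749, 750, 873, 992 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++)
        if (ports[i] == port)
            return 1;
    return 0;
}

/* Walk [lo, hi] once from a random starting offset and return the first
 * port the predicate does not reserve, or -1 if every port is reserved. */
int pick_unreserved_port(int lo, int hi, reserved_fn reserved, unsigned start)
{
    int span = hi - lo + 1;
    if (span <= 0)
        return -1;
    for (int i = 0; i < span; i++) {
        int port = lo + (int)((start + (unsigned)i) % (unsigned)span);
        if (!reserved(port))
            return port;
    }
    return -1;
}

int main(void)
{
    unsigned start = (unsigned)rand(); /* unseeded: demonstration only */
    printf("749/udp named in services db: %d\n", reserved_in_services(749));
    printf("services db pick: %d\n", pick_unreserved_port(600, 1023, reserved_in_services, start));
    printf("constructed pick: %d\n", pick_unreserved_port(600, 1023, reserved_constructed, start));
    return 0;
}
```

The predicate only filters candidates; the caller still has to bind() the returned port and retry on EADDRINUSE, since another process can take it in between.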

Comment 2 Tibor Dudlák 2018-11-29 09:14:17 UTC
Put to modified by mistake *sigh*.

Comment 4 Steve Dickson 2018-12-17 19:13:50 UTC
commit 0bc1c0ae7ce61a7ac8a8e9a9b2086268f011abf0 (HEAD -> covscan, origin/master, origin/HEAD, master)
Author: Steve Dickson <steved@redhat.com>
Date:   Tue Oct 9 09:19:50 2018 -0400

    rpcinfo: Fix stack buffer overflow

Comment 5 Steve Dickson 2018-12-17 19:18:23 UTC
(In reply to Steve Dickson from comment #4)
> commit 0bc1c0ae7ce61a7ac8a8e9a9b2086268f011abf0 (HEAD -> covscan,
> origin/master, origin/HEAD, master)
> Author: Steve Dickson <steved@redhat.com>
> Date:   Tue Oct 9 09:19:50 2018 -0400
> 
>     rpcinfo: Fix stack buffer overflow

This is the wrong patch.... but the problem is fixed in
the latest release.

