Description Roberto Bergantinos
2020-11-12 11:22:52 UTC
Description of problem:
rpcbind is no longer built with libwrap since TCP wrappers are gone on RHEL8:
[root@rhel8 ~]# rpm -qa rpcbind
rpcbind-1.2.5-7.el8.x86_64
[root@rhel8 ~]# ldd /usr/sbin/rpcbind | grep -i wrap
[root@rhel8 ~]#
This produces a side effect when logging non-allowed CALLIT calls, i.e. for mountd:
int
check_callit(SVCXPRT *xprt, struct r_rmtcall_args *args, int versnum /*__unused*/)
...
        case MOUNTPROG:
                if (args->rmt_proc != MOUNTPROC_MNT &&
                    args->rmt_proc != MOUNTPROC_UMNT)
                        break;
                goto deny;
...
#ifdef LIBWRAP
        logit(deny_severity, sa, args->rmt_proc, args->rmt_prog,
            ": indirect call not allowed");
#else
        logit(0, sa, args->rmt_proc, args->rmt_prog,
            ": indirect call not allowed");   <<--- on RHEL8 we go through here
This will cause a broadcast message:
Broadcast message from systemd-journald@rhel8 (Thu 2020-11-12 11:56:24 CET):
rpcbind[30949]: connect from 172.23.1.247 to set(mountd): indirect call not allowed
This can be annoying and has been seen in the field, getting worse if the client retries the call.
On RHEL7, due to libwrap still being around, it will cause a more silent auth.warning message.
Since we are not allowing the operation to proceed anyway, an emerg-prio message seems
a bit of an over-notification.
We can maybe downgrade the priority of these messages, i.e.:
diff --git a/src/security.c b/src/security.c
index 329c53d..38967dd 100644
--- a/src/security.c
+++ b/src/security.c
@@ -346,7 +346,7 @@ deny:
logit(deny_severity, sa, args->rmt_proc, args->rmt_prog,
": indirect call not allowed");
#else
- logit(0, sa, args->rmt_proc, args->rmt_prog,
+ logit(LOG_AUTH|LOG_WARNING, sa, args->rmt_proc, args->rmt_prog,
": indirect call not allowed");
#endif
return 0;
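Review bot: In the #else branch the new severity is a literal LOG_AUTH|LOG_WARNING at the call site while the LIBWRAP branch passes deny_severity, so the two builds can diverge again the next time either value changes. Consider defining deny_severity for the non-LIBWRAP build (set to LOG_AUTH|LOG_WARNING) so both branches collapse into one logit(deny_severity, ...) call and the #ifdef around it can go. LOG_AUTH and LOG_WARNING come from <syslog.h>; the hunk does not show whether security.c includes it when LIBWRAP is undefined, so that is worth confirming too.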
Simple RPC client for reproducer:
#include <stdio.h>
#include <stdlib.h>
#include <rpc/rpc.h>
#include <rpc/pmap_clnt.h>      /* clnt_broadcast() */
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define MOUNTD_PROGRAM 100005   /* mountd RPC program number */
#define MOUNTD_VER 1
#define MOUNT_PROC 1

/* Called by clnt_broadcast() for each reply that comes back. */
static bool_t eachresp(char *out, struct sockaddr_in *addr)
{
    struct hostent *sender;

    if (addr) {
        sender = gethostbyaddr(&addr->sin_addr, sizeof(addr->sin_addr), AF_INET);
        if (sender)
            printf("Received reply from host %s\n", sender->h_name);
        else
            printf("Could not resolve address\n");
    }
    else
        printf("No answer\n");
    return TRUE;    /* a non-zero return tells clnt_broadcast() to stop waiting */
}

int main(void)
{
    enum clnt_stat status;

    /* Broadcast the call through rpcbind's indirect-call (CALLIT) service. */
    status = clnt_broadcast(MOUNTD_PROGRAM, MOUNTD_VER, MOUNT_PROC,
                            (xdrproc_t) xdr_void, NULL, (xdrproc_t) xdr_void, NULL,
                            (resultproc_t) eachresp);
    if (status != RPC_SUCCESS) {
        clnt_perrno(status);
        exit(-1);
    }
    return 0;
}
Version-Release number of selected component (if applicable): RHEL8/upstream
How reproducible: 100%
Steps to Reproduce:
1. Compile the C code from above, run on any host
2. Any RHEL8 rpcbind on the same subnet will produce the broadcast message
3.
Actual results: broadcast message
Expected results: more quiet message
Additional info:
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (rpcbind bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2021:1665
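
A log check for the denial message quoted in this report, as an added example that is not part of the original bug report or of rpcbind: it matches the "connect from ADDR to PROC(PROG): indirect call not allowed" line and counts denials per source and program, which is where the event has to be looked for once it is logged at auth.warning instead of being broadcast. The sample lines and the names parse_denial, tally, TAB and MAX_SRC are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#define MAX_SRC 16
struct src_count { char key[96]; int denied; };   /* key = "address program" */
static struct src_count TAB[MAX_SRC];
/* Constructed sample journal lines, not captured from a real host. */
static const char *SAMPLE[] = {
    "Nov 12 11:56:24 rhel8 rpcbind[30949]: connect from 172.23.1.247 to set(mountd): indirect call not allowed",
    "Nov 12 11:56:30 rhel8 sshd[1201]: Accepted publickey for admin from 192.0.2.7 port 50022 ssh2",
    "Nov 12 11:56:36 rhel8 rpcbind[30949]: connect from 172.23.1.247 to set(mountd): indirect call not allowed",
    "Nov 12 11:57:02 rhel8 rpcbind[30949]: connect from 192.0.2.10 to set(mountd): indirect call not allowed",
};

/* Match one denial line in the format shown in the report; fill addr and prog. */
static int parse_denial(const char *line, char *addr, char *prog)
{
    const char *p = strstr(line, "connect from ");
    return p && strstr(p, ": indirect call not allowed") &&
           sscanf(p, "connect from %63s to %*[^(](%31[^)]", addr, prog) == 2;
}

/* Tally denials per source and program; returns the number of distinct keys. */
static int tally(const char **lines, int n, struct src_count *out, int max)
{
    int used = 0, j;
    for (int i = 0; i < n; i++) {
        char addr[64], prog[32], key[96];
        if (!parse_denial(lines[i], addr, prog))
            continue;                       /* not an rpcbind denial line */
        snprintf(key, sizeof key, "%s %s", addr, prog);
        for (j = 0; j < used && strcmp(out[j].key, key) != 0; j++)
            ;                               /* linear search: the table is small */
        if (j == max)
            continue;                       /* table full: skip new keys */
        if (j == used) {                    /* first denial for this key */
            strcpy(out[used].key, key);
            out[used++].denied = 0;
        }
        out[j].denied++;
    }
    return used;
}

int main(void)
{
    int used = tally(SAMPLE, 4, TAB, MAX_SRC);
    for (int i = 0; i < used; i++)
        printf("%-22s denied=%d\n", TAB[i].key, TAB[i].denied);
    return 0;
}
```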