[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
** Changed in: fedora Status: Confirmed => Won't Fix -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/304393 Title: rpcbind grabs ports used by other daemons such as cupsd Status in cups package in Ubuntu: Invalid Status in rpcbind package in Ubuntu: Fix Released Status in rpcbind source package in Xenial: Fix Released Status in rpcbind source package in Bionic: Fix Released Status in rpcbind package in Debian: Fix Released Status in Fedora: Won't Fix Bug description: [impact] rpcbind binds to a 'random' reserved port at startup, which can conflict with the reserved port number for other applications that actually 'own' the reserved port number. One example is cups, which uses the reserved port 631. This prevents the actual 'owner' of the reserved port from starting, since it can't bind to its reserved port. Additionally, this can raise alarms from security monitoring software that does not expect programs to be listening on random reserved ports. [test case] start rpcbind and check which ports it is listening on, e.g.: $ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind each time rpcbind is restarted, it will be listening to a different 'random' port. [regression potential] this adds a way to disable rpcbind from listening to the 'random' port. any regression would likely prevent rpcbind from starting, or may cause problems with the interaction between rpcinfo and rpcbind, as rpcinfo may use the random reserved port in some cases, as detailed in the Debian bug. [scope] This is needed only for Bionic and earlier. In Focal and later, and in Debian, rpcbind defaults to not opening the random reserved port. The admin can use the -r parameter to cause rpcbind to restore the old behavior of opening the random reserved port. [other info] Note that the -r parameter is a Debian addition, and the upstream rpcbind has disabled the random port functionality at build time; there is no runtime parameter to allow the admin to choose the behavior. Also, as discussed in the Debian bug, disabling this rpcbind 'feature' is known to cause problems for the rpcinfo program, which is why Debian introduced the -r parameter. So, when this -r parameter is backported to Bionic and earlier, we must retain the default behavior for those releases, which is for rpcbind to open the random reserved port. Thus, the patch for this will first backport the upstream patch that adds functionality to be able to disable the 'remote calls' function, and also backports the debian patch to change that from a compile-time to run-time option. Then, another patch is added, which changes the default back to the behavior of x/b, which is for remote calls to be enabled by default, and also adds a check for the existence of an environment variable "RPCBIND_RMTCALL_DEFAULT_DISABLED" which, if defined (to anything), will change the default to disabled. This allows 1) retaining the existing default behavior of rpcbind in x and b, while also 2) providing a mechanism to change that default for anyone who does *not* want remote calls to be enabled, and 3) allowing the mechanism to change the default to remain in place after an upgrade to Focal. Using the environment variable allows anyone to disable the remote calls in x and/or b, and then upgrade to Focal without breaking rpcbind or needing to remove the env var. After the upgrade to Focal, the environment variable (defined in /etc/default/rpcbind and/or /etc/rpcbind.conf) will simply be ignored without any change needed to the rpcbind package in Focal or later. [original description] Binary package hint: cups cups 1.3.9-2ubuntu4 From /var/log/cups/error_log: cups: unable to bind socket for address 127.0.0.1:631 - Address already in use. Nothing actually looks wrong. 127.0.0.1:631 is only in use by cupsd when started. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
This bug was fixed in the package rpcbind - 0.2.3-0.2ubuntu0.16.04.1 --- rpcbind (0.2.3-0.2ubuntu0.16.04.1) xenial; urgency=medium * d/rules, d/control: - Add dh-autoreconf build-dep and force dh_autoreconf to fix FTBFS (LP: #1885389) * d/p/lp304393/0001-rpcbind-Disable-remote-calls-by-default.patch, d/p/lp304393/0002-rmt-calls.patch, d/p/lp304393/0003-change-rmtcalls-default-to-enabled.patch: - Allow disabling rmtcalls port binding (LP: #304393) -- Dan Streetman Mon, 10 Aug 2020 11:05:43 -0400 ** Changed in: rpcbind (Ubuntu Xenial) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/304393 Title: rpcbind grabs ports used by other daemons such as cupsd Status in cups package in Ubuntu: Invalid Status in rpcbind package in Ubuntu: Fix Released Status in rpcbind source package in Xenial: Fix Released Status in rpcbind source package in Bionic: Fix Released Status in rpcbind package in Debian: Fix Released Status in Fedora: Confirmed Bug description: [impact] rpcbind binds to a 'random' reserved port at startup, which can conflict with the reserved port number for other applications that actually 'own' the reserved port number. One example is cups, which uses the reserved port 631. This prevents the actual 'owner' of the reserved port from starting, since it can't bind to its reserved port. Additionally, this can raise alarms from security monitoring software that does not expect programs to be listening on random reserved ports. [test case] start rpcbind and check which ports it is listening on, e.g.: $ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind each time rpcbind is restarted, it will be listening to a different 'random' port. [regression potential] this adds a way to disable rpcbind from listening to the 'random' port. any regression would likely prevent rpcbind from starting, or may cause problems with the interaction between rpcinfo and rpcbind, as rpcinfo may use the random reserved port in some cases, as detailed in the Debian bug. [scope] This is needed only for Bionic and earlier. In Focal and later, and in Debian, rpcbind defaults to not opening the random reserved port. The admin can use the -r parameter to cause rpcbind to restore the old behavior of opening the random reserved port. [other info] Note that the -r parameter is a Debian addition, and the upstream rpcbind has disabled the random port functionality at build time; there is no runtime parameter to allow the admin to choose the behavior. Also, as discussed in the Debian bug, disabling this rpcbind 'feature' is known to cause problems for the rpcinfo program, which is why Debian introduced the -r parameter. So, when this -r parameter is backported to Bionic and earlier, we must retain the default behavior for those releases, which is for rpcbind to open the random reserved port. Thus, the patch for this will first backport the upstream patch that adds functionality to be able to disable the 'remote calls' function, and also backports the debian patch to change that from a compile-time to run-time option. Then, another patch is added, which changes the default back to the behavior of x/b, which is for remote calls to be enabled by default, and also adds a check for the existence of an environment variable "RPCBIND_RMTCALL_DEFAULT_DISABLED" which, if defined (to anything), will change the default to disabled. This allows 1) retaining the existing default behavior of rpcbind in x and b, while also 2) providing a mechanism to change that default for anyone who does *not* want remote calls to be enabled, and 3) allowing the mechanism to change the default to remain in place after an upgrade to Focal. Using the environment variable allows anyone to disable the remote calls in x and/or b, and then upgrade to Focal without breaking rpcbind or needing to remove the env var. After the upgrade to Focal, the environment variable (defined in /etc/default/rpcbind and/or /etc/rpcbind.conf) will simply be ignored without any change needed to the rpcbind package in Focal or later. [original description] Binary package hint: cups cups 1.3.9-2ubuntu4 From /var/log/cups/error_log: cups: unable to bind socket for address 127.0.0.1:631 - Address already in use. Nothing actually looks wrong. 127.0.0.1:631 is only in use by cupsd when started. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe :
[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
note there is only one xenial reverse-dep autopkgtest failure, for nfs- utils on s390x, and that test has always failed and can be ignored. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/304393 Title: rpcbind grabs ports used by other daemons such as cupsd Status in cups package in Ubuntu: Invalid Status in rpcbind package in Ubuntu: Fix Released Status in rpcbind source package in Xenial: Fix Committed Status in rpcbind source package in Bionic: Fix Released Status in rpcbind package in Debian: Fix Released Status in Fedora: Confirmed Bug description: [impact] rpcbind binds to a 'random' reserved port at startup, which can conflict with the reserved port number for other applications that actually 'own' the reserved port number. One example is cups, which uses the reserved port 631. This prevents the actual 'owner' of the reserved port from starting, since it can't bind to its reserved port. Additionally, this can raise alarms from security monitoring software that does not expect programs to be listening on random reserved ports. [test case] start rpcbind and check which ports it is listening on, e.g.: $ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind each time rpcbind is restarted, it will be listening to a different 'random' port. [regression potential] this adds a way to disable rpcbind from listening to the 'random' port. any regression would likely prevent rpcbind from starting, or may cause problems with the interaction between rpcinfo and rpcbind, as rpcinfo may use the random reserved port in some cases, as detailed in the Debian bug. [scope] This is needed only for Bionic and earlier. In Focal and later, and in Debian, rpcbind defaults to not opening the random reserved port. The admin can use the -r parameter to cause rpcbind to restore the old behavior of opening the random reserved port. [other info] Note that the -r parameter is a Debian addition, and the upstream rpcbind has disabled the random port functionality at build time; there is no runtime parameter to allow the admin to choose the behavior. Also, as discussed in the Debian bug, disabling this rpcbind 'feature' is known to cause problems for the rpcinfo program, which is why Debian introduced the -r parameter. So, when this -r parameter is backported to Bionic and earlier, we must retain the default behavior for those releases, which is for rpcbind to open the random reserved port. Thus, the patch for this will first backport the upstream patch that adds functionality to be able to disable the 'remote calls' function, and also backports the debian patch to change that from a compile-time to run-time option. Then, another patch is added, which changes the default back to the behavior of x/b, which is for remote calls to be enabled by default, and also adds a check for the existence of an environment variable "RPCBIND_RMTCALL_DEFAULT_DISABLED" which, if defined (to anything), will change the default to disabled. This allows 1) retaining the existing default behavior of rpcbind in x and b, while also 2) providing a mechanism to change that default for anyone who does *not* want remote calls to be enabled, and 3) allowing the mechanism to change the default to remain in place after an upgrade to Focal. Using the environment variable allows anyone to disable the remote calls in x and/or b, and then upgrade to Focal without breaking rpcbind or needing to remove the env var. After the upgrade to Focal, the environment variable (defined in /etc/default/rpcbind and/or /etc/rpcbind.conf) will simply be ignored without any change needed to the rpcbind package in Focal or later. [original description] Binary package hint: cups cups 1.3.9-2ubuntu4 From /var/log/cups/error_log: cups: unable to bind socket for address 127.0.0.1:631 - Address already in use. Nothing actually looks wrong. 127.0.0.1:631 is only in use by cupsd when started. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
ubuntu@lp304393-x:~$ dpkg -l|grep rpcbind ii rpcbind 0.2.3-0.2ubuntu0.1 amd64converts RPC program numbers into universal addresses ubuntu@lp304393-x:~$ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 *:927 *:* 13471/rpcbind same default behavior after upgrade: ubuntu@lp304393-x:~$ dpkg -l|grep rpcbind ii rpcbind 0.2.3-0.2ubuntu0.16.04.1 amd64converts RPC program numbers into universal addresses ubuntu@lp304393-x:~$ sudo systemctl restart rpcbind ubuntu@lp304393-x:~$ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 *:625 *:* 14441/rpcbind with parameter added, random port disabled: ubuntu@lp304393-x:~$ cat /etc/default/rpcbind RPCBIND_RMTCALL_DEFAULT_DISABLED=1 ubuntu@lp304393-x:~$ sudo systemctl restart rpcbind ubuntu@lp304393-x:~$ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc ubuntu@lp304393-x:~$ with parameter commented, default behavior restored: ubuntu@lp304393-x:~$ cat /etc/default/rpcbind #RPCBIND_RMTCALL_DEFAULT_DISABLED=1 ubuntu@lp304393-x:~$ sudo systemctl restart rpcbind ubuntu@lp304393-x:~$ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 *:660 *:* 14476/rpcbind ** Tags removed: verification-needed verification-needed-xenial ** Tags added: verification-done verification-done-xenial -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/304393 Title: rpcbind grabs ports used by other daemons such as cupsd Status in cups package in Ubuntu: Invalid Status in rpcbind package in Ubuntu: Fix Released Status in rpcbind source package in Xenial: Fix Committed Status in rpcbind source package in Bionic: Fix Released Status in rpcbind package in Debian: Fix Released Status in Fedora: Confirmed Bug description: [impact] rpcbind binds to a 'random' reserved port at startup, which can conflict with the reserved port number for other applications that actually 'own' the reserved port number. One example is cups, which uses the reserved port 631. This prevents the actual 'owner' of the reserved port from starting, since it can't bind to its reserved port. Additionally, this can raise alarms from security monitoring software that does not expect programs to be listening on random reserved ports. [test case] start rpcbind and check which ports it is listening on, e.g.: $ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind each time rpcbind is restarted, it will be listening to a different 'random' port. [regression potential] this adds a way to disable rpcbind from listening to the 'random' port. any regression would likely prevent rpcbind from starting, or may cause problems with the interaction between rpcinfo and rpcbind, as rpcinfo may use the random reserved port in some cases, as detailed in the Debian bug. [scope] This is needed only for Bionic and earlier. In Focal and later, and in Debian, rpcbind defaults to not opening the random reserved port. The admin can use the -r parameter to cause rpcbind to restore the old behavior of opening the random reserved port. [other info] Note that the -r parameter is a Debian addition, and the upstream rpcbind has disabled the random port functionality at build time; there is no runtime parameter to allow the admin to choose the behavior. Also, as discussed in the Debian bug, disabling this rpcbind 'feature' is known to cause problems for the rpcinfo program, which is why Debian introduced the -r parameter. So, when this -r parameter is backported to Bionic and earlier, we must retain the default behavior for those releases, which is for rpcbind to open the random reserved port. Thus, the patch for this will first backport the upstream patch that adds functionality to be able to disable the 'remote calls' function, and also backports the debian patch to change that from a compile-time to run-time option. Then, another patch is added, which changes the default back to the behavior of x/b, which is for remote calls to be enabled by default, and also adds a check for the existence of an environment variable "RPCBIND_RMTCALL_DEFAULT_DISABLED" which, if defined (to anything), will change the default to disabled. This allows 1) retaining the existing default behavior of rpcbind in x and b, while also 2) providing a mechanism to change that default for anyone who does *not* want remote calls to be enabled, and 3) allowing the mechanism to change the default to
[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
Hello Alvin, or anyone else affected, Accepted rpcbind into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/rpcbind/0.2.3-0.2ubuntu0.16.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-xenial. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: rpcbind (Ubuntu Xenial) Status: In Progress => Fix Committed ** Tags removed: verification-done ** Tags added: verification-needed verification-needed-xenial -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/304393 Title: rpcbind grabs ports used by other daemons such as cupsd Status in cups package in Ubuntu: Invalid Status in rpcbind package in Ubuntu: Fix Released Status in rpcbind source package in Xenial: Fix Committed Status in rpcbind source package in Bionic: Fix Released Status in rpcbind package in Debian: Fix Released Status in Fedora: Confirmed Bug description: [impact] rpcbind binds to a 'random' reserved port at startup, which can conflict with the reserved port number for other applications that actually 'own' the reserved port number. One example is cups, which uses the reserved port 631. This prevents the actual 'owner' of the reserved port from starting, since it can't bind to its reserved port. Additionally, this can raise alarms from security monitoring software that does not expect programs to be listening on random reserved ports. [test case] start rpcbind and check which ports it is listening on, e.g.: $ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind each time rpcbind is restarted, it will be listening to a different 'random' port. [regression potential] this adds a way to disable rpcbind from listening to the 'random' port. any regression would likely prevent rpcbind from starting, or may cause problems with the interaction between rpcinfo and rpcbind, as rpcinfo may use the random reserved port in some cases, as detailed in the Debian bug. [scope] This is needed only for Bionic and earlier. In Focal and later, and in Debian, rpcbind defaults to not opening the random reserved port. The admin can use the -r parameter to cause rpcbind to restore the old behavior of opening the random reserved port. [other info] Note that the -r parameter is a Debian addition, and the upstream rpcbind has disabled the random port functionality at build time; there is no runtime parameter to allow the admin to choose the behavior. Also, as discussed in the Debian bug, disabling this rpcbind 'feature' is known to cause problems for the rpcinfo program, which is why Debian introduced the -r parameter. So, when this -r parameter is backported to Bionic and earlier, we must retain the default behavior for those releases, which is for rpcbind to open the random reserved port. Thus, the patch for this will first backport the upstream patch that adds functionality to be able to disable the 'remote calls' function, and also backports the debian patch to change that from a compile-time to run-time option. Then, another patch is added, which changes the default back to the behavior of x/b, which is for remote calls to be enabled by default, and also adds a check for the existence of an environment variable "RPCBIND_RMTCALL_DEFAULT_DISABLED" which, if defined (to anything), will change the default to disabled. This allows 1) retaining the existing default behavior of rpcbind in x and b, while also 2) providing a mechanism to change that default for anyone who does *not* want remote calls to be enabled, and 3) allowing the mechanism to change the default to remain in place after an upgrade to Focal. Using the environment variable allows anyone to disable the remote calls in x and/or b, and then upgrade
[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
This bug was fixed in the package rpcbind - 0.2.3-0.6ubuntu0.18.04.1 --- rpcbind (0.2.3-0.6ubuntu0.18.04.1) bionic; urgency=medium * d/rules: force dh_autoreconf to fix FTBFS (LP: #1885389) * d/p/lp304393/0001-rpcbind-Disable-remote-calls-by-default.patch, d/p/lp304393/0002-rmt-calls.patch, d/p/lp304393/0003-change-rmtcalls-default-to-enabled.patch: - Allow disabling rmtcalls port binding (LP: #304393) -- Dan Streetman Tue, 04 Aug 2020 17:17:50 -0400 ** Changed in: rpcbind (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/304393 Title: rpcbind grabs ports used by other daemons such as cupsd Status in cups package in Ubuntu: Invalid Status in rpcbind package in Ubuntu: Fix Released Status in rpcbind source package in Xenial: In Progress Status in rpcbind source package in Bionic: Fix Released Status in rpcbind package in Debian: Fix Released Status in Fedora: Confirmed Bug description: [impact] rpcbind binds to a 'random' reserved port at startup, which can conflict with the reserved port number for other applications that actually 'own' the reserved port number. One example is cups, which uses the reserved port 631. This prevents the actual 'owner' of the reserved port from starting, since it can't bind to its reserved port. Additionally, this can raise alarms from security monitoring software that does not expect programs to be listening on random reserved ports. [test case] start rpcbind and check which ports it is listening on, e.g.: $ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind each time rpcbind is restarted, it will be listening to a different 'random' port. [regression potential] this adds a way to disable rpcbind from listening to the 'random' port. any regression would likely prevent rpcbind from starting, or may cause problems with the interaction between rpcinfo and rpcbind, as rpcinfo may use the random reserved port in some cases, as detailed in the Debian bug. [scope] This is needed only for Bionic and earlier. In Focal and later, and in Debian, rpcbind defaults to not opening the random reserved port. The admin can use the -r parameter to cause rpcbind to restore the old behavior of opening the random reserved port. [other info] Note that the -r parameter is a Debian addition, and the upstream rpcbind has disabled the random port functionality at build time; there is no runtime parameter to allow the admin to choose the behavior. Also, as discussed in the Debian bug, disabling this rpcbind 'feature' is known to cause problems for the rpcinfo program, which is why Debian introduced the -r parameter. So, when this -r parameter is backported to Bionic and earlier, we must retain the default behavior for those releases, which is for rpcbind to open the random reserved port. Thus, the patch for this will first backport the upstream patch that adds functionality to be able to disable the 'remote calls' function, and also backports the debian patch to change that from a compile-time to run-time option. Then, another patch is added, which changes the default back to the behavior of x/b, which is for remote calls to be enabled by default, and also adds a check for the existence of an environment variable "RPCBIND_RMTCALL_DEFAULT_DISABLED" which, if defined (to anything), will change the default to disabled. This allows 1) retaining the existing default behavior of rpcbind in x and b, while also 2) providing a mechanism to change that default for anyone who does *not* want remote calls to be enabled, and 3) allowing the mechanism to change the default to remain in place after an upgrade to Focal. Using the environment variable allows anyone to disable the remote calls in x and/or b, and then upgrade to Focal without breaking rpcbind or needing to remove the env var. After the upgrade to Focal, the environment variable (defined in /etc/default/rpcbind and/or /etc/rpcbind.conf) will simply be ignored without any change needed to the rpcbind package in Focal or later. [original description] Binary package hint: cups cups 1.3.9-2ubuntu4 From /var/log/cups/error_log: cups: unable to bind socket for address 127.0.0.1:631 - Address already in use. Nothing actually looks wrong. 127.0.0.1:631 is only in use by cupsd when started. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help :
[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
The Ubuntu Xenial SRU looks fine in principle but is currently blocked until the previous SRU is released. I've not reviewed this in detail yet. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/304393 Title: rpcbind grabs ports used by other daemons such as cupsd Status in cups package in Ubuntu: Invalid Status in rpcbind package in Ubuntu: Fix Released Status in rpcbind source package in Xenial: In Progress Status in rpcbind source package in Bionic: Fix Committed Status in rpcbind package in Debian: Fix Released Status in Fedora: Confirmed Bug description: [impact] rpcbind binds to a 'random' reserved port at startup, which can conflict with the reserved port number for other applications that actually 'own' the reserved port number. One example is cups, which uses the reserved port 631. This prevents the actual 'owner' of the reserved port from starting, since it can't bind to its reserved port. Additionally, this can raise alarms from security monitoring software that does not expect programs to be listening on random reserved ports. [test case] start rpcbind and check which ports it is listening on, e.g.: $ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind each time rpcbind is restarted, it will be listening to a different 'random' port. [regression potential] this adds a way to disable rpcbind from listening to the 'random' port. any regression would likely prevent rpcbind from starting, or may cause problems with the interaction between rpcinfo and rpcbind, as rpcinfo may use the random reserved port in some cases, as detailed in the Debian bug. [scope] This is needed only for Bionic and earlier. In Focal and later, and in Debian, rpcbind defaults to not opening the random reserved port. The admin can use the -r parameter to cause rpcbind to restore the old behavior of opening the random reserved port. [other info] Note that the -r parameter is a Debian addition, and the upstream rpcbind has disabled the random port functionality at build time; there is no runtime parameter to allow the admin to choose the behavior. Also, as discussed in the Debian bug, disabling this rpcbind 'feature' is known to cause problems for the rpcinfo program, which is why Debian introduced the -r parameter. So, when this -r parameter is backported to Bionic and earlier, we must retain the default behavior for those releases, which is for rpcbind to open the random reserved port. Thus, the patch for this will first backport the upstream patch that adds functionality to be able to disable the 'remote calls' function, and also backports the debian patch to change that from a compile-time to run-time option. Then, another patch is added, which changes the default back to the behavior of x/b, which is for remote calls to be enabled by default, and also adds a check for the existence of an environment variable "RPCBIND_RMTCALL_DEFAULT_DISABLED" which, if defined (to anything), will change the default to disabled. This allows 1) retaining the existing default behavior of rpcbind in x and b, while also 2) providing a mechanism to change that default for anyone who does *not* want remote calls to be enabled, and 3) allowing the mechanism to change the default to remain in place after an upgrade to Focal. Using the environment variable allows anyone to disable the remote calls in x and/or b, and then upgrade to Focal without breaking rpcbind or needing to remove the env var. After the upgrade to Focal, the environment variable (defined in /etc/default/rpcbind and/or /etc/rpcbind.conf) will simply be ignored without any change needed to the rpcbind package in Focal or later. [original description] Binary package hint: cups cups 1.3.9-2ubuntu4 From /var/log/cups/error_log: cups: unable to bind socket for address 127.0.0.1:631 - Address already in use. Nothing actually looks wrong. 127.0.0.1:631 is only in use by cupsd when started. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
bionic verification: ubuntu@lp304393-b:~$ dpkg -l|grep rpcbind ii rpcbind 0.2.3-0.6 amd64 converts RPC program numbers into universal addresses ubuntu@lp304393-b:~$ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:788 0.0.0.0:* 13332/rpcbind after upgrade, same default behavior: ubuntu@lp304393-b:~$ dpkg -l|grep rpcbind ii rpcbind 0.2.3-0.6ubuntu0.18.04.1amd64 converts RPC program numbers into universal addresses ubuntu@lp304393-b:~$ sudo systemctl restart rpcbind ubuntu@lp304393-b:~$ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:707 0.0.0.0:* 14099/rpcbind with parameter set, random port is disabled: ubuntu@lp304393-b:~$ cat /etc/default/rpcbind RPCBIND_RMTCALL_DEFAULT_DISABLED=1 ubuntu@lp304393-b:~$ sudo systemctl restart rpcbind ubuntu@lp304393-b:~$ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc ubuntu@lp304393-b:~$ with param commented, default behavior restored: ubuntu@lp304393-b:~$ cat /etc/default/rpcbind #RPCBIND_RMTCALL_DEFAULT_DISABLED=1 ubuntu@lp304393-b:~$ sudo systemctl restart rpcbind ubuntu@lp304393-b:~$ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:877 0.0.0.0:* 14269/rpcbind ** Tags removed: verification-needed verification-needed-bionic ** Tags added: verification-done verification-done-bionic -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/304393 Title: rpcbind grabs ports used by other daemons such as cupsd Status in cups package in Ubuntu: Invalid Status in rpcbind package in Ubuntu: Fix Released Status in rpcbind source package in Xenial: In Progress Status in rpcbind source package in Bionic: Fix Committed Status in rpcbind package in Debian: Fix Released Status in Fedora: Confirmed Bug description: [impact] rpcbind binds to a 'random' reserved port at startup, which can conflict with the reserved port number for other applications that actually 'own' the reserved port number. One example is cups, which uses the reserved port 631. This prevents the actual 'owner' of the reserved port from starting, since it can't bind to its reserved port. Additionally, this can raise alarms from security monitoring software that does not expect programs to be listening on random reserved ports. [test case] start rpcbind and check which ports it is listening on, e.g.: $ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind each time rpcbind is restarted, it will be listening to a different 'random' port. [regression potential] this adds a way to disable rpcbind from listening to the 'random' port. any regression would likely prevent rpcbind from starting, or may cause problems with the interaction between rpcinfo and rpcbind, as rpcinfo may use the random reserved port in some cases, as detailed in the Debian bug. [scope] This is needed only for Bionic and earlier. In Focal and later, and in Debian, rpcbind defaults to not opening the random reserved port. The admin can use the -r parameter to cause rpcbind to restore the old behavior of opening the random reserved port. [other info] Note that the -r parameter is a Debian addition, and the upstream rpcbind has disabled the random port functionality at build time; there is no runtime parameter to allow the admin to choose the behavior. Also, as discussed in the Debian bug, disabling this rpcbind 'feature' is known to cause problems for the rpcinfo program, which is why Debian introduced the -r parameter. So, when this -r parameter is backported to Bionic and earlier, we must retain the default behavior for those releases, which is for rpcbind to open the random reserved port. Thus, the patch for this will first backport the upstream patch that adds functionality to be able to disable the 'remote calls' function, and also backports the debian patch to change that from a compile-time to run-time option. Then, another patch is added, which changes the default back to the behavior of x/b, which is for remote calls to be enabled by default, and also adds a check for the existence of an environment variable "RPCBIND_RMTCALL_DEFAULT_DISABLED" which, if defined (to anything), will change the default to disabled. This allows 1) retaining the existing default behavior of rpcbind in x and b, while also 2) providing a mechanism to change that default for anyone who does *not* want remote calls to be enabled, and 3) allowing the mechanism to change
[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
Hello Alvin, or anyone else affected, Accepted rpcbind into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/rpcbind/0.2.3-0.6ubuntu0.18.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-bionic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: rpcbind (Ubuntu Bionic) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-bionic -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/304393 Title: rpcbind grabs ports used by other daemons such as cupsd Status in cups package in Ubuntu: Invalid Status in rpcbind package in Ubuntu: Fix Released Status in rpcbind source package in Xenial: In Progress Status in rpcbind source package in Bionic: Fix Committed Status in rpcbind package in Debian: Fix Released Status in Fedora: Confirmed Bug description: [impact] rpcbind binds to a 'random' reserved port at startup, which can conflict with the reserved port number for other applications that actually 'own' the reserved port number. One example is cups, which uses the reserved port 631. This prevents the actual 'owner' of the reserved port from starting, since it can't bind to its reserved port. Additionally, this can raise alarms from security monitoring software that does not expect programs to be listening on random reserved ports. [test case] start rpcbind and check which ports it is listening on, e.g.: $ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind each time rpcbind is restarted, it will be listening to a different 'random' port. [regression potential] this adds a way to disable rpcbind from listening to the 'random' port. any regression would likely prevent rpcbind from starting, or may cause problems with the interaction between rpcinfo and rpcbind, as rpcinfo may use the random reserved port in some cases, as detailed in the Debian bug. [scope] This is needed only for Bionic and earlier. In Focal and later, and in Debian, rpcbind defaults to not opening the random reserved port. The admin can use the -r parameter to cause rpcbind to restore the old behavior of opening the random reserved port. [other info] Note that the -r parameter is a Debian addition, and the upstream rpcbind has disabled the random port functionality at build time; there is no runtime parameter to allow the admin to choose the behavior. Also, as discussed in the Debian bug, disabling this rpcbind 'feature' is known to cause problems for the rpcinfo program, which is why Debian introduced the -r parameter. So, when this -r parameter is backported to Bionic and earlier, we must retain the default behavior for those releases, which is for rpcbind to open the random reserved port. Thus, the patch for this will first backport the upstream patch that adds functionality to be able to disable the 'remote calls' function, and also backports the debian patch to change that from a compile-time to run-time option. Then, another patch is added, which changes the default back to the behavior of x/b, which is for remote calls to be enabled by default, and also adds a check for the existence of an environment variable "RPCBIND_RMTCALL_DEFAULT_DISABLED" which, if defined (to anything), will change the default to disabled. This allows 1) retaining the existing default behavior of rpcbind in x and b, while also 2) providing a mechanism to change that default for anyone who does *not* want remote calls to be enabled, and 3) allowing the mechanism to change the default to remain in place after an upgrade to Focal. Using the environment variable allows anyone to disable the remote calls in x and/or b, and then upgrade to Focal without breaking rpcbind
[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
** Description changed: [impact] rpcbind binds to a 'random' reserved port at startup, which can conflict with the reserved port number for other applications that actually 'own' the reserved port number. One example is cups, which uses the reserved port 631. This prevents the actual 'owner' of the reserved port from starting, since it can't bind to its reserved port. Additionally, this can raise alarms from security monitoring software that does not expect programs to be listening on random reserved ports. [test case] start rpcbind and check which ports it is listening on, e.g.: $ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind each time rpcbind is restarted, it will be listening to a different 'random' port. [regression potential] this adds a way to disable rpcbind from listening to the 'random' port. any regression would likely prevent rpcbind from starting, or may cause problems with the interaction between rpcinfo and rpcbind, as rpcinfo may use the random reserved port in some cases, as detailed in the Debian bug. [scope] This is needed only for Bionic and earlier. In Focal and later, and in Debian, rpcbind defaults to not opening the random reserved port. The admin can use the -r parameter to cause rpcbind to restore the old behavior of opening the random reserved port. [other info] Note that the -r parameter is a Debian addition, and the upstream rpcbind has disabled the random port functionality at build time; there is no runtime parameter to allow the admin to choose the behavior. Also, as discussed in the Debian bug, disabling this rpcbind 'feature' is known to cause problems for the rpcinfo program, which is why Debian introduced the -r parameter. So, when this -r parameter is backported to Bionic and earlier, we must retain the default behavior for those releases, which is for rpcbind to open the random reserved port. Thus, the patch for this will first backport the upstream patch that adds functionality to be able to disable the 'remote calls' function, and also backports the debian patch to change that from a compile-time to run-time option. Then, another patch is added, which changes the default back to the behavior of x/b, which is for remote calls to be enabled by default, - and also adds a check for the existence of an environment variable "RPCBIND_RMTCALLS_DEFAULT_DISABLED" which, if defined (to anything), will change the default to disabled. + and also adds a check for the existence of an environment variable "RPCBIND_RMTCALL_DEFAULT_DISABLED" which, if defined (to anything), will change the default to disabled. This allows 1) retaining the existing default behavior of rpcbind in x and b, while also 2) providing a mechanism to change that default for anyone who does *not* want remote calls to be enabled, and 3) allowing the mechanism to change the default to remain in place after an upgrade to Focal. Using the environment variable, instead of changing or adding the cmdline parameter, allows anyone using the variable to disable the remote calls default to upgrade to Focal without breaking rpcbind. After the upgrade to Focal, the environment variable (defined in /etc/default/rpcbind and/or /etc/rpcbind.conf) will simply be ignored without any change needed to the rpcbind package in Focal or later. [original description] As this backports that functionality, it Binary package hint: cups cups 1.3.9-2ubuntu4 From /var/log/cups/error_log: cups: unable to bind socket for address 127.0.0.1:631 - Address already in use. Nothing actually looks wrong. 127.0.0.1:631 is only in use by cupsd when started. ** Description changed: [impact] rpcbind binds to a 'random' reserved port at startup, which can conflict with the reserved port number for other applications that actually 'own' the reserved port number. One example is cups, which uses the reserved port 631. This prevents the actual 'owner' of the reserved port from starting, since it can't bind to its reserved port. Additionally, this can raise alarms from security monitoring software that does not expect programs to be listening on random reserved ports. [test case] start rpcbind and check which ports it is listening on, e.g.: $ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind each time rpcbind is restarted, it will be listening to a different 'random' port. [regression potential] this adds a way to disable rpcbind from listening to the 'random' port. any regression would likely prevent rpcbind from starting, or may cause problems with the interaction between rpcinfo and rpcbind, as rpcinfo
[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
** Tags added: sts -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/304393 Title: rpcbind grabs ports used by other daemons such as cupsd Status in cups package in Ubuntu: Invalid Status in rpcbind package in Ubuntu: Fix Released Status in rpcbind source package in Xenial: In Progress Status in rpcbind source package in Bionic: In Progress Status in rpcbind package in Debian: Fix Released Status in Fedora: Confirmed Bug description: [impact] rpcbind binds to a 'random' reserved port at startup, which can conflict with the reserved port number for other applications that actually 'own' the reserved port number. One example is cups, which uses the reserved port 631. This prevents the actual 'owner' of the reserved port from starting, since it can't bind to its reserved port. Additionally, this can raise alarms from security monitoring software that does not expect programs to be listening on random reserved ports. [test case] start rpcbind and check which ports it is listening on, e.g.: $ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind each time rpcbind is restarted, it will be listening to a different 'random' port. [regression potential] this adds a way to disable rpcbind from listening to the 'random' port. any regression would likely prevent rpcbind from starting, or may cause problems with the interaction between rpcinfo and rpcbind, as rpcinfo may use the random reserved port in some cases, as detailed in the Debian bug. [scope] This is needed only for Bionic and earlier. In Focal and later, and in Debian, rpcbind defaults to not opening the random reserved port. The admin can use the -r parameter to cause rpcbind to restore the old behavior of opening the random reserved port. [other info] Note that the -r parameter is a Debian addition, and the upstream rpcbind has disabled the random port functionality at build time; there is no runtime parameter to allow the admin to choose the behavior. Also, as discussed in the Debian bug, disabling this rpcbind 'feature' is known to cause problems for the rpcinfo program, which is why Debian introduced the -r parameter. So, when this -r parameter is backported to Bionic and earlier, we must retain the default behavior for those releases, which is for rpcbind to open the random reserved port. Thus, the patch for this will first backport the upstream patch that adds functionality to be able to disable the 'remote calls' function, and also backports the debian patch to change that from a compile-time to run-time option. Then, another patch is added, which changes the default back to the behavior of x/b, which is for remote calls to be enabled by default, and also adds a check for the existence of an environment variable "RPCBIND_RMTCALLS_DEFAULT_DISABLED" which, if defined (to anything), will change the default to disabled. This allows 1) retaining the existing default behavior of rpcbind in x and b, while also 2) providing a mechanism to change that default for anyone who does *not* want remote calls to be enabled, and 3) allowing the mechanism to change the default to remain in place after an upgrade to Focal. Using the environment variable, instead of changing or adding the cmdline parameter, allows anyone using the variable to disable the remote calls default to upgrade to Focal without breaking rpcbind. After the upgrade to Focal, the environment variable (defined in /etc/default/rpcbind and/or /etc/rpcbind.conf) will simply be ignored without any change needed to the rpcbind package in Focal or later. [original description] As this backports that functionality, it Binary package hint: cups cups 1.3.9-2ubuntu4 From /var/log/cups/error_log: cups: unable to bind socket for address 127.0.0.1:631 - Address already in use. Nothing actually looks wrong. 127.0.0.1:631 is only in use by cupsd when started. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
** Description changed: [impact] rpcbind binds to a 'random' reserved port at startup, which can conflict with the reserved port number for other applications that actually 'own' the reserved port number. One example is cups, which uses the reserved port 631. This prevents the actual 'owner' of the reserved port from starting, since it can't bind to its reserved port. Additionally, this can raise alarms from security monitoring software that does not expect programs to be listening on random reserved ports. [test case] start rpcbind and check which ports it is listening on, e.g.: $ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc - udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind + udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind each time rpcbind is restarted, it will be listening to a different 'random' port. [regression potential] - this adds a method to disable rpcbind from listening to the 'random' - port. any regression would likely prevent rpcbind from starting, or may - cause problems with the interaction between rpcinfo and rpcbind, as - rpcinfo may use the random reserved port in some cases, as detailed in - the Debian bug. + this adds a way to disable rpcbind from listening to the 'random' port. + any regression would likely prevent rpcbind from starting, or may cause + problems with the interaction between rpcinfo and rpcbind, as rpcinfo + may use the random reserved port in some cases, as detailed in the + Debian bug. [scope] This is needed only for Bionic and earlier. In Focal and later, and in Debian, rpcbind defaults to not opening the random reserved port. The admin can use the -r parameter to cause rpcbind to restore the old behavior of opening the random reserved port. [other info] Note that the -r parameter is a Debian addition, and the upstream rpcbind has disabled the random port functionality at build time; there is no runtime parameter to allow the admin to choose the behavior. Also, as discussed in the Debian bug, disabling this rpcbind 'feature' is known to cause problems for the rpcinfo program, which is why Debian introduced the -r parameter. So, when this -r parameter is backported to Bionic and earlier, we must retain the default behavior for those releases, which is for rpcbind to open the random reserved port. - TBD: specific method to disable rmtcalls in backport + Thus, the patch for this will first backport the upstream patch that adds functionality to be able to disable the 'remote calls' function, and also backports the debian patch to change that from a compile-time to run-time option. Then, another patch is added, which changes the default back to the behavior of x/b, which is for remote calls to be enabled by default, + and also adds a check for the existence of an environment variable "RPCBIND_RMTCALLS_DEFAULT_DISABLED" which, if defined (to anything), will change the default to disabled. + This allows 1) retaining the existing default behavior of rpcbind in x + and b, while also 2) providing a mechanism to change that default for + anyone who does *not* want remote calls to be enabled, and 3) allowing + the mechanism to change the default to remain in place after an upgrade + to Focal. Using the environment variable, instead of changing or adding + the cmdline parameter, allows anyone using the variable to disable the + remote calls default to upgrade to Focal without breaking rpcbind. After + the upgrade to Focal, the environment variable (defined in + /etc/default/rpcbind and/or /etc/rpcbind.conf) will simply be ignored + without any change needed to the rpcbind package in Focal or later. [original description] As this backports that functionality, it Binary package hint: cups cups 1.3.9-2ubuntu4 From /var/log/cups/error_log: cups: unable to bind socket for address 127.0.0.1:631 - Address already in use. Nothing actually looks wrong. 127.0.0.1:631 is only in use by cupsd when started. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/304393 Title: rpcbind grabs ports used by other daemons such as cupsd Status in cups package in Ubuntu: Invalid Status in rpcbind package in Ubuntu: Fix Released Status in rpcbind source package in Xenial: In Progress Status in rpcbind source package in Bionic: In Progress Status in rpcbind package in Debian: Fix Released Status in Fedora: Confirmed Bug description: [impact] rpcbind binds to a 'random' reserved port at startup, which can conflict with the reserved port number for other applications that actually 'own' the reserved port number. One example is cups, which uses the reserved port 631. This prevents the actual 'owner' of the reserved
[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
** Changed in: rpcbind (Debian) Status: Unknown => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/304393 Title: rpcbind grabs ports used by other daemons such as cupsd Status in cups package in Ubuntu: Invalid Status in rpcbind package in Ubuntu: Fix Released Status in rpcbind source package in Xenial: In Progress Status in rpcbind source package in Bionic: In Progress Status in rpcbind package in Debian: Fix Released Status in Fedora: Confirmed Bug description: [impact] rpcbind binds to a 'random' reserved port at startup, which can conflict with the reserved port number for other applications that actually 'own' the reserved port number. One example is cups, which uses the reserved port 631. This prevents the actual 'owner' of the reserved port from starting, since it can't bind to its reserved port. Additionally, this can raise alarms from security monitoring software that does not expect programs to be listening on random reserved ports. [test case] start rpcbind and check which ports it is listening on, e.g.: $ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind each time rpcbind is restarted, it will be listening to a different 'random' port. [regression potential] this adds a method to disable rpcbind from listening to the 'random' port. any regression would likely prevent rpcbind from starting, or may cause problems with the interaction between rpcinfo and rpcbind, as rpcinfo may use the random reserved port in some cases, as detailed in the Debian bug. [scope] This is needed only for Bionic and earlier. In Focal and later, and in Debian, rpcbind defaults to not opening the random reserved port. The admin can use the -r parameter to cause rpcbind to restore the old behavior of opening the random reserved port. [other info] Note that the -r parameter is a Debian addition, and the upstream rpcbind has disabled the random port functionality at build time; there is no runtime parameter to allow the admin to choose the behavior. Also, as discussed in the Debian bug, disabling this rpcbind 'feature' is known to cause problems for the rpcinfo program, which is why Debian introduced the -r parameter. So, when this -r parameter is backported to Bionic and earlier, we must retain the default behavior for those releases, which is for rpcbind to open the random reserved port. TBD: specific method to disable rmtcalls in backport [original description] As this backports that functionality, it Binary package hint: cups cups 1.3.9-2ubuntu4 From /var/log/cups/error_log: cups: unable to bind socket for address 127.0.0.1:631 - Address already in use. Nothing actually looks wrong. 127.0.0.1:631 is only in use by cupsd when started. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
** Description changed: + [impact] + + rpcbind binds to a 'random' reserved port at startup, which can conflict + with the reserved port number for other applications that actually 'own' + the reserved port number. One example is cups, which uses the reserved + port 631. + + This prevents the actual 'owner' of the reserved port from starting, + since it can't bind to its reserved port. + + Additionally, this can raise alarms from security monitoring software + that does not expect programs to be listening on random reserved ports. + + [test case] + + start rpcbind and check which ports it is listening on, e.g.: + + $ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc + udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind + + each time rpcbind is restarted, it will be listening to a different + 'random' port. + + [regression potential] + + this adds a method to disable rpcbind from listening to the 'random' + port. any regression would likely prevent rpcbind from starting, or may + cause problems with the interaction between rpcinfo and rpcbind, as + rpcinfo may use the random reserved port in some cases, as detailed in + the Debian bug. + + [scope] + + This is needed only for Bionic and earlier. + + In Focal and later, and in Debian, rpcbind defaults to not opening the + random reserved port. The admin can use the -r parameter to cause + rpcbind to restore the old behavior of opening the random reserved port. + + [other info] + + Note that the -r parameter is a Debian addition, and the upstream + rpcbind has disabled the random port functionality at build time; there + is no runtime parameter to allow the admin to choose the behavior. + + Also, as discussed in the Debian bug, disabling this rpcbind 'feature' + is known to cause problems for the rpcinfo program, which is why Debian + introduced the -r parameter. So, when this -r parameter is backported to + Bionic and earlier, we must retain the default behavior for those + releases, which is for rpcbind to open the random reserved port. + + TBD: specific method to disable rmtcalls in backport + + + [original description] + + As this backports that functionality, it + Binary package hint: cups cups 1.3.9-2ubuntu4 From /var/log/cups/error_log: cups: unable to bind socket for address 127.0.0.1:631 - Address already in use. Nothing actually looks wrong. 127.0.0.1:631 is only in use by cupsd when started. ** Changed in: rpcbind (Ubuntu Bionic) Assignee: (unassigned) => Dan Streetman (ddstreet) ** Changed in: rpcbind (Ubuntu Xenial) Assignee: (unassigned) => Dan Streetman (ddstreet) ** Changed in: rpcbind (Ubuntu Bionic) Importance: Undecided => Medium ** Changed in: rpcbind (Ubuntu Xenial) Importance: Undecided => Medium ** Changed in: rpcbind (Ubuntu Bionic) Status: New => In Progress ** Changed in: rpcbind (Ubuntu Xenial) Status: New => In Progress ** Changed in: rpcbind (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/304393 Title: rpcbind grabs ports used by other daemons such as cupsd Status in cups package in Ubuntu: Invalid Status in rpcbind package in Ubuntu: Fix Released Status in rpcbind source package in Xenial: In Progress Status in rpcbind source package in Bionic: In Progress Status in rpcbind package in Debian: Unknown Status in Fedora: Confirmed Bug description: [impact] rpcbind binds to a 'random' reserved port at startup, which can conflict with the reserved port number for other applications that actually 'own' the reserved port number. One example is cups, which uses the reserved port 631. This prevents the actual 'owner' of the reserved port from starting, since it can't bind to its reserved port. Additionally, this can raise alarms from security monitoring software that does not expect programs to be listening on random reserved ports. [test case] start rpcbind and check which ports it is listening on, e.g.: $ sudo netstat --inet -p -l | grep rpcbind | grep -v sunrpc udp0 0 0.0.0.0:614 0.0.0.0:* 4678/rpcbind each time rpcbind is restarted, it will be listening to a different 'random' port. [regression potential] this adds a method to disable rpcbind from listening to the 'random' port. any regression would likely prevent rpcbind from starting, or may cause problems with the interaction between rpcinfo and rpcbind, as rpcinfo may use the random reserved port in some cases, as detailed in the Debian bug. [scope] This is needed only for Bionic and earlier. In Focal and later, and in Debian, rpcbind defaults to not opening the random reserved port. The admin can use the -r parameter to cause rpcbind to restore the old
[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
** Also affects: cups (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: rpcbind (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: cups (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: rpcbind (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: cups (Ubuntu) Status: Confirmed => Invalid ** No longer affects: cups (Ubuntu Xenial) ** No longer affects: cups (Ubuntu Bionic) ** Bug watch added: Debian Bug tracker #939890 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939890 ** Also affects: rpcbind (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939890 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/304393 Title: rpcbind grabs ports used by other daemons such as cupsd Status in cups package in Ubuntu: Invalid Status in rpcbind package in Ubuntu: New Status in rpcbind source package in Xenial: New Status in rpcbind source package in Bionic: New Status in rpcbind package in Debian: Unknown Status in Fedora: Confirmed Bug description: Binary package hint: cups cups 1.3.9-2ubuntu4 From /var/log/cups/error_log: cups: unable to bind socket for address 127.0.0.1:631 - Address already in use. Nothing actually looks wrong. 127.0.0.1:631 is only in use by cupsd when started. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
Launchpad has imported 77 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=103401. If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking. On 2003-08-29T20:13:45+00:00 sbonnevi wrote: Description of problem: On boot, ypbind occasionally grabs port 631/udp, blocking CUPS from binding to the port. This is a glibc problem because ypbind is a RPC service that has its port assigned dynamically through bindresvport(). The code in libc/sunrpc/bindrsvprt.c shows the port number is assigned purely based on the PID of the ypbind process, something like port = (PID % 424) + 600 The PID seems to vary slightly from reboot to reboot, but generally is in the 870s on the machine in question, resulting in ports assigned in the vicinity of 630. CUPS (actually, IPP) has ports 631/tcp and 631/udp reserved. NIS starts first, so it wins, and since CUPS has a reserved Well Known Port, it can't relocate and loses. Version-Release number of selected component (if applicable): glibc-2.3.2-27.9 How reproducible: Depends entirely on the PID handed to ypbind on boot, and the exact set of services configured affects this. Suggested Fix: The glibc algorithm already blacklists all reserved ports below 600, presumably to avoid this exact problem. Consider altering the code to blacklist 5 to 8 additional ports in the 600-1023 range that are or may be in common use: 631 (IPP == CUPS) 636 (LDAPS) 749 (Kerberos V kadmin) 873 (rsyncd) 992-995 (SSL-enabled telnet, IMAP, IRC, and POP3) The ports lost could be recovered, if desired, by allowing ports in the 590-600 range to be assigned by bindrsvprt(). Reply at: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/comments/0 On 2003-09-01T21:43:29+00:00 jakub wrote: According to Ulrich Drepper, daemons requiring specific ports in the 600-1023 range need to be started before any daemons using bindresvport. Reply at: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/comments/1 On 2003-09-02T16:29:53+00:00 twaugh wrote: I think that portmap ought to be tought how to avoid a list of ports. Otherwise, once I've stopped cupsd (for whatever reason) and restarted ypbind, I can no longer be sure that cupsd will ever start again. Reply at: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/comments/2 On 2003-09-02T21:06:25+00:00 twaugh wrote: (see above comment) Reply at: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/comments/3 On 2003-09-03T06:04:59+00:00 sbonnevi wrote: If you accept Ulrich's argument that this is a service bug, then this is NOT just a CUPS bug. It's also a bug against xinetd-2.3.12-0.3E, openldap-2.0.27-9, and krb5-server-1.2.7-15. ALL of the services in the distribution that I know about that use Well Known Ports in the 600-1023 range start up AFTER ypbind, not before! Reply at: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/comments/4 On 2003-09-03T15:04:29+00:00 twaugh wrote: This problem should be solved in portmap. Here is a proof-of-concept, which I think should be merged into portmap: http://cyberelk.net/tim/portreserve. In summary: portmap should read a directory of configuration files, one per daemon, each containing the name of the service that is out of bounds. (I know that bindresvport is the culprit, but what other users of that are there really?) Reply at: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/comments/5 On 2003-11-15T00:51:46+00:00 sbonnevi wrote: I'm moving this to RHEL 3 because we're still seeing this in operation on servers with that version installed. I don't know what else uses bindresvport, if anything, I just know that if you have ypserv and CUPS running, there's a pretty decent chance of a collision on boot which breaks CUPS. Reply at: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/comments/6 On 2003-12-24T10:32:08+00:00 jorton wrote: spamassassin's spamd is another possible collision (though not in RHEL), it uses port 783 by default. Reply at: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/comments/7 On 2004-01-07T04:50:06+00:00 aleksey wrote: *** Bug
[Desktop-packages] [Bug 304393] Re: rpcbind grabs ports used by other daemons such as cupsd
** Changed in: fedora Status: Unknown => Confirmed ** Changed in: fedora Importance: Unknown => Critical -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/304393 Title: rpcbind grabs ports used by other daemons such as cupsd Status in cups package in Ubuntu: Confirmed Status in rpcbind package in Ubuntu: New Status in Fedora: Confirmed Bug description: Binary package hint: cups cups 1.3.9-2ubuntu4 From /var/log/cups/error_log: cups: unable to bind socket for address 127.0.0.1:631 - Address already in use. Nothing actually looks wrong. 127.0.0.1:631 is only in use by cupsd when started. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/304393/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
