On 09/05/2014 11:24 PM, Burton, Ross wrote:
> On 12 August 2014 09:44, Li.Wang <li.w...@windriver.com> wrote:
> > Opening random ports in privileged port range, among them one port that
> > identifies itself as pop3s, is not a good practice. Both Ericsson and our
> > customers run regular vulnerability assessment tools against our product,
> > and this will clearly be seen as a potential problem. Furthermore, we will
> > not be able to filter the ports, since they are random, and neither will we
> > be able to provide decent answers to our customers. To summarize: this
> > should be taken care of, i.e. fix rpcbind so that it uses a non-random port
> > and/or to bind to a specific interface.
>
> This has been bothering me so I just did some digging. rpcbind
> opening random ports is rather "misguided" but it appears that passing
> -s to rpcbind will cause it to drop its privs and setuid down to
> "daemon", with the side-effect that it can't open the privileged ports
> anymore.
>
> (source: http://wiki.metawerx.net/wiki/setrpcrandomport)
>
> Ross

This approach uses a dynamic library, and I use a command option which inserts
code into rpcbind.
I think our thoughts are the same, but the implementations are different.
Indeed, rpcbind has two random ports:
one can be fixed by a configuration file.
The patch is to point at the other one.

Thanks,
LiWang.
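As an added audit check, not code from this thread, from rpcbind or from OpenEmbedded, the following parses `ss -tulpn` output and reports every rpcbind socket that is not on the registered portmapper port 111, marking which of them sit in the privileged range (the ones the thread says `-s` would stop rpcbind from opening). The `ss` output embedded below is constructed sample data.

```python
# Constructed sample of `ss -tulpn` output (not captured from a real host):
# rpcbind on its registered port 111 plus two extra listeners, one of them
# on a random privileged port, which is the situation the thread describes.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*     users:(("rpcbind",pid=512,fd=5))
udp   UNCONN 0      0      0.0.0.0:838         0.0.0.0:*     users:(("rpcbind",pid=512,fd=6))
tcp   LISTEN 0      128    0.0.0.0:111         0.0.0.0:*     users:(("rpcbind",pid=512,fd=4))
tcp   LISTEN 0      128    0.0.0.0:44713       0.0.0.0:*     users:(("rpcbind",pid=512,fd=8))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=640,fd=3))
"""

PORTMAPPER_PORT = 111   # the registered rpcbind/portmapper port
PRIVILEGED_MAX = 1023   # ports <= 1023 require root (or a retained capability) to bind


def unexpected_rpcbind_ports(ss_output):
    """Return (proto, port, privileged) for each rpcbind socket not on port 111.

    Columns of `ss -tulpn`: Netid State Recv-Q Send-Q Local Peer Process.
    Only rows whose Process column names "rpcbind" are considered.
    """
    findings = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 7 or '"rpcbind"' not in fields[-1]:
            continue
        proto = fields[0]
        port = int(fields[4].rsplit(":", 1)[1])      # works for IPv4, IPv6 and '*'
        if port == PORTMAPPER_PORT:
            continue
        findings.append((proto, port, port <= PRIVILEGED_MAX))
    return findings


def report(ss_output):
    """Human-readable summary; privileged hits are the ones -s would remove."""
    lines = []
    for proto, port, privileged in unexpected_rpcbind_ports(ss_output):
        where = "privileged range" if privileged else "unprivileged range"
        lines.append(f"rpcbind listening on {proto}/{port} ({where})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SS_OUTPUT)))
```

To audit a live system, feed it the real output with `unexpected_rpcbind_ports(subprocess.check_output(["ss", "-tulpn"], text=True))`; an empty result means rpcbind is only on port 111.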
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core