
[2/4] rpcbind: allow broadcast RPC to be disabled.

Message ID: 20240225235628.12473-3-neilb@suse.de
State: New
Series: Support abstract addresses and disable broadcast

Commit Message

NeilBrown Feb. 25, 2024, 11:53 p.m. UTC
From: NeilBrown <neilb@suse.com>

Support for broadcast RPC involves binding a second privileged
port.  It is possible that rpcbind might choose a port that some
other service will need, and that can cause problems.

Having this port open increases the attack surface of rpcbind.  RPC
replies can be sent to it by any host, and they will only be rejected
once they have been parsed enough to determine that the xid doesn't
match.

Broadcast is not widely used.  It is not used at all for NFS.  For NIS
(previously yellow pages) it can be used to find a local NIS server,
though this can also be statically configured.

In cases where broadcast-RPC is not needed, it is best to disable the
port.  This patch adds a new "-b" option to disable broadcast RPC.

Signed-off-by: NeilBrown <neilb@suse.com>
---
 man/rpcbind.8 |  5 +++++
 src/rpcbind.c | 10 +++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

Comments

Petr Vorel March 4, 2024, 6:32 p.m. UTC | #1
Hi Neil,

> From: NeilBrown <neilb@suse.com>

> Support for broadcast RPC involves binding a second privileged
> port.  It is possible that rpcbind might choose a port that some
> other service will need, and that can cause problems.

> Having this port open increases the attack surface of rpcbind.  RPC
> replies can be sent to it by any host, and they will only be rejected
> once they have been parsed enough to determine that the xid doesn't
> match.

> Broadcast is not widely used.  It is not used at all for NFS.  For NIS
> (previously yellow pages) it can be used to find a local NIS server,
> though this can also be statically configured.

> In cases where broadcast-RPC is not needed, it is best to disable the
> port.  This patch adds a new "-b" option to disable broadcast RPC.

If this feature is wanted, I would suggest "-B". "-b" is used in ping for
broadcast, therefore this option looks like *enabling* broadcast instead of
disabling.

Otherwise LGTM.

Reviewed-by: Petr Vorel <pvorel@suse.cz>

Kind regards,
Petr

Roland Mainz March 4, 2024, 6:42 p.m. UTC | #2
On Mon, Mar 4, 2024 at 7:32 PM Petr Vorel <pvorel@suse.cz> wrote:
> > From: NeilBrown <neilb@suse.com>
> > Support for broadcast RPC involves binding a second privileged
> > port.  It is possible that rpcbind might choose a port that some
> > other service will need, and that can cause problems.
>
> > Having this port open increases the attack surface of rpcbind.  RPC
> > replies can be sent to it by any host, and they will only be rejected
> > once they have been parsed enough to determine that the xid doesn't
> > match.
>
> > Broadcast is not widely used.  It is not used at all for NFS.  For NIS
> > (previously yellow pages) it can be used to find a local NIS server,
> > though this can also be statically configured.
>
> > In cases where broadcast-RPC is not needed, it is best to disable the
> > port.  This patch adds a new "-b" option to disable broadcast RPC.
>
> If this feature is wanted, I would suggest "-B". "-b" is used in ping for
> broadcast, therefore this option looks like *enabling* broadcast instead of
> disabling.

I agree with Petr...
... could you please add the comment about NIS/YP in the manpage too?
And what about NIS+?

----

Bye,
Roland

Patch

diff --git a/man/rpcbind.8 b/man/rpcbind.8
index 6ba318f5ff77..ba1b191b119d 100644
--- a/man/rpcbind.8
+++ b/man/rpcbind.8
@@ -103,6 +103,11 @@  With this option, the name-to-address translation consistency
 checks are shown in detail.
 .It Fl f
 Do not fork and become a background process.
+.It Fl b
+Do not support broadcast RPC and do not bind the extra port.
+This is useful if
+.Nm
+inadvertently binds a port that some other service needs to use.
 .It Fl h
 Specify specific IP addresses to bind to for UDP requests.
 This option may be specified multiple times and can be used to
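Review bot: the new .It Fl b entry gives only the port-conflict motivation; the commit message's stronger reason (the extra privileged port accepts RPC replies from any host and parses them before the xid mismatch rejects them) and the operational caveat raised in the thread (NIS/YP broadcast discovery of a server stops working, so the server must be configured statically) belong in this description too, since it is what an administrator reads when deciding whether to set the flag. Also check that the SYNOPSIS section, which this hunk does not touch, lists the new flag alongside the others.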
diff --git a/src/rpcbind.c b/src/rpcbind.c
index ecebe97da435..4819d6e5ba41 100644
--- a/src/rpcbind.c
+++ b/src/rpcbind.c
@@ -87,6 +87,7 @@  int debugging = 0;	/* Tell me what's going on */
 int doabort = 0;	/* When debugging, do an abort on errors */
 int dofork = 1;		/* fork? */
 int createdsocket = 0;  /* Did I create the socket or systemd did it for me? */
+int dobroadcast = 1;	/* Support forwarding of broadcast RPC calls (CALLIT) */
 
 rpcblist_ptr list_rbl;	/* A list of version 3/4 rpcbind services */
 
@@ -801,7 +802,7 @@  got_socket:
 	/*
 	 * rmtcall only supported on CLTS transports for now.
 	 */
-	if (nconf->nc_semantics == NC_TPI_CLTS) {
+	if (dobroadcast && nconf->nc_semantics == NC_TPI_CLTS) {
 		status = create_rmtcall_fd(nconf);
 #ifdef RPCBIND_DEBUG
 		if (debugging) {
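Review bot: only the creation of the rmtcall fd is gated by dobroadcast here; nothing in this patch touches the CALLIT/RMTCALL request handler itself. Confirm that a remote-call request arriving on the regular port is rejected cleanly (a PROC_UNAVAIL-style error) when no rmtcall fd exists, rather than reaching code that assumes create_rmtcall_fd() ran. A debugging message in the RPCBIND_DEBUG branch noting that broadcast forwarding was skipped would also make the disabled state visible when diagnosing a port-binding problem.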
@@ -886,7 +887,7 @@  parseargs(int argc, char *argv[])
 {
 	int c;
 	oldstyle_local = 1;
-	while ((c = getopt(argc, argv, "adh:ilswf")) != -1) {
+	while ((c = getopt(argc, argv, "adh:ilswfb")) != -1) {
 		switch (c) {
 		case 'a':
 			doabort = 1;	/* when debugging, do an abort on */
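Review bot: as raised in the thread, "-b" reads as enabling broadcast (ping uses -b for that), so "-B" would be less ambiguous for a flag that disables it; whichever letter is chosen, the getopt string here, the case label and the usage line in the following hunk, and the man page entry must all change together.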
@@ -921,8 +922,11 @@  parseargs(int argc, char *argv[])
 			warmstart = 1;
 			break;
 #endif
+		case 'b':
+			dobroadcast = 0;
+			break;
 		default:	/* error */
-			fprintf(stderr,	"usage: rpcbind [-adhilswf]\n");
+			fprintf(stderr,	"usage: rpcbind [-adhilswfb]\n");
 			exit (1);
 		}
 	}
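Review bot: the usage string is updated in step with the getopt string, which is good, but "[-adhilswfb]" appends the new letter at the end rather than keeping the list in option order, and the case 'b' label sits after the #endif block with no comment stating what the flag does, unlike the neighbouring cases. A one-line comment such as "/* disable broadcast RPC forwarding; do not bind the rmtcall port */" would match the file's style, and if the letter is changed to -B per review both the case label and the usage string need the same edit.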