From lennox@cs.columbia.edu  Fri Sep  5 10:22:29 2003
Message-Id: <200309051722.h85HMPbj085465@cnr.cs.columbia.edu>
Date: Fri, 5 Sep 2003 13:22:25 -0400 (EDT)
From: Jonathan Lennox <lennox@cs.columbia.edu>
Reply-To: Jonathan Lennox <lennox@cs.columbia.edu>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: rpc.lockd needs to use reserved ports
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         56500
>Category:       bin
>Synopsis:       rpc.lockd needs to use reserved ports
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    roam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 05 10:30:13 PDT 2003
>Closed-Date:    Sun Jun 10 06:22:17 GMT 2007
>Last-Modified:  Sun Jun 10 06:22:17 GMT 2007
>Originator:     Jonathan Lennox
>Release:        FreeBSD 5.1-RELEASE-p2 i386
>Organization:
Columbia University
>Environment:
System: FreeBSD cnr.cs.columbia.edu 5.1-RELEASE-p2 FreeBSD 5.1-RELEASE-p2 #1: Thu Sep 4 18:18:39 EDT 2003 lennox@cnr.cs.columbia.edu:/usr/obj/usr/src/sys/CNR i386

>Description:
Many NFS servers refuse client requests from unreserved (allegedly
"insecure") UDP ports.

The FreeBSD NFS client correctly deals with this, by always using reserved
ports.  However, rpc.lockd, which as of FreeBSD 5.x handles client-side NLM
locks, doesn't.

NFS servers -- notably Linux's -- that want NFS requests to come from
reserved ports often want NLM requests to come from reserved ports as well.
Thus, for the same reason as this was needed for the NFS client in the
kernel, the NLM client in rpc.lockd needs to send its RPC messages from a
reserved port.

>How-To-Repeat:
* Install the patch in kern/56461 and rebuild your kernel and rpc.lockd,
  or you'll freeze when you try to lock from a Linux server, and never
  get as far as this bug.

* Make sure rpc.statd and rpc.lockd are running.

* NFS mount a filesystem from a Linux fileserver.

* (Run ethereal, if you're curious about what NLM messages are actually
  appearing on the wire.)

* Try to lock a file (with flock() or lockf()) from the Linux
  fileserver.

* Notice that flock() or lockf() returned EAGAIN.

* In ethereal, notice that the RPC call returned the status NLM_DENIED.

* In /var/log/messages (or wherever it puts it) on the Linux host,
  notice the message of the form 
Sep  5 12:58:23 pennstation kernel: nfsd: request from insecure port (803b1385:49646)!

>Fix:

In rpc.lockd, bind the NLM client to a reserved source port.
Unfortunately, I don't know enough RPC hacking to write a patch.

I tried using the "insecure" NFS option in /etc/exports on the Linux host,
as a workaround, but this didn't actually avoid the problem.
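
Reading the Linux log line quoted under How-To-Repeat, as an added example (not part of the PR, nor FreeBSD or Linux source): it decodes the hex:decimal pair and applies the usual reserved-port test. Assumptions: the hex field is the client's IPv4 address in host byte order, "reserved" means a port below 1024, and the names parse_insecure_port, struct insecure_req and RESERVED_PORT_LIMIT are made up for the example.

```c
#include <stdio.h>
#include <string.h>

#define RESERVED_PORT_LIMIT 1024    /* assumed boundary: ports below it need root to bind */

struct insecure_req {
    char addr[16];      /* dotted-quad client address */
    unsigned port;      /* client source port */
    int reserved;       /* 1 if port < RESERVED_PORT_LIMIT */
};

/*
 * Pull "request from insecure port (HHHHHHHH:PORT)!" out of a syslog line.
 * Returns 0 on success, -1 if the line does not carry that message.
 * Assumption: HHHHHHHH is the IPv4 address printed in host byte order.
 */
int parse_insecure_port(const char *line, struct insecure_req *out)
{
    static const char tag[] = "request from insecure port (";
    const char *p = strstr(line, tag);
    unsigned long addr;
    unsigned port;
    char end;

    if (p == NULL)
        return -1;
    if (sscanf(p + sizeof(tag) - 1, "%8lx:%u%c", &addr, &port, &end) != 3)
        return -1;
    if (end != ')' || port > 65535)
        return -1;
    snprintf(out->addr, sizeof(out->addr), "%lu.%lu.%lu.%lu",
             (addr >> 24) & 0xff, (addr >> 16) & 0xff,
             (addr >> 8) & 0xff, addr & 0xff);
    out->port = port;
    out->reserved = port < RESERVED_PORT_LIMIT;
    return 0;
}

int main(void)
{
    /* The log line quoted in the report above. */
    const char *line = "Sep  5 12:58:23 pennstation kernel: "
        "nfsd: request from insecure port (803b1385:49646)!";
    struct insecure_req r;

    if (parse_insecure_port(line, &r) == 0)
        printf("%s source port %u: %s\n", r.addr, r.port,
               r.reserved ? "reserved" : "not reserved");
    return 0;
}
```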
>Release-Note:
>Audit-Trail:

From: Jonathan Lennox <lennox@cs.columbia.edu>
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Cc:  
Subject: Re: bin/56500: rpc.lockd needs to use reserved ports
Date: Sat, 6 Sep 2003 13:28:13 -0400

 After a day or so of untangling how RPC code works, I've worked out a patch.
 
 I'm pretty sure that this patch regains root privileges for the absolute
 minimum amount of time necessary to bind to a reserved port.
 
 I've tested this, and it does (along with the patch in kern/56461) allow me
 to successfully lock files from a Linux server -- and thus to invoke movemail
 on my mailspool, and thus to read my mail on my FreeBSD machine, which was
 the whole motivation.
 
 --- usr.sbin/rpc.lockd/lock_proc.c.orig	Sat Sep  6 12:48:10 2003
 +++ usr.sbin/rpc.lockd/lock_proc.c	Sat Sep  6 13:18:08 2003
 @@ -197,6 +197,8 @@
  	const char *netid;
  	struct netconfig *nconf;
  	char host[NI_MAXHOST];
 +	uid_t old_euid;
 +	int clnt_fd;
  
  	gettimeofday(&time_now, NULL);
  
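Review bot: clnt_fd is declared without an initialiser, and the next hunk passes it to bindresvport() whether or not clnt_control(client, CLGET_FD, &clnt_fd) filled it in. Initialise it to -1 here and skip the bind when clnt_control() reports failure, so a failed lookup cannot end up binding an arbitrary descriptor.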
 @@ -270,6 +272,22 @@
  		syslog(LOG_ERR, "Unable to return result to %s", host);
  		return NULL;
  	}
 +
 +	/* Get the FD of the client, for bindresvport. */ 
 +	clnt_control(client, CLGET_FD, &clnt_fd);
 +
 +	/* Regain root privileges, for bindresvport. */
 +	old_euid = geteuid();
 +	seteuid(0);
 +
 +	/*
 +	 * Bind the client FD to a reserved port.
 +	 * Some NFS servers reject any NLM request from a non-reserved port. 
 +	 */ 
 +	bindresvport(clnt_fd, NULL);
 +
 +	/* Drop root privileges again. */
 +	seteuid(old_euid);
  
  	/* Success - update the cache entry */
  	clnt_cache_ptr[clnt_cache_next_to_use] = client;
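Review bot: the return values of seteuid(0), bindresvport(clnt_fd, NULL) and seteuid(old_euid) are all ignored, and the last one matters most: if the drop fails, rpc.lockd carries on with effective uid 0. Check each call, report failures with syslog(LOG_ERR, ...) as the surrounding code already does, and treat a failed seteuid(old_euid) as fatal rather than caching the client and continuing. A failed bindresvport() also deserves a log line, since the client would then silently keep its non-reserved port and the server would go on denying the lock.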

From: Jonathan Lennox <lennox@cs.columbia.edu>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/56500: rpc.lockd needs to use reserved ports
Date: Tue, 13 Jan 2004 17:12:38 -0500

 This problem is still present in FreeBSD 5.2-RELEASE.
State-Changed-From-To: open->patched 
State-Changed-By: roam 
State-Changed-When: Thu Mar 4 07:52:53 PST 2004 
State-Changed-Why:  
Committed to -CURRENT, MFC to -STABLE in a week. 
Thanks for the research and the patch! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=56500 
Responsible-Changed-From-To: freebsd-bugs->roam 
Responsible-Changed-By: bms 
Responsible-Changed-When: Fri Jun 18 10:20:38 GMT 2004 
Responsible-Changed-Why:  
Don't forget to MFC this 


From: Peter Pentchev <roam@ringlet.net>
To: Bruce M Simpson <bms@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/56500: rpc.lockd needs to use reserved ports
Date: Fri, 18 Jun 2004 13:24:45 +0300

 On Fri, Jun 18, 2004 at 10:20:50AM +0000, Bruce M Simpson wrote:
 > Synopsis: rpc.lockd needs to use reserved ports
 >
 > Responsible-Changed-From-To: freebsd-bugs->roam
 > Responsible-Changed-By: bms
 > Responsible-Changed-When: Fri Jun 18 10:20:38 GMT 2004
 > Responsible-Changed-Why:
 > Don't forget to MFC this
 
 I haven't forgotten, not really :)  The problem is that -STABLE's
 rpc.lockd is quite different (-STABLE does not have TI-RPC yet, and
 I don't think it ever will), so this was not a matter of a straight
 merge.
 
 G'luck,
 Peter
 
 -- 
 Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
 PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
 Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
 You have, of course, just begun reading the sentence that you have just finished reading.
 

From: Peter Pentchev <roam@ringlet.net>
To: Bruce M Simpson <bms@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/56500: rpc.lockd needs to use reserved ports
Date: Fri, 18 Jun 2004 13:25:31 +0300

 On Fri, Jun 18, 2004 at 01:24:45PM +0300, Peter Pentchev wrote:
 > On Fri, Jun 18, 2004 at 10:20:50AM +0000, Bruce M Simpson wrote:
 > > Synopsis: rpc.lockd needs to use reserved ports
 > >
 > > Responsible-Changed-From-To: freebsd-bugs->roam
 > > Responsible-Changed-By: bms
 > > Responsible-Changed-When: Fri Jun 18 10:20:38 GMT 2004
 > > Responsible-Changed-Why:
 > > Don't forget to MFC this
 >
 > I haven't forgotten, not really :)  The problem is that -STABLE's
 > rpc.lockd is quite different (-STABLE does not have TI-RPC yet, and
 > I don't think it ever will), so this was not a matter of a straight
 > merge.
 
 That didn't sound quite right, did it now...  I'm not objecting to
 your assigning this PR to me.  I'm just trying to find an excuse for
 not having done it yet :)
 
 G'luck,
 Peter
 
 -- 
 Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
 PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
 Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
 If I were you, who would be reading this sentence?
 

From: Gavin Atkinson <gavin.atkinson@ury.york.ac.uk>
To: bug-followup@FreeBSD.org, lennox@cs.columbia.edu
Cc: roam@FreeBSD.org
Subject: Re: bin/56500: rpc.lockd needs to use reserved ports
Date: Wed, 09 May 2007 18:29:34 +0100

 The discussed patch was committed to src/usr.sbin/rpc.lockd/lock_proc.c
 as rev. 1.13, which was before FreeBSD 5.3 was released.  Therefore,
 this change is in all currently supported versions of FreeBSD, and it's
 unlikely that it will be backported to the EOL RELENG_4 branch,
 especially given that it is apparently not a simple job.
 
 roam, this PR is assigned to you.  Can it be closed?
 
 Thanks,
 
 Gavin
State-Changed-From-To: patched->closed 
State-Changed-By: linimon 
State-Changed-When: Sun Jun 10 06:22:06 UTC 2007 
State-Changed-Why:  
RELENG_4 is now out of support, so this PR is obsolete. 

>Unformatted:
