This is the mail archive of the
mailing list for the glibc project.
Re: [PATCH] Don't bind to registered ports in bindresvport
- From: Dan Nicholson <dbn dot lists at gmail dot com>
- To: Florian Weimer <fw at deneb dot enyo dot de>
- Cc: Jeff Law <law at redhat dot com>, "Carlos O'Donell" <carlos at systemhalted dot org>, Adam Conrad <adconrad at debian dot org>, libc-alpha at sourceware dot org
- Date: Mon, 28 Jan 2013 05:46:41 -0800
- Subject: Re: [PATCH] Don't bind to registered ports in bindresvport
- References: <20120531153241.GA21672@buster.dwcab.com><CADZpyiyzShWCe1OgA0b+vZW6NQGT0Q9WUK4=jev5MRu7pUxKtQ@mail.gmail.com><20120601200113.GA24584@buster.dwcab.com><CADZpyizNLJkWKZKPhmb1GRZr33jsBR8wMkwE8EnN3nU8Mu_0cw@mail.gmail.com><20120604152538.GA13202@buster.dwcab.com><4FCE5688.firstname.lastname@example.org><CAMs08DKeaCEhW7OdUag3YN6+9nP45=8aZjWnOBYs0NCf5rKCcg@mail.gmail.com><20130112173711.GA7387@buster.dwcab.com><email@example.com>
On Sun, Jan 27, 2013 at 12:06 PM, Florian Weimer <firstname.lastname@example.org> wrote:
> * Dan Nicholson:
>> Let's just fix the problem at the source. On the first pass, avoid ports
>> that are registered in services. If no unregistered ports can be found,
>> fall back to taking the first randomly open port. On my fedora system,
>> 295 of the 541 ports between 512 and 1023 are unregistered. This should
>> avoid registered ports on most typical systems.
> BIND uses 921 and 953. 953 is also used by Unbound. 921 doesn't seem
> to be listed in /etc/services anywhere. Fedora has 953, but Debian
> doesn't. So the /etc/services approach does not seem particularly
I see your point, but isn't this just a bug in the configuration?
Shouldn't those ports just be added to services? Debian does control
the file. I don't see how that's any different than adding them to
/etc/bindresvport.blacklist except that /etc/services already exists
and has the vast majority of ports defined already.
Ignore the bindresvport issue for a moment. In this case, you have two
services that are using reserved ports that are not defined with IANA.
It seems to me that you can either add the ports to services
temporarily while working to get the ports registered with IANA, or
you can patch the packages so that they don't use reserved ports. To
me the first option seems preferable. What's the point of
/etc/services if not to describe what ports will be used by programs
on the system?
> There's a patch for another blacklist file,
> /etc/bindresvport.blacklist, which we use in Debian, but it does not
> work for some reason:
> I haven't yet found the cause of this bug. (In the bug, "eglibc"
> refers to the Debian source package. I don't think the patch was
I haven't looked at that patch in detail, but the concept seems fine
to me. I'd still prefer to just use /etc/services since it already
exists everywhere nearly fully formed, and /etc/bindresvport.blacklist
seems to have entirely duplicate functionality.