This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Don't bind to registered ports in bindresvport
- From: Florian Weimer <fw at deneb dot enyo dot de>
- To: Dan Nicholson <dbn dot lists at gmail dot com>
- Cc: Jeff Law <law at redhat dot com>, Carlos O'Donell <carlos at systemhalted dot org>, Adam Conrad <adconrad at debian dot org>, libc-alpha at sourceware dot org
- Date: Sun, 27 Jan 2013 21:06:18 +0100
- Subject: Re: [PATCH] Don't bind to registered ports in bindresvport
- References: <20120531153241.GA21672@buster.dwcab.com> <CADZpyiyzShWCe1OgA0b+vZW6NQGT0Q9WUK4=jev5MRu7pUxKtQ@mail.gmail.com> <20120601200113.GA24584@buster.dwcab.com> <CADZpyizNLJkWKZKPhmb1GRZr33jsBR8wMkwE8EnN3nU8Mu_0cw@mail.gmail.com> <20120604152538.GA13202@buster.dwcab.com> <4FCE5688.9060700@redhat.com> <CAMs08DKeaCEhW7OdUag3YN6+9nP45=8aZjWnOBYs0NCf5rKCcg@mail.gmail.com> <20130112173711.GA7387@buster.dwcab.com>
* Dan Nicholson:
> Let's just fix the problem at the source. On the first pass, avoid ports
> that are registered in services. If no unregistered ports can be found,
> fall back to taking the first randomly open port. On my Fedora system,
> 295 of the 541 ports between 512 and 1023 are unregistered. This should
> avoid registered ports on most typical systems.
BIND uses 921 and 953. 953 is also used by Unbound. 921 doesn't seem
to be listed in /etc/services anywhere. Fedora has 953, but Debian
doesn't. So the /etc/services approach does not seem particularly
reliable.
There's a patch for another blacklist file,
/etc/bindresvport.blacklist, which we use in Debian, but it does not
work for some reason:
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687210>
I haven't yet found the cause of this bug. (In the bug, "eglibc"
refers to the Debian source package. I don't think the patch was
upstreamed.)
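The two-pass selection Dan describes, combined with the Debian-style blacklist file Florian mentions, as an added example that is neither from this thread nor from glibc's own bindresvport: registered_in_services queries this host's /etc/services through getservbyport, while the 512..1023 range, the one-port-per-line blacklist layout and the demo_* names and data are assumptions made for the example.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#define LOWPORT 512   /* range quoted in the thread; glibc's own bounds may differ */
#define ENDPORT 1023
#define NPORTS  (ENDPORT - LOWPORT + 1)
typedef int (*registered_fn)(int port);

/* Live predicate: is the port listed in this host's /etc/services (either protocol)? */
int registered_in_services(int port) {
    return getservbyport(htons(port), "tcp") || getservbyport(htons(port), "udp");
}

/* Parse blacklist text, one port per line, '#' starting a comment (assumed
   /etc/bindresvport.blacklist layout). Sets skip[p - LOWPORT]; returns the count. */
int parse_blacklist(const char *text, unsigned char skip[NPORTS]) {
    int n = 0;
    memset(skip, 0, NPORTS);
    while (*text) {
        char line[64], *end;
        size_t len = strcspn(text, "\n");                         /* whole line */
        size_t keep = len < sizeof line ? len : sizeof line - 1;  /* bounded copy */
        memcpy(line, text, keep);
        line[keep] = '\0';
        line[strcspn(line, "#")] = '\0';                          /* strip comment */
        long p = strtol(line, &end, 10);
        if (end != line && p >= LOWPORT && p <= ENDPORT && !skip[p - LOWPORT]) {
            skip[p - LOWPORT] = 1; n++;
        }
        text += len + (text[len] == '\n');
    }
    return n;
}
/* Two-pass selection from the thread: from `start`, the first port that is neither
   blacklisted nor registered; failing that, the first that is merely not blacklisted. */
int choose_resv_port(int start, const unsigned char skip[NPORTS], registered_fn reg) {
    if (start < LOWPORT || start > ENDPORT) start = LOWPORT;
    for (int pass = 0; pass < 2; pass++)
        for (int i = 0; i < NPORTS; i++) {
            int p = LOWPORT + (start - LOWPORT + i) % NPORTS;
            if (!skip[p - LOWPORT] && (pass == 1 || !reg(p))) return p;
        }
    return -1;   /* only when the whole range is blacklisted */
}
/* Constructed demo data (not real system data): 922 and 953 stand in for registered ports. */
int demo_registered(int port) { return port == 922 || port == 953; }
int demo_all_registered(int port) { (void)port; return 1; }
unsigned char demo_skip[NPORTS];
int demo_setup(void) { return parse_blacklist("# constructed\n921\n953 # also Unbound\n", demo_skip); }
```

With the constructed blacklist, a search starting at 921 skips 921 (blacklisted) and 922 (registered) and lands on 923; when every port counts as registered, the second pass still honours the blacklist and returns 922.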