On Fri, 19 Aug 2011, Guus Sliepen <g...@debian.org> wrote:

> We could also patch bindresvport() to skip all ports mentioned in
> /etc/services, to get similar behaviour as with SE Linux. Or patch the
> programs using it to first try to bind to a static port that does not
> conflict with those in /etc/services, and if that fails fall back to
> bindresvport().
That would be a viable option. On my system there are 124 TCP ports listed with numbers <1024 (which seems to be the main problem area). Losing 12% of the address space seems viable.

One thing to note when comparing this to SE Linux is that the SE Linux policy labels some ports that aren't in /etc/services but which are in relatively common use. One example is port 24 for LMTP. Also, with SE Linux there is an easy way of adding new port labels, and as the typical daemon won't be permitted to bind to an unlabeled port, the sysadmin is compelled to do the correct thing.

Now one could patch bindresvport() to also check /etc/services.local or some other source of configuration information about which ports are likely to be used. But getting the users to accept that will take some effort. Of course most users just don't have enough RPC traffic to generate the problem.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Archive: http://lists.debian.org/201108191920.49612.russ...@coker.com.au
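To make the proposal in the thread concrete, here is an added example written for this page; it is not code from the thread, from glibc or from Debian. It parses /etc/services-style text into a bitmap of privileged TCP ports (the same counting that gives the "124 ports below 1024" figure when run over a real file), then picks a reserved port that is not in the bitmap, which is the skip-listed-ports behaviour Guus suggested for bindresvport(). The function names, the 512..1023 search range (assumed to match glibc's bindresvport()), and the embedded sample services data are all assumptions of this example.

```c
/* Added example (not from the thread or glibc): a bindresvport()-style
 * helper that refuses ports registered in /etc/services. The services
 * table is parsed by hand so the selection logic can be exercised on a
 * constructed sample without root. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define NPORTS    1024
#define RESV_LO   512   /* assumed search range, as in glibc's bindresvport() */
#define RESV_HI   1023
#define RESV_SPAN (RESV_HI - RESV_LO + 1)

/* Constructed excerpt in /etc/services format (not any real system's file). */
static const char SAMPLE_SERVICES[] =
    "# constructed sample\n"
    "ssh        22/tcp\n"
    "smtp       25/tcp    mail\n"
    "sunrpc     111/tcp   portmapper\n"
    "exec       512/tcp\n"
    "login      513/tcp\n"
    "shell      514/tcp   cmd\n"
    "printer    515/tcp   spooler\n"
    "printer    515/udp   spooler   # udp entries are ignored here\n"
    "ldaps      636/tcp\n";

/* Parse services text ("name port/proto [aliases] # comment" per line)
 * into a bitmap of TCP ports below 1024. Returns how many distinct
 * privileged TCP ports were marked. */
int mark_services(const char *text, unsigned char used[NPORTS]) {
    memset(used, 0, NPORTS);
    int count = 0;
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        char *hash = strchr(line, '#');      /* strip trailing comment */
        if (hash) *hash = '\0';
        char name[64], proto[16];
        unsigned port;
        if (sscanf(line, "%63s %u/%15s", name, &port, proto) == 3
            && strcmp(proto, "tcp") == 0 && port < NPORTS && !used[port]) {
            used[port] = 1;
            count++;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return count;
}

/* First port in [RESV_LO, RESV_HI] at or after `start` (wrapping around)
 * that is not marked in `used`; -1 if every port is listed. A `start`
 * outside the range is clamped to RESV_LO. */
int pick_unlisted_port(const unsigned char used[NPORTS], int start) {
    if (start < RESV_LO || start > RESV_HI) start = RESV_LO;
    for (int i = 0; i < RESV_SPAN; i++) {
        int port = RESV_LO + (start - RESV_LO + i) % RESV_SPAN;
        if (!used[port]) return port;
    }
    return -1;
}

/* bindresvport()-like call: bind `sock` to an IPv4 privileged port that is
 * not marked in `used`, starting at a pid-derived offset like the libc
 * version. Needs CAP_NET_BIND_SERVICE. Returns the bound port, or -1 with
 * errno set (EADDRINUSE if all unlisted ports are taken). */
int bind_unlisted_resvport(int sock, const unsigned char used[NPORTS]) {
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    int offset = (int)(getpid() % RESV_SPAN);
    for (int i = 0; i < RESV_SPAN; i++) {
        int port = RESV_LO + (offset + i) % RESV_SPAN;
        if (used[port]) continue;            /* skip /etc/services entries */
        sin.sin_port = htons((uint16_t)port);
        if (bind(sock, (struct sockaddr *)&sin, sizeof sin) == 0) return port;
        if (errno != EADDRINUSE) return -1;  /* e.g. EACCES without privilege */
    }
    errno = EADDRINUSE;
    return -1;
}

/* Convenience wrappers over the constructed sample. */
int sample_port_count(void) {
    unsigned char used[NPORTS];
    return mark_services(SAMPLE_SERVICES, used);
}
int sample_pick(int start) {
    unsigned char used[NPORTS];
    mark_services(SAMPLE_SERVICES, used);
    return pick_unlisted_port(used, start);
}

int main(void) {
    unsigned char used[NPORTS];
    int n = mark_services(SAMPLE_SERVICES, used);
    printf("%d privileged TCP ports listed; first unlisted port from 512: %d\n",
           n, pick_unlisted_port(used, 512));
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    int port = bind_unlisted_resvport(sock, used);
    if (port < 0) perror("bind_unlisted_resvport (needs CAP_NET_BIND_SERVICE)");
    else printf("bound to port %d\n", port);
    close(sock);
    return 0;
}
```

Run unprivileged, the selection logic works but the bind itself fails with EACCES and the program reports it; with CAP_NET_BIND_SERVICE it binds to an unlisted port such as 516 in the sample. Note that, as Russell points out, this only protects ports that are actually listed: a service in common use but absent from /etc/services (his LMTP example) would still be a candidate, which is the gap a local override file or SE Linux port labelling is meant to close.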