Date: Thu, 08 May 2003 13:46:16 +0200
From: Lars Köller <Lars.Koeller@Uni-Bielefeld.DE>
To: Ian Freislich <ianf@za.uu.net>
Cc: Lars Köller <Lars.Koeller@Uni-Bielefeld.DE>
Subject: Re: Please, Urgent: Need ideas/help to solve PR bin/51586
Message-ID: <200305081146.h48BkHP13996@rayadm.hrz.uni-bielefeld.de>
In-Reply-To: Message from Ian Freislich <ianf@za.uu.net> "of Thu, 08 May 2003 13:05:23 +0200." <40144.1052391923@wcom.com>
----------
Hi!
In reply to Ian Freislich who wrote:

> Lars Köller wrote:
> > --------
> >
> > Dear experts,
> >
> > I've discussed the reported problem with our experts here at the
> > computing center, and we don't have a clue for the problem reported in
> > PR 51586.
>
> It seems that your problem relates to rshd using privileged ports
> to create the stderr socket back to the originating rsh client.
> The interesting log message is in the messages file of the server
> running the remote shell daemon:
> =
> May 8 12:45:11 brane rshd[13988]: can't get stderr port: Can't assign requested address
>
> rresvport_af(3) returns this error because I suspect that it thinks
> this address is already in use, perhaps because the address/port
> pair is in TIME_WAIT, although I don't have time to test this
> suspicion and my network programming and protocol experience is not
> good enough to say this is the case outright without testing.
NO, NO! Netstat says nothing about that. I even tune the msl time to go out of TIME_WAIT very fast (only intranet connection on same switch!).
The ethereal dump in the PR shows that an initial communication takes place, but the final ACK to establish the connection fails!
> It seems that this problem is further compounded by inetd terminating
> the shell service when one of the rshd programs it ran returns an
> exit status other than 0, which rshd does when it encounters this
> error. This simple patch to rshd.c (which is an unholy kludge until
> someone can fix the rresvport_af(3) function) makes rshd return an
> exit status of 0 on this particular error so at least inetd doesn't
> stop the service requiring a SIGHUP to restart it. You can then
> test the return status of your rsh ($?) for a value of 1 and 'select:
> protocol failure in circuit setup' on stderr and retry that test.
>
> (/usr/src/libexec/rshd, apply this, make and make install the patched rshd)
> --- rshd.c.orig Thu May 8 12:55:46 2003
> +++ rshd.c Thu May 8 12:43:31 2003
> @@ -296,7 +296,7 @@
> s =3D rresvport_af(&lport, af);
> if (s < 0) {
> syslog(LOG_ERR, "can't get stderr port: %m");
> - exit(1);
> + exit(0);
> }
> if (port >=3D IPPORT_RESERVED ||
> port < IPPORT_RESERVED/2) {
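Review bot: exit(0) in the `if (s < 0)` branch makes rshd report success even though rresvport_af() failed and the error was just logged with LOG_ERR, so the exit status no longer distinguishes this failure from a clean run and the syslog line becomes the only record of it. If this stays in as a stopgap, put a comment on that line saying why the status is 0 and that it is temporary, so it is not later mistaken for intended behaviour.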
>
> I know this is a horrible solution and shouldn't be committed, but
> at least you have a work-around so you can get your virus scanner
> farm up in the meantime while someone fixes this properly.
This doesn't help, because the port can be reserved by the rshd. The problem is the establishing of the connection, so this is not the right place in the source.
However, the mailserver, which calls the rsh client, is a Solaris 8 machine :-(
A better solution would be the possibility to disable the backport on the client side with a flag. But I don't know if the protocol works in this state, because signaling is also sent over this connection.
Many thanks for your suggestions
Lars
-- 
E-Mail: Lars.Koeller@Uni-Bielefeld.DE \ Lars Köller
lkoeller@FreeBSD.org \ CC University of
PGP: http://www.uk.pgp.net/pgpnet/wwwkeys.html \ Bielefeld, Germany
Key-ID: A430D499 \ Tel: +49 521 106 4964
----------- FreeBSD, what else? ---- http://www.freebsd.org -------------
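
The client-side retry suggested in the quoted text above (check the exit status of rsh for 1 and stderr for the 'protocol failure in circuit setup' message, then retry) can be wrapped in a shell function. This is an added example, not part of the original e-mail; the function name, the attempt limit and the RETRY_DELAY variable are assumptions.

```shell
# Added example (not from the thread). Retries a command only when it fails
# with exit status 1 AND prints "protocol failure in circuit setup" on stderr;
# every other outcome is passed straight through to the caller.
# Hypothetical usage: retry_on_circuit_failure 5 rsh <host> <command>
# RETRY_DELAY (seconds between attempts, default 1) is an assumed knob.
retry_on_circuit_failure() {
    max_attempts=$1
    shift
    attempt=1
    errfile=$(mktemp) || return 2
    while :; do
        status=0
        # Capture stderr of this attempt only; stdout goes to the caller.
        "$@" 2>"$errfile" || status=$?
        if [ "$status" -eq 1 ] &&
           grep -q 'protocol failure in circuit setup' "$errfile" &&
           [ "$attempt" -lt "$max_attempts" ]; then
            attempt=$((attempt + 1))
            sleep "${RETRY_DELAY:-1}"
            continue
        fi
        # Final attempt or a different kind of result: replay its stderr
        # and hand back its exit status unchanged.
        cat "$errfile" >&2
        rm -f "$errfile"
        return "$status"
    done
}
```

Failures that do not match both conditions, such as an authentication error, are returned after the first attempt so they are not hidden by the retry loop.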
