Please, Urgent: Need ideas/help to solve PR bin/51586

Ian Freislich ianf at za.uu.net
Thu May 8 04:05:52 PDT 2003


Lars Köller wrote:
> Dear experts,
> 
> I've discussed the reported problem with our experts here at the
> computing center, and we don't have a clue for the problem reported in
> PR 51586.

It seems that your problem relates to rshd using privileged ports
to create the stderr socket back to the originating rsh client.
The interesting log message is in the messages file of the server
running the remote shell daemon:

May  8 12:45:11 brane rshd[13988]: can't get stderr port: Can't assign requested address

rresvport_af(3) returns this error because I suspect that it thinks
this address is already in use, perhaps because the address/port
pair is in TIME_WAIT, although I don't have time to test this
suspicion and my network programming and protocol experience is not
good enough to say this is the case outright without testing.

It seems that this problem is further compounded by inetd terminating
the shell service when one of the rshd programs it ran returns an
exit status other than 0, which rshd does when it encounters this
error.  This simple patch to rshd.c (which is an unholy kludge until
someone can fix the rresvport_af(3) function) makes rshd return an
exit status of 0 on this particular error so at least inetd doesn't
stop the service requiring a SIGHUP to restart it.  You can then
test the return status of your rsh ($?) for a value of 1 and 'select:
protocol failure in circuit setup' on stderr and retry that test.

(/usr/src/libexec/rshd, apply this, make and make install the patched rshd)
--- rshd.c.orig Thu May  8 12:55:46 2003
+++ rshd.c      Thu May  8 12:43:31 2003
@@ -296,7 +296,7 @@
                s = rresvport_af(&lport, af);
                if (s < 0) {
                        syslog(LOG_ERR, "can't get stderr port: %m");
-                       exit(1);
+                       exit(0);
                }
                if (port >= IPPORT_RESERVED ||
                    port < IPPORT_RESERVED/2) {
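Review bot: changing `exit(1);` to `exit(0);` directly after `syslog(LOG_ERR, "can't get stderr port: %m");` makes rshd report success for a request that failed, so the only remaining trace of the failed stderr circuit is the syslog line and the client-side 'select: protocol failure in circuit setup' mentioned above; anything that inspects rshd's exit status (inetd, or a wrapper around it) can no longer tell this apart from a normal session. If the zero status is kept as the work-around, add a comment above `exit(0);` saying it is deliberate and only there to stop inetd from disabling the service, and since the message suspects a transient cause (the address/port pair sitting in TIME_WAIT), consider retrying `rresvport_af(&lport, af)` a bounded number of times before giving up rather than masking the error outright.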

I know this is a horrible solution and shouldn't be committed, but
at least you have a work-around so you can get your virus scanner
farm up in the meantime while someone fixes this properly.

Ian
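The client-side retry described in the message ("test the return status of your rsh ($?) for a value of 1 and 'select: protocol failure in circuit setup' on stderr and retry that test") written out as a POSIX sh wrapper. This is an added example, not code from Ian's post or from the FreeBSD tree; the function name retry_rsh, the RSH_RETRIES and RSH_RETRY_DELAY variables and the retry limit are assumptions. It runs whatever rsh command line it is given, retries only on that exact status/message pair, and passes every other outcome through unchanged, so a real authentication or connection failure is never hidden behind a retry loop.

```shell
#!/bin/sh
# Added example (not part of the original post). Wraps an rsh invocation and
# retries it only when the stderr-circuit failure described in the message
# occurs: exit status 1 plus "select: protocol failure in circuit setup".
# Names, limits and delays below are assumptions, not FreeBSD defaults.

RSH_RETRIES=${RSH_RETRIES:-5}        # max attempts (assumed value)
RSH_RETRY_DELAY=${RSH_RETRY_DELAY:-2} # seconds between attempts (assumed)

# retry_rsh CMD [ARGS...]
# Runs CMD with its stderr captured to a temp file. On the retryable failure
# the attempt is logged and repeated; on any other result the captured stderr
# is replayed to our own stderr and CMD's exit status is returned unchanged.
retry_rsh() {
    rsh_attempt=1
    rsh_errfile=$(mktemp) || return 2
    while :; do
        # "&& ... ||" keeps the real status even when the caller uses set -e.
        "$@" 2>"$rsh_errfile" && rsh_status=0 || rsh_status=$?
        if [ "$rsh_status" -eq 1 ] \
           && grep -q 'select: protocol failure in circuit setup' "$rsh_errfile" \
           && [ "$rsh_attempt" -lt "$RSH_RETRIES" ]; then
            echo "retry_rsh: circuit setup failed (attempt $rsh_attempt of $RSH_RETRIES), retrying" >&2
            rsh_attempt=$((rsh_attempt + 1))
            sleep "$RSH_RETRY_DELAY"
            continue
        fi
        # Final outcome (success, non-retryable error, or retries exhausted):
        # hand the last attempt's stderr and status back to the caller intact.
        cat "$rsh_errfile" >&2
        rm -f "$rsh_errfile"
        return "$rsh_status"
    done
}

# Usage, e.g. from the scanner-farm job:
#   retry_rsh rsh scanhost /usr/local/bin/scan-mailbox "$mbox" || exit $?
```

Because the wrapper matches on the precise status and message pair, a permanent failure such as a refused connection or a bad .rhosts entry still surfaces on the first attempt with its original exit status, which is what a job scheduler should see.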

