Please, Urgent: Need ideas/help to solve PR bin/51586

[LarsKöller]

----------

Hi!

In reply to Ian Freislich who wrote:
 
> Lars =?iso-8859-1?Q?K=F6ller?= wrote:
> > --------
> > 
> > Dear experts,
> > 
> > i've discussed the reported problem with our experts here at the =
> > computing center, and we don't have a clue for the problem reported in =
> > PR 51586.
> 
> It seems that your problem relates to rshd using privileged ports
> to create the stderr socket back to the originating rsh client.
> The interesting log message is in the messages file of the server
> running the remote shell daemon:
> 
> May  8 12:45:11 brane rshd[13988]: can't get stderr port: Can't assign requested address
> 
> rresvport_af(3) returns this error because I suspect that it thinks
> this address is already in use, perhaps because the address/port
> pair is in TIME_WAIT, although I don't have time to test this
> suspicion and my network programming and protocol experience is not
> good enough to say this is the case outright without testing.

NO,NO! Netstat says nothing about that. Even I tune msl time to go out 
of TIME_WAIT very fast (only intranet connection on same switch!).

The ethereal dump in the PR shown, that an initial communication takes 
place, but the final ACK to establish the connection fails!

> It seems that this problem is further compounded by inetd terminating
> the shell service when one of the rshd programs it ran returns an
> exit status other than 0, which rshd does when it encounters this
> error.  This simple patch to rshd.c (which is an unholy cludge until
> someone can fix the rresvport_af(3) function) makes rshd return an
> exit status of 0 on this particular error so at least inetd doesn't
> stop the service requiring a SIGHUP to restart it.  You can then
> test the return status of your rsh ($?) for a value of 1 and 'select:
> protocol failure in circuit setup' on stderr and retry that test.
> 
> (/usr/src/libexec/rshd, apply this, make and make install the patched rshd)
> --- rshd.c.orig Thu May  8 12:55:46 2003
> +++ rshd.c      Thu May  8 12:43:31 2003
> @@ -296,7 +296,7 @@
>                 s = rresvport_af(&lport, af);
>                 if (s < 0) {
>                         syslog(LOG_ERR, "can't get stderr port: %m");
> -                       exit(1);
> +                       exit(0);
>                 }
>                 if (port >= IPPORT_RESERVED ||
>                     port < IPPORT_RESERVED/2) {
> 
> I know this is a horrible solution and shouldn't be committed, but
> at least you have a work-around so you can get your virus scanner
> farm up in the mean time while someone fixes this propperly.

This dosen't help, cause the port can be reserved by the rshd. The 
problem is the establishing of the connection, so this is not the right 
place in the source.

However, the mailserver, which calls the rsh client is a solaris
8 machine :-(

A better solution was the possibility to disable the backport on the 
client side with a flag. But I don't know if the protocol works in this 
state, cause signaling is also send over this connection.

Many thanks for your suggestions

Lars

-- 
E-Mail: Lars.Koeller at Uni-Bielefeld.DE        \  Lars Köller
            lkoeller at FreeBSD.org              \  CC University of
PGP: http://www.uk.pgp.net/pgpnet/wwwkeys.html \  Bielefeld, Germany 
     Key-ID: A430D499                           \  Tel: +49 521 106 4964
----------- FreeBSD, what else? ---- http://www.freebsd.org -------------