Portmap against cups

Michael Sweet mike at easysw.com
Thu May 29 11:11:36 PDT 2008


Boris Vinarsky wrote:
>> Boris Vinarsky wrote:
>>> We noticed that occasionally the CUPS service fails to start on our
>>> RHEL4 desktops because port 631 was busy. The reason was that the
>>> portmapper service, which selects ports in the range 600-1023
>>> essentially randomly, would assign port 631 to ypbind or nfs.lock,
>>> which start before cups.
>>> 
>>> This issue is discussed at
>>> https://bugzilla.redhat.com/show_bug.cgi?id=103401
>>> 
>>> Does anybody have a good idea on how to resolve this collision?
> Thank you for your suggestions.
> 
>> Start cups before portmap?
>> 
> See comment #13
> https://bugzilla.redhat.com/show_bug.cgi?id=103401#c13
> In a nutshell, if cups starts before services using portmap, and
> portmap assigns port 631 to one of these services, it will not start.
> Imagine NIS not starting because cups is occupying the port assigned
> to it.
> 
>> Fix portmap to not use well-known privileged ports?
>> 
> This sounds good, it just requires reconfiguring a massive number of
> hosts on different platforms, and praying that nothing in cups is
> hard coded for port 631. If a Linux vendor decides to patch cups there
> is a good chance that the config file will be replaced without honoring
> the port change. I wonder why this port was selected in the first place
> considering that it may collide with NFS, NIS, and other
> security-sensitive services. Until I know the reason I am reluctant to
> change the port number.

Port 631 is a "well-known port" assigned by the IETF and IANA, which
manage port assignments for IP services.  NFS has several assignments
to (different) non-privileged ports, and NIS has *no* assignments with
IANA.

See:

     http://www.iana.org/assignments/port-numbers

The bug you linked to includes several possible solutions; another
is to simply stop using privileged ports entirely and let the OS
assign the next available non-privileged port.  "Security by
privileged port" is a holdover from the original BSD UNIX days on
expensive mainframe/minicomputers...

In any case, CUPS is doing the right thing by using the port assigned
for IPP.  Portmap is doing the wrong thing by using privileged ports
that are assigned to well-known services.

If you really want to, you can give CUPS a different port number -
change the port for "ipp" in /etc/services and the port numbers used
in /etc/cups/cupsd.conf and restart cupsd on all systems.

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
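
The collision discussed in this thread can be detected on a host by comparing what portmap has registered against the port assignments in /etc/services. The following is an added example, not part of the original message or of CUPS; the function names are hypothetical, and both inputs are constructed samples in the format of `rpcinfo -p` output and /etc/services.

```python
# Constructed sample in the format of `rpcinfo -p` output (not from a real host).
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100007    2   udp    631  ypbind
    100007    2   tcp    634  ypbind
    100021    1   udp  32768  nlockmgr
    100021    1   tcp    749  nlockmgr
"""

# Constructed excerpt in /etc/services format.
SAMPLE_SERVICES = """\
sunrpc          111/tcp         portmapper rpcbind
sunrpc          111/udp         portmapper rpcbind
ipp             631/tcp                         # Internet Printing Protocol
ipp             631/udp
kerberos-adm    749/tcp                         # Kerberos 5 admin
"""

def parse_services(text):
    """Map (port, proto) -> [primary name, alias, ...] from /etc/services text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            table.setdefault((int(port), proto), []).extend([fields[0], *fields[2:]])
    return table

def find_collisions(rpcinfo_text, services_text):
    """List (port, proto, rpc_service, assigned_service) for RPC services that
    hold a privileged port assigned to a different service."""
    services = parse_services(services_text)
    hits = []
    for line in rpcinfo_text.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].isdigit():     # skip header and blank lines
            continue
        proto, port = f[2], int(f[3])
        rpc_name = f[4] if len(f) > 4 else f[0]  # fall back to program number
        names = services.get((port, proto))
        if port < 1024 and names and rpc_name not in names:
            hits.append((port, proto, rpc_name, names[0]))
    return hits

if __name__ == "__main__":
    for port, proto, rpc, owner in find_collisions(SAMPLE_RPCINFO, SAMPLE_SERVICES):
        print(f"{rpc} holds {port}/{proto}, which is assigned to {owner}")
```

On a live system the two inputs would be the output of `rpcinfo -p` and the contents of /etc/services.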



