Portmap against cups
mike at easysw.com
Thu May 29 11:11:36 PDT 2008
Boris Vinarsky wrote:
>> Boris Vinarsky wrote:
>>> We noticed that occasionally the CUPS service fails to start on our
>>> RHEL4 desktops because port 631 was busy. The reason was that the
>>> portmapper service, which selects ports in the range 600-1023
>>> essentially randomly, would assign port 631 to ypbind or nfs.lock,
>>> which start before cups.
>>> This issue is discussed at
>>> Does anybody have a good idea on how to resolve this collision?
> Thank you for your suggestions.
>> Start cups before portmap?
> See comment #13
> https://bugzilla.redhat.com/show_bug.cgi?id=103401#c13
> In a nutshell, if cups starts before services using portmap, and
> portmap assigns port 631 to one of these services, it will not start.
> Imagine NIS not starting because cups is occupying the port assigned
> to it.
>> Fix portmap to not use well-known privileged ports?
> This sounds good, it just requires reconfiguring a massive number of
> hosts on different platforms, and praying that nothing in cups is
> hard coded for port 631. If a Linux vendor decides to patch cups there
> is a good chance that the config file will be replaced without honoring
> the port change. I wonder why this port was selected in the first place
> considering that it may collide with NFS, NIS, and other security
> sensitive services. Until I know the reason I am reluctant to change
> the port number.
Port 631 is a "well-known port" assigned by the IETF and IANA, which
manage port assignments for IP services. NFS has several assignments
to (different) non-privileged ports, and NIS has *no* assignments with
The bug you linked to includes several possible solutions; another
is to simply stop using privileged ports entirely and let the OS
assign the next available non-privileged port. "Security by
privileged port" is a holdover from the original BSD UNIX days on
In any case, CUPS is doing the right thing by using the port assigned
for IPP. Portmap is doing the wrong thing by using privileged ports
that are assigned to well-known services.
If you really want to, you can give CUPS a different port number -
change the port for "ipp" in /etc/services and the port numbers used
in /etc/cups/cupsd.conf and restart cupsd on all systems.
Michael Sweet, Easy Software Products mike at easysw dot com