FS#76453 - [nfs-utils] rpcbind is optional and causes security issues

Attached to Project: Arch Linux
Opened by Robotic-Brain (Robotic-Brain) - Sunday, 06 November 2022, 17:23 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 24 January 2023, 19:52 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Tobias Powalowski (tpowa)
Andreas Radke (AndyRTR)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:

When using NFS in NFSv4-only mode, rpcbind is completely unnecessary;
however, the installed systemd units will cause rpc.mountd, rpc.statd, etc. to start and listen on the ANY address, not honoring the settings of nfs.conf.

A system administrator would have to take care of this manually, if they notice this unwanted behavior at all.

In accordance with the Arch philosophy of "install != enable", I would suggest changing "rpcbind" to an optional dependency instead.

Additional info:
* package version(s)
rpcbind-1.2.6-2

* link to upstream bug report, if any
This is a packaging only bug

Steps to reproduce:
1. Install nfs-utils
2. Set vers2=off and vers3=off in nfs.conf
3. Start/enable nfs-server.service
4. Use ss -tua to verify mountd and statd are listening on ANY address
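
The check in step 4 can be automated. The following is an added example, not part of the original report or of nfs-utils: it filters `ss -H -tulnp` output for rpcbind, rpc.mountd and rpc.statd sockets bound to a wildcard address. The `ss` flags, the function names, the `port-111` label and the sample lines are choices and constructed data for this example.

```shell
#!/bin/sh
# Added example: flag RPC helper daemons bound to a wildcard (ANY) address.

# Constructed sample of `ss -H -tulnp` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=412,fd=5),("systemd",pid=1,fd=44))
tcp LISTEN 0 4096 0.0.0.0:20048 0.0.0.0:* users:(("rpc.mountd",pid=640,fd=9))
tcp LISTEN 0 4096 [::]:20048 [::]:* users:(("rpc.mountd",pid=640,fd=11))
tcp LISTEN 0 4096 0.0.0.0:38465 0.0.0.0:* users:(("rpc.statd",pid=655,fd=9))
tcp LISTEN 0 64 *:2049 *:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=500,fd=7))
EOF
}

# Reads ss lines on stdin; prints "<owner> <proto> <local address>" per finding.
wildcard_rpc_listeners() {
    awk '
    {
        host = $5; sub(/:[^:]*$/, "", host)   # local address without the port
        port = $5; sub(/^.*:/, "", port)      # port only
        # Only wildcard binds are of interest; loopback or specific IPs pass.
        if (host != "0.0.0.0" && host != "[::]" && host != "*") next
        if (match($0, /"(rpcbind|rpc\.mountd|rpc\.statd)"/))
            owner = substr($0, RSTART + 1, RLENGTH - 2)
        else if (port == "111")
            owner = "port-111"   # rpcbind port held open by socket activation
        else
            next
        print owner, $1, $5
    }'
}

# Run against the live system with --live (root is needed to see process
# names), otherwise against the constructed sample above.
if [ "${1:-}" = "--live" ]; then
    ss -H -tulnp | wildcard_rpc_listeners
else
    sample_ss_output | wildcard_rpc_listeners
fi
```

On an NFSv4-only server that behaves as intended, the `--live` run prints nothing; the kernel nfsd listener on port 2049 is deliberately not reported.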

Closed by Andreas Radke (AndyRTR)
Tuesday, 24 January 2023, 19:52 GMT
Reason for closing: Upstream
Additional comments about closing: Arch philosophy is to ship plain upstream releases.
Comment by Toolybird (Toolybird) - Sunday, 06 November 2022, 22:18 GMT

Comment by Andreas Radke (AndyRTR) - Monday, 07 November 2022, 19:09 GMT
https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=blob;f=systemd/nfs-server.service;h=b432f9102d0c50061890b511de1d61069f435991;hb=refs/heads/master

nfs-server.service only "Wants=rpcbind.socket" - so the socket should start the service only when actually needed.

If you think there's a better way for upstream to deal with this feel free to send changes or ask at the linux-nfs kernel list.

Comment by Robotic-Brain (Robotic-Brain) - Monday, 07 November 2022, 19:29 GMT
During my testing, rpcbind was always started, no matter what.
The simplest solution was to just uninstall rpcbind while ignoring the broken pacman dependency,
and mask the rpc-related unit files.

Hence my suggestion to convert the rpcbind dependency into an optional one, so pacman stays happy.

I agree that ideally NFSv4 should be separated out from upstream in the first place, but this solution is more involved.
Comment by John (graysky) - Monday, 16 January 2023, 15:04 GMT
I can confirm that moving rpcbind to optdeps allows pure nfsv4 shares to work as expected.
