Debian Bug report logs - #585122
Please make epmd bindable to only loopback address


Package: erlang-base; Maintainer for erlang-base is Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>; Source for erlang-base is src:erlang.

Reported by: Joerg Dorchain <joerg@dorchain.net>

Date: Wed, 9 Jun 2010 10:54:05 UTC

Severity: wishlist

Tags: patch, security, upstream

Found in version erlang/1:13.b.4-dfsg-5

Fixed in version 1:14.b.3-dfsg-1

Done: Sergei Golovan <sgolovan@nes.ru>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>:
Bug#585122; Package erlang-base. (Wed, 09 Jun 2010 10:54:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joerg Dorchain <joerg@dorchain.net>:
New Bug report received and forwarded. Copy sent to Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>. (Wed, 09 Jun 2010 10:54:08 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joerg Dorchain <joerg@dorchain.net>
To: submit@bugs.debian.org
Subject: Please make epmd bindable to only loopback address
Date: Wed, 9 Jun 2010 12:53:44 +0200
Package: erlang-base
Version: 1:13.b.4-dfsg-5
Severity: wishlist
Tags: upstream, patch

Hello,

when used in conjunction with ejabberd, I only need to run erlang
programs on one single machine. It seems advisable that in such
cases the epmd binds only to the loopback address (a similar
option for the rpc portmap daemon exists).

The following patch allows for such an option. This would make it
possible to start e.g. ejabberd with -epmd "epmd -loopback".

Bye,

Joerg
--- erts/epmd/src/epmd.c.orig	2010-06-09 11:12:51.000000000 +0200
+++ erts/epmd/src/epmd.c	2010-06-09 11:19:55.000000000 +0200
@@ -248,6 +248,7 @@
 
     g->silent         = 0; 
     g->is_daemon      = 0;
+    g->bind_loopback  = 0;
     g->packet_timeout = CLOSE_TIMEOUT; /* Default timeout */
     g->delay_accept   = 0;
     g->delay_write    = 0;
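Review bot: initialising bind_loopback to 0 keeps binding to all interfaces as the default, which is exactly what later messages in this thread (#20, #42) object to; if the goal is secure-by-default, the flip would have to happen here, with the all-interfaces behaviour behind an opt-in switch, and either way the chosen default belongs in the commit message.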
@@ -283,6 +284,9 @@
 	} else if (strcmp(argv[0], "-daemon") == 0) {
 	    g->is_daemon = 1;
 	    argv++; argc--;
+	} else if (strcmp(argv[0], "-loopback") == 0) {
+	    g->bind_loopback = 1;
+	    argv++; argc--;
 	} else if (strcmp(argv[0], "-kill") == 0) {
 	    if (argc == 1)
 		kill_epmd(g);
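Review bot: `-loopback` is parsed as a bare switch, so the choice is binary (all interfaces or loopback) and a multi-homed host that wants one internal interface gets nothing. An option taking an explicit bind address, which is what upstream eventually shipped as `-address` and the `ERL_EPMD_ADDRESS` variable (Messages #47 and #62), covers both cases with one code path; if the switch is kept, the Erlang epmd manual page that the usage text refers to should document it next to `-daemon`.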
@@ -468,7 +472,7 @@
 
 static void usage(EpmdVars *g)
 {
-    fprintf(stderr, "usage: epmd [-d|-debug] [DbgExtra...] [-port No] [-daemon]\n");
+    fprintf(stderr, "usage: epmd [-d|-debug] [DbgExtra...] [-port No] [-daemon] [-loopback]\n");
     fprintf(stderr, "            [-d|-debug] [-port No] [-names|-kill]\n\n");
     fprintf(stderr, "See the Erlang epmd manual page for info about the usage.\n");
     fprintf(stderr, "The -port and DbgExtra options are\n\n");
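Review bot: the synopsis line now advertises `[-loopback]`, but nothing in the text that follows says what it does (the following lines describe only `-port` and the DbgExtra options), and the manual page is not touched by this patch; add a one-line description, e.g. "-loopback: listen on the loopback address only instead of all interfaces", so the usage output and the man page agree.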
--- erts/epmd/src/epmd_int.h.orig	2010-06-09 11:11:48.000000000 +0200
+++ erts/epmd/src/epmd_int.h	2010-06-09 11:12:32.000000000 +0200
@@ -316,6 +316,7 @@
   int debug;
   int silent; 
   int is_daemon;
+  int bind_loopback;
   unsigned packet_timeout;
   unsigned delay_accept;
   unsigned delay_write;
--- erts/epmd/src/epmd_srv.c.orig	2010-06-09 11:20:27.000000000 +0200
+++ erts/epmd/src/epmd_srv.c	2010-06-09 11:22:54.000000000 +0200
@@ -173,7 +173,10 @@
 
   { /* store port number in unsigned short */
     unsigned short sport = g->port;
-    SET_ADDR_ANY(iserv_addr, FAMILY, sport);
+    if (g->bind_loopback)
+    	SET_ADDR_LOOPBACK(iserv_addr, FAMILY, sport);
+    else
+	SET_ADDR_ANY(iserv_addr, FAMILY, sport);
   }
   
 #ifdef _OSE_
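Review bot: the two new branches are indented differently (spaces followed by a tab before `SET_ADDR_LOOPBACK`, a single tab before `SET_ADDR_ANY`); match the surrounding style. The patch also adds no definition for `SET_ADDR_LOOPBACK`, so confirm it exists in epmd_int.h for every FAMILY/IPv6 build configuration that defines `SET_ADDR_ANY`. More substantively, the flag only takes effect when epmd is launched by hand with `-loopback`: as Message #57 notes, an Erlang node that finds nothing listening on port 4369 starts epmd itself, without the flag, and the `SET_ADDR_ANY` path is then taken silently, which is the scenario Message #10 warns about. A setting read from the environment or a configuration file (the `ERL_EPMD_ADDRESS` variable of Message #47) does not depend on who started the daemon.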

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>:
Bug#585122; Package erlang-base. (Wed, 09 Jun 2010 11:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sergei Golovan <sgolovan@nes.ru>:
Extra info received and forwarded to list. Copy sent to Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>. (Wed, 09 Jun 2010 11:39:03 GMT) Full text and rfc822 format available.

Message #10 received at 585122@bugs.debian.org (full text, mbox):

From: Sergei Golovan <sgolovan@nes.ru>
To: Joerg Dorchain <joerg@dorchain.net>, 585122@bugs.debian.org
Subject: Re: Bug#585122: Please make epmd bindable to only loopback address
Date: Wed, 9 Jun 2010 15:31:07 +0400
On Wed, Jun 9, 2010 at 2:53 PM, Joerg Dorchain <joerg@dorchain.net> wrote:
>
> Hello,
>
> when used in conjunction with ejabberd, I only need to run erlang
> programs on one single machine. It seems advisable that in such
> cases the epmd binds only to the loopback address. (a similar
> option for the rpc portmap daemon exists)

I don't think that it's a good idea. Since epmd works silently it's easy
to create a mess if you start another Erlang application in distributed
mode (after ejabberd it'll be unusable, before ejabberd you'll get the
same binding to all interfaces but will not be aware of it). The fewer
options epmd supports the better.

I think that it's better to simply protect port 4369 by a firewall rule.

Cheers!
-- 
Sergei Golovan




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>:
Bug#585122; Package erlang-base. (Wed, 09 Jun 2010 14:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joerg Dorchain <joerg@dorchain.net>:
Extra info received and forwarded to list. Copy sent to Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>. (Wed, 09 Jun 2010 14:36:03 GMT) Full text and rfc822 format available.

Message #15 received at 585122@bugs.debian.org (full text, mbox):

From: Joerg Dorchain <joerg@dorchain.net>
To: Sergei Golovan <sgolovan@nes.ru>
Cc: 585122@bugs.debian.org
Subject: Re: Bug#585122: Please make epmd bindable to only loopback address
Date: Wed, 9 Jun 2010 16:27:00 +0200
On Wed, Jun 09, 2010 at 03:31:07PM +0400, Sergei Golovan wrote:
> 
> I don't think that it's a good idea. Since epmd works silently it's easy

This silence is a nightmare from a security point of view.

> to create a mess if you start another Erlang application in distributed
> mode (after ejabberd it'll be unusable, before ejabberd you'll get the
> same binding to all interfaces but will not be aware of it). The fewer

I can only repeat the well-known arguments for the rpc portmapper
daemon.

To me, it seems desirable to start epmd separately via
initscripts and dependencies prior to any programs needing it.
Same for portmapper, whose main application IMHO is nfs. Please
take a look at it and its debconf script.

If you like, please consider this as a suggestion to start epmd
that way. Any other erlang programmes, esp. daemons, can have a
dependency on it.

> options epmd supports the better.

Well, only no options is a good option, from that point of view.
Just as no open sockets are the only safe ones.
> 
> I think that it's better to simply protect port 4369 by a firewall rule.

This is only a weak workaround. Not everyone needs/wants to run
distributed applications. I absolutely do not like the idea of
opening a port "just in case" I ever need distributed systems.

Bye,

Joerg




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>:
Bug#585122; Package erlang-base. (Sun, 22 Aug 2010 12:57:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josef Spillner <2005@kuarepoti-dju.net>:
Extra info received and forwarded to list. Copy sent to Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>. (Sun, 22 Aug 2010 12:57:03 GMT) Full text and rfc822 format available.

Message #20 received at 585122@bugs.debian.org (full text, mbox):

From: Josef Spillner <2005@kuarepoti-dju.net>
To: 585122@bugs.debian.org
Subject: Comment on epmd binding behaviour
Date: Sun, 22 Aug 2010 14:53:18 +0200
I'm in favour of including the loopback binding. This is a standard option for 
most daemons in Debian. Forcing the user to close open ports with a firewall 
when the user isn't interested in the port being open to begin with seems like 
a bad design to me. A file /etc/epmd.conf would also be useful to have.

In addition, port 4369 should be registered in /etc/services, as should all 
ports which are somehow opened by daemons in Debian. Finally, I also agree to 
the creation of an init script so that epmd can be shut down through the 
standard interface instead of sending signals.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>:
Bug#585122; Package erlang-base. (Wed, 15 Dec 2010 21:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Holger Weiß <holger@CIS.FU-Berlin.DE>:
Extra info received and forwarded to list. Copy sent to Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>. (Wed, 15 Dec 2010 21:45:03 GMT) Full text and rfc822 format available.

Message #25 received at 585122@bugs.debian.org (full text, mbox):

From: Holger Weiß <holger@CIS.FU-Berlin.DE>
To: 585122@bugs.debian.org
Subject: Re: Please make epmd bindable to only loopback address
Date: Wed, 15 Dec 2010 22:43:31 +0100
* Joerg Dorchain <joerg@dorchain.net> [2010-06-09 12:53]:
> when used in conjunction with ejabberd, I only need to run erlang
> programs on one single machine. It seems advisable that in such
> cases the epmd binds only to the loopback address. (a similar
> option for the rpc portmap daemon exists)
>
> The following patch allows for such an option.

FWIW, I created a patch which allows for specifying one or more IP
addresses epmd should bind to; it's currently cooking in upstream's "pu"
branch:

	https://github.com/erlang/otp/commit/bcf3b3d0




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>:
Bug#585122; Package erlang-base. (Sun, 06 Feb 2011 02:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Peter Schwindt <peter+bdo@schwindt-net.de>:
Extra info received and forwarded to list. Copy sent to Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>. (Sun, 06 Feb 2011 02:39:03 GMT) Full text and rfc822 format available.

Message #30 received at 585122@bugs.debian.org (full text, mbox):

From: Peter Schwindt <peter+bdo@schwindt-net.de>
To: 585122@bugs.debian.org
Cc: control@bugs.debian.org, waldi@debian.org
Subject: Possible security bug
Date: Sun, 06 Feb 2011 03:29:01 +0100
tags 585122 security
thanks

As mentioned at http://person.zju.edu.cn/page1/ejabberd-en.htm#htoc67 a
remotely accessible epmd is a possible security problem where anyone can
connect with a rogue erlang node having full access at your node and its
(for example) mnesia data (think ejabberd).

Apart from that the suggested solution only helps on single-user
systems; sockets might be the better thing to implement.





Added tag(s) security. Request was from Peter Schwindt <peter+bdo@schwindt-net.de> to control@bugs.debian.org. (Sun, 06 Feb 2011 02:39:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>:
Bug#585122; Package erlang-base. (Wed, 25 May 2011 16:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Konstantin Khomoutov <flatworm@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>. (Wed, 25 May 2011 16:27:03 GMT) Full text and rfc822 format available.

Message #37 received at 585122@bugs.debian.org (full text, mbox):

From: Konstantin Khomoutov <flatworm@users.sourceforge.net>
To: 585122@bugs.debian.org
Subject: Re: Bug#585122: Please make epmd bindable to only loopback address
Date: Wed, 25 May 2011 20:10:59 +0400
According to [1], epmd is now able to bind to a specific address in
R14B03 (see the "OTP-9213" entry there).

1. http://www.erlang.org/download/otp_src_R14B03.readme




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>:
Bug#585122; Package erlang-base. (Thu, 25 Apr 2013 15:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roland Hieber <rohieb@rohieb.name>:
Extra info received and forwarded to list. Copy sent to Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a bug is determined using this field. Please remember to include a Subject field in your messages in future.

(Thu, 25 Apr 2013 15:15:03 GMT) Full text and rfc822 format available.


Message #42 received at 585122@bugs.debian.org (full text, mbox):

From: Roland Hieber <rohieb@rohieb.name>
To: 585122@bugs.debian.org
Date: Thu, 25 Apr 2013 17:04:08 +0200
Is there any progress on this?

I can only support the -loopback option. How many users need to run
distributed applications after all? And if they need to, they probably
know how to configure epmd properly. On the other hand, every single
user who chooses to install an Erlang application that does not
necessarily need distributed access (like ejabberd, and even gwibber
through CouchDB) opens a security hole on their system WITHOUT EVEN
KNOWING (where is the /usr/share/doc/erlang-base/README entry for that?)

From a security standpoint, the strategy to bind to 0.0.0.0 by default
is absolute nonsense and potentially hurts more users than it eases
configuration. This is not the good old Debian way to do things.

 - Roland



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>:
Bug#585122; Package erlang-base. (Thu, 25 Apr 2013 17:39:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sergei Golovan <sgolovan@nes.ru>:
Extra info received and forwarded to list. Copy sent to Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>. (Thu, 25 Apr 2013 17:39:04 GMT) Full text and rfc822 format available.

Message #47 received at 585122@bugs.debian.org (full text, mbox):

From: Sergei Golovan <sgolovan@nes.ru>
To: Roland Hieber <rohieb@rohieb.name>, 585122@bugs.debian.org
Subject: Re: Bug#585122: (no subject)
Date: Thu, 25 Apr 2013 21:35:02 +0400
Hi Roland.

Currently, epmd looks at the ERL_EPMD_ADDRESS environment variable
which contains a comma separated list of IP addresses to bind. So, you
can bind epmd to the loopback address only (for wheezy and future
releases, not for squeeze).


On Thu, Apr 25, 2013 at 7:04 PM, Roland Hieber <rohieb@rohieb.name> wrote:
> Is there any progress on this?
>
> I can only support the -loopback option. How many users need to run
> distributed applications after all? And if they need to, they probably
> know how to configure epmd properly. On the other hand, every single
> user who chooses to install an Erlang application that does not
> necessarily need distributed access (like ejabberd, and even gwibber
> through CouchDB) opens a security hole on their system WITHOUT EVEN
> KNOWING (where is the /usr/share/doc/erlang-base/README entry for that?)
>
> From a security standpoint, the strategy to bind to 0.0.0.0 by default
> is absolute nonsense and potentially hurts more users than it eases
> configuration. This is not the good old Debian way to do things.
>
>  - Roland
>



-- 
Sergei Golovan



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>:
Bug#585122; Package erlang-base. (Thu, 25 Apr 2013 22:39:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roland Hieber <rohieb@rohieb.name>:
Extra info received and forwarded to list. Copy sent to Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>. (Thu, 25 Apr 2013 22:39:04 GMT) Full text and rfc822 format available.

Message #52 received at 585122@bugs.debian.org (full text, mbox):

From: Roland Hieber <rohieb@rohieb.name>
To: Sergei Golovan <sgolovan@nes.ru>
Cc: 585122@bugs.debian.org
Subject: Re: Bug#585122: (no subject)
Date: Fri, 26 Apr 2013 00:37:26 +0200
Cool, not as intuitive as a command-line option, but definitely a step
in the right direction. Thanks for the info!

 - Roland



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>:
Bug#585122; Package erlang-base. (Fri, 26 Apr 2013 04:24:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sergei Golovan <sgolovan@nes.ru>:
Extra info received and forwarded to list. Copy sent to Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>. (Fri, 26 Apr 2013 04:24:04 GMT) Full text and rfc822 format available.

Message #57 received at 585122@bugs.debian.org (full text, mbox):

From: Sergei Golovan <sgolovan@nes.ru>
To: Roland Hieber <rohieb@rohieb.name>
Cc: 585122@bugs.debian.org
Subject: Re: Bug#585122: (no subject)
Date: Fri, 26 Apr 2013 08:21:03 +0400
Hi!

On Fri, Apr 26, 2013 at 2:37 AM, Roland Hieber <rohieb@rohieb.name> wrote:
> Cool, not so intuitive like a command-line option, but definitely a step
> in the right direction. Thanks for the info!

epmd is rarely called directly from a command line. Usually, some
distributed Erlang application executes it if it isn't listening on
port 4369.

Cheers!
--
Sergei Golovan



Reply sent to Sergei Golovan <sgolovan@nes.ru>:
You have taken responsibility. (Fri, 26 Apr 2013 11:45:16 GMT) Full text and rfc822 format available.

Notification sent to Joerg Dorchain <joerg@dorchain.net>:
Bug acknowledged by developer. (Fri, 26 Apr 2013 11:45:16 GMT) Full text and rfc822 format available.

Message #62 received at 585122-close@bugs.debian.org (full text, mbox):

From: Sergei Golovan <sgolovan@nes.ru>
To: Roland Hieber <rohieb@rohieb.name>
Cc: 585122-close@bugs.debian.org
Subject: Re: Bug#585122: (no subject)
Date: Fri, 26 Apr 2013 15:40:59 +0400
Version: 1:14.b.3-dfsg-1

On Fri, Apr 26, 2013 at 8:21 AM, Sergei Golovan <sgolovan@nes.ru> wrote:
> Hi!
>
> On Fri, Apr 26, 2013 at 2:37 AM, Roland Hieber <rohieb@rohieb.name> wrote:
>> Cool, not so intuitive like a command-line option, but definitely a step
>> in the right direction. Thanks for the info!
>
> epmd is rarely called directly from a command line. Usually, some
> distributed Erlang application executes it if it isn't listening on
> port 4369.

In fact, there is a command-line option, -address. It was introduced
in version R14B03.
So, I'm closing this bug.

Cheers!
--
Sergei Golovan
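An added defender-side check for the exposure discussed in this bug (example code, not part of the bug thread or of the erlang package): it parses `ss -ltn` or `netstat -ltn` output and reports any listener on epmd's port that is not bound to loopback, and its header comment shows the two confinement forms named in Messages #47 and #62. It assumes epmd's default port 4369 and that both tools print the local ADDR:PORT in column 4; the sample listings are constructed.

```shell
#!/bin/sh
# Added example; not from the bug thread or the erlang package.
# Defender-side check for the issue in this bug: is epmd (default port
# 4369, per the thread) listening on a non-loopback address?  Feed it the
# output of `ss -ltn` or `netstat -ltn`; both print local ADDR:PORT in
# column 4, so the same parser handles either.
#
# Confining epmd as Messages #47 and #62 describe (R14B03 and later):
#   ERL_EPMD_ADDRESS=127.0.0.1 epmd -daemon     # environment variable
#   epmd -address 127.0.0.1 -daemon             # command-line option

# Usage: ss -ltn | epmd_exposed_listeners [PORT]
# Prints one line per listener on PORT that is not bound to loopback;
# exits 1 if any was found, 0 otherwise (epmd absent or loopback-only).
epmd_exposed_listeners() {
    awk -v port="${1:-4369}" '
        $4 ~ /:[0-9]+$/ {
            n = split($4, p, ":"); lport = p[n]
            addr = substr($4, 1, length($4) - length(lport) - 1)
            if (lport != port) next
            # loopback as printed by ss/netstat, IPv4 and IPv6
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1") next
            exposed = 1
            print "epmd listening on " addr " port " lport
        }
        END { exit (exposed ? 1 : 0) }'
}

# Run the check over a listing held in a string and append a verdict line.
epmd_check_listing() {
    if printf '%s\n' "$1" | epmd_exposed_listeners "${2:-4369}"; then
        echo "ok: epmd confined to loopback"
    else
        echo "WARNING: epmd reachable from other hosts"
    fi
}

# Constructed sample listings (not captured from a real host).
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:4369        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5280      0.0.0.0:*'
SAMPLE_CONFINED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:4369      0.0.0.0:*
LISTEN 0      128    [::]:5222           [::]:*'

epmd_check_listing "$SAMPLE_EXPOSED"     # reports 0.0.0.0:4369, then WARNING
epmd_check_listing "$SAMPLE_CONFINED"    # ok
# On a live Debian host:  ss -ltn | epmd_exposed_listeners
```

A listener on a specific non-loopback address (a multi-homed host using `-address`) is reported too, since it is still reachable from that network.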



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 25 May 2013 07:27:02 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:40:37 2014; Machine Name: beach.debian.org
