Bug 33254

Summary: TCP/UDP port 4660 for NFS?
Product: UCS
Reporter: Philipp Hahn <hahn>
Component: NFS
Assignee: Philipp Hahn <hahn>
Status: CLOSED FIXED
QA Contact: Jürn Brodersen <brodersen>
Severity: normal
Priority: P5
CC: gohmann
Version: UCS 4.2
Flags: hahn: Patch_Available+
Target Milestone: UCS 4.2-1-errata
Hardware: All
OS: Linux
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---

Description Philipp Hahn univentionstaff 2013-11-11 15:58:15 CET
debian/univention-nfs-server.postinst
>         ucr set ...
>             security/packetfilter/package/univention-nfs/tcp/4660/all="ACCEPT" \
>             security/packetfilter/package/univention-nfs/tcp/4660/all/en="NFS" \
>             security/packetfilter/package/univention-nfs/udp/4660/all="ACCEPT" \
>             security/packetfilter/package/univention-nfs/udp/4660/all/en="NFS" \

Why?
AFAIK that port doesn't have anything to do with NFS.
Comment 1 Philipp Hahn univentionstaff 2013-11-11 16:30:23 CET
Perhaps it was <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484861> = <https://bugzilla.linux-nfs.org/show_bug.cgi?id=177>

Our version of rpc.statd in UCS-3.2 still has that bug:
# rpc.statd -V
rpc.statd version 1.2.2

# ps www `pidof rpc.statd`
  PID TTY      STAT   TIME COMMAND
10657 ?        Ss     0:00 /sbin/rpc.statd --port 32765 --outgoing-port 32766

# lsof -p `pidof rpc.statd` | grep UDP
rpc.statd 10657 statd    5u  IPv4              67650      0t0    UDP *:657 
rpc.statd 10657 statd    7u  IPv4              67661      0t0    UDP *:32765
Comment 2 Stefan Gohmann univentionstaff 2017-06-16 20:36:38 CEST
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version; otherwise this issue will be automatically closed in the next weeks.
Comment 3 Philipp Hahn univentionstaff 2017-07-28 15:31:49 CEST
Our version of nfs-utils is new enough to have the "statd -o" bug fixed:

# dpkg-query -W nfs-common
nfs-common      1:1.2.8-9A~4.2.0.201703011138
# rpc.statd -V
rpc.statd version 1.2.8
# ucr search --brief ^version/
version/erratalevel: 118
version/patchlevel: 1
version/releasename: Lesum
version/version: 4.2

services/univention-nfs/debian/univention-nfs-server.postinst still needs fixing.
This is a security vulnerability as nothing is bound to TCP/UDP port 4660, leaving that open to any internal process taking that port.

Patch:
 sed -e '/4660/d' -i services/univention-nfs/debian/univention-nfs-server.postinst
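
An added example (not part of the original comment and not Univention code): a Python check for the condition described above, listing packet-filter ACCEPT rules for which no socket is listening. Both inputs are constructed samples; it assumes the `key: value` layout that `ucr search --brief` prints elsewhere on this page and listener data in the layout of `ss -tuln`.

```python
import re

# Constructed sample ("key: value" as printed by `ucr search --brief`); only the 4660 keys are from this report.
UCR_SAMPLE = """\
security/packetfilter/package/univention-nfs/tcp/2049/all: ACCEPT
security/packetfilter/package/univention-nfs/udp/2049/all: ACCEPT
security/packetfilter/package/univention-nfs/tcp/4660/all: ACCEPT
security/packetfilter/package/univention-nfs/tcp/4660/all/en: NFS
security/packetfilter/package/univention-nfs/udp/4660/all: ACCEPT
security/packetfilter/package/univention-nfs/udp/4660/all/en: NFS
"""

# Constructed sample of `ss -tuln` output (listening TCP/UDP sockets).
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:2049       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:32765      0.0.0.0:*
tcp   LISTEN 0      64     0.0.0.0:2049       0.0.0.0:*
"""

RULE = re.compile(r"^security/packetfilter/package/([^/]+)/(tcp|udp)/(\d+)/all:\s*(\S+)$")

def accept_rules(ucr_text):
    """Return {(proto, port, package)} for every rule whose value is ACCEPT."""
    rules = set()
    for line in ucr_text.splitlines():
        m = RULE.match(line.strip())  # ".../all/en" description keys do not match
        if m and m.group(4).upper() == "ACCEPT":
            rules.add((m.group(2), int(m.group(3)), m.group(1)))
    return rules

def listeners(ss_text):
    """Return {(proto, port)} for every socket line; the header row is skipped."""
    bound = set()
    for line in ss_text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] in ("tcp", "udp"):
            port = f[4].rsplit(":", 1)[-1]  # also handles "[::]:22" and "*:657"
            if port.isdigit():
                bound.add((f[0], int(port)))
    return bound

def unbacked(ucr_text, ss_text):
    """ACCEPT rules whose port has no listener at the time of the snapshot."""
    bound = listeners(ss_text)
    return sorted(r for r in accept_rules(ucr_text) if r[:2] not in bound)

if __name__ == "__main__":
    for proto, port, pkg in unbacked(UCR_SAMPLE, SS_SAMPLE):
        print(f"{pkg}: {proto}/{port} is ACCEPTed but nothing is listening")
```

On a live system the first input would come from `ucr search --brief ^security/packetfilter/`; a service that happens to be stopped when the snapshot is taken shows up as a false positive.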
Comment 4 Philipp Hahn univentionstaff 2017-07-31 13:10:25 CEST
r81553 | Bug #33254 NFS: Remove old upgrade code
r81552 | Bug #33254 NFS: Remove port 4660 from firewall

Package: univention-nfs
Version: 9.0.0-3A~4.2.0.201707311304
Branch: ucs_4.2-0
Scope: errata4.2-1

r81561 | Bug #32272,Bug #33254,Bug #45101,Bug #25446 NFS. YAML
Comment 5 Jürn Brodersen univentionstaff 2017-07-31 17:31:12 CEST
What I tested:
ucr variables removed after upgrade -> OK
mount share from master on slave -> read/write -> OK

YAML: OK

-> verified
Comment 6 Arvid Requate univentionstaff 2017-08-09 16:57:15 CEST
<http://errata.software-univention.de/ucs/4.2/130.html>