Amanda-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: "port xxx not secure" errors

2007-04-29 20:41:25
Subject: Re: "port xxx not secure" errors
From: Jean-Louis Martineau <martineau AT zmanda DOT com>
To: Charles Sprickman <spork AT bway DOT net>
Date: Sun, 29 Apr 2007 20:36:16 -0400 
The dumper must be installed suid root.
What's in the dumper.<timestamps>.debug file?

Jean-Louis

Charles Sprickman wrote:

Any ideas on this one?  Should I just consider it a bug?
I'm not clear at all on why the server is picking a port over 1024, but that does seem to be clearly happening, and then the client is rejecting it (which does seem to be by design). FWIW, I *cannot* reproduce it when firing off one host at a time - only during an actual full run where all hosts are backed up. Perhaps it's trying to do too much in parallel? The server box is not doing anything odd that would eat up priv ports. Additionally the problem did not exist in the old version of amanda we used. 

Thanks,

Charles

On Wed, 25 Apr 2007, Charles Sprickman wrote:


Hi all,

This is my last problem for the time being...

Server side reports this (amdump.1):
driver: result time 2126.498 from dumper2: TRY-AGAIN 02-00009 "NAK: host h-74-0-x-28.phlapafg.covad.net: port 1026 not secure" 

The IP address there is the amanda server.

Client side reports this (amandad.debug):

security_handleinit(handle=0x8052000, driver=0x28094900 (BSDTCP))
security_streaminit(stream=0x8058000, driver=0x28094900 (BSDTCP))
security_seterror(handle=0x8052000, driver=0x28094900 (BSDTCP) error=host h-74-0-x-28.phlapafg.covad.net: port 1026 not secure) amandad: time 0.002: accept error: host h-74-0-x-28.phlapafg.covad.net: port 1026 not secure 
amandad: time 0.002: sending NAK pkt:
<<<<<
ERROR host h-74-0-x-28.phlapafg.covad.net: port 1026 not secure
If I'm reading this right, the client is listening via inetd, it accepts a connection FROM the server, but it does not like that the server is connecting to it from a port above 1024. 

The check appears to be in common-src/security-util.c:

       /*
        * Request packets must come from a reserved port
        */
       if (ntohs(rh->peer.sin_port) >= IPPORT_RESERVED) {
           security_seterror(&rh->sech,
               "host %s: port %d not secure", rh->hostname,
               ntohs(rh->peer.sin_port));
           amfree(service);
           amfree(security_line);
           return (-1);
       }
But that doesn't tell me much about what controls what port the server decides to bind to when contacting the client.
I saw a FAQ entry about this error when running amcheck without the suid root bit, but this happens during amdump and amcheck. It seems fairly random. 

Any ideas?

Thanks,

Charles
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: "port xxx not secure" errors, Charles Sprickman
Next by Date:  Re: "port xxx not secure" errors, Charles Sprickman
Previous by Thread:  Re: "port xxx not secure" errors, Charles Sprickman
Next by Thread:  Re: "port xxx not secure" errors, Charles Sprickman
Indexes:  [Date] [Thread] [Top] [All Lists]