Unable to bind ietd to specific address and port

Bug #871143 reported by JanCeuleers on 2011-10-09
This bug affects 9 people
Affects: iscsitarget (Debian) | Status: Fix Released | Importance: Unknown
Affects: iscsitarget (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

It is possible to bind the iscsitarget daemon (ietd) to a specific IP address and port number, but only by using the --address and --port command-line options: there is no way to do so in the configuration file. The /etc/init.d/iscsitarget script should therefore give the administrator access to these options.

My proposal is to append "-- $IETD_ARGS" to the start-stop-daemon line in ietd_start() (as well as IETD_ARGS= earlier on), so that it becomes possible to set this variable in /etc/default/iscsitarget.

I have made the above changes locally, but now run the risk that if the /etc/init.d/iscsitarget script is overwritten upon a future upgrade, my ietd daemon will revert to its default behaviour, which is to listen on all IP addresses and well-known port 3260. This is a security problem for me, and, I submit, generically.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: iscsitarget 1.4.20.2-1ubuntu1
ProcVersionSignature: Ubuntu 2.6.38-8.42-generic 2.6.38.2
Uname: Linux 2.6.38-8-generic x86_64
Architecture: amd64
Date: Sun Oct 9 08:45:49 2011
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: iscsitarget
UpgradeStatus: No upgrade log present (probably fresh install)

JanCeuleers (jan-ceuleers) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no
visibility: private → public
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in iscsitarget (Ubuntu):
status: New → Confirmed
harmscon (harmscon) wrote :

I have the same requirement: only bind a specific address.
I took a very similar approach to resolve:

Add the following to /etc/defaults/iscsitarget:
## ietd options
# --address: bind to specific interface
ISCSITARGET_OPTIONS='--address=10.224.10.1'

Make the following change to function ietd_start() in /etc/init.d/iscsitarget:

< start-stop-daemon --start --quiet --oknodo --exec $DAEMON -- $ISCSITARGET_OPTIONS
---
> start-stop-daemon --start --exec $DAEMON --quiet --oknodo
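
Review bot: the direction of this diff looks inverted: the "<" line is the one carrying "-- $ISCSITARGET_OPTIONS" and the ">" line is the command without it, so read as a normal old-to-new diff it describes removing the options rather than adding them. Regenerating it with the original file first (ideally as a unified diff) would make the intended change unambiguous. The variable is only useful if the init script reads the file that defines it, and the path given above (/etc/defaults/iscsitarget) differs from the /etc/default/iscsitarget named in the report, so it is worth confirming which file ietd_start() actually picks the value up from.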

I hope this helps.
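
The regression the reporter describes (ietd going back to all addresses on port 3260 once the init script is overwritten) can be checked for after each upgrade. The script below is an added example, not part of the original thread or of the iscsitarget package; it assumes listener lines in the format printed by ss -Hltn, takes the bind address from the comment above as the expected one, and its function and sample names are hypothetical.

```shell
#!/bin/sh
# Added example: flag iSCSI listeners not bound to the expected address.
EXPECTED_ADDR='10.224.10.1'  # bind address from the comment above
ISCSI_PORT=3260              # default ietd port named in the report

# Reads ss -Hltn style lines (State Recv-Q Send-Q Local Peer) on stdin.
# Prints one line per offending listener; returns 1 if any is found.
check_iscsi_listeners() {
    awk -v want="$EXPECTED_ADDR" -v port="$ISCSI_PORT" '
        $1 == "LISTEN" {
            la = $4
            n = match(la, /:[0-9]+$/)    # last colon separates address and port
            if (!n) next
            addr = substr(la, 1, n - 1)
            if (substr(la, n + 1) != port) next
            sub(/^\[/, "", addr)         # ss prints IPv6 as [addr]:port
            sub(/\]$/, "", addr)
            if (addr == "0.0.0.0" || addr == "*" || addr == "::") {
                print "WILDCARD " la; bad = 1
            } else if (addr != want) {
                print "UNEXPECTED " la; bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: ietd started with --address=10.224.10.1
sample_bound() {
    cat <<'EOF'
LISTEN 0 32  10.224.10.1:3260 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22       0.0.0.0:*
EOF
}

# Constructed sample: init script overwritten, ietd back on all addresses
sample_reverted() {
    cat <<'EOF'
LISTEN 0 32  0.0.0.0:3260 0.0.0.0:*
LISTEN 0 32  [::]:3260    [::]:*
LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
EOF
}

# Live use would be: ss -Hltn | check_iscsi_listeners
sample_bound | check_iscsi_listeners && echo "OK: only $EXPECTED_ADDR:$ISCSI_PORT"
sample_reverted | check_iscsi_listeners || echo "ALERT: ietd exposed beyond $EXPECTED_ADDR"
```

Run from a post-upgrade hook or a monitoring job, the non-zero exit status is the signal that the daemon is no longer restricted to the intended address.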

annunaki2k2 (russell-knighton) wrote :

Good solution - simple and effective. I have also needed this in our server environment.

Bump.

Please can we get this added to the next release.

Thanks,

Simon Déziel (sdeziel) wrote :
Changed in iscsitarget (Ubuntu):
status: Confirmed → Fix Released
Changed in iscsitarget (Debian):
status: Unknown → Fix Released