Issue #9544 has been updated by Usaku NAKAMURA. Backport changed from 2.0.0: REQUIRED, 2.1: DONE to 2.0.0: DONE, 2.1: DONE backported into `ruby_2_0_0` at r47335. ---------------------------------------- Bug #9544: Ruby resolver not using autoport https://bugs.ruby-lang.org/issues/9544#change-48584 * Author: Jakub Szafranski * Status: Closed * Priority: Normal * Assignee: * Category: core * Target version: current: 2.2.0 * ruby -v: ruby 2.1.0p0 (2013-12-25 revision 44422) [x86_64-freebsd9.1] * Backport: 2.0.0: DONE, 2.1: DONE ---------------------------------------- ### Problem On one of my production servers I've noticed that customers were failing to install anything using gem and the latest ruby. After a bit of debugging we've found out, that it's related to ruby resolve module: <pre> > p Resolv.getaddress "google.com" Errno::EPERM: Operation not permitted - bind(2) for "0.0.0.0" port 62374 from /home/pudlobe/.rvm/rubies/ruby-2.1.0/lib/ruby/2.1.0/resolv.rb:654:in `bind' from /home/pudlobe/.rvm/rubies/ruby-2.1.0/lib/ruby/2.1.0/resolv.rb:654:in `bind_random_port' from /home/pudlobe/.rvm/rubies/ruby-2.1.0/lib/ruby/2.1.0/resolv.rb:747:in `block in initialize' from /home/pudlobe/.rvm/rubies/ruby-2.1.0/lib/ruby/2.1.0/resolv.rb:735:in `each' ... </pre> The interesting part is _bind_random_port_ function. What for? The standard way of binding to a random port for udp connection is to use port 0. And on that particular machine it fails because it's using a mac_portacl module to filter which user can bind to what ports. **However, port 0 is excepted from this rule, because it's the AUTOPORT** - practically every system that allows such port filtering also allows to set an exception for the autoport. ### Docs <pre> Purpose: Port 0 is officially a reserved port in TCP/IP networking, meaning that it should not be used for any TCP or UDP network communications. However, port 0 sometimes takes on a special meaning in network programming, particularly Unix socket programming. In that environment, port 0 is a programming technique for specifying system-allocated (dynamic) ports. Description: Configuring a new socket connection requires assigning a TCP or UDP port number. Instead of hard-coding a particular port number, or writing code that searches for an available port on the local system, network programmers can instead specify port 0 as a connection parameter. That triggers the operating system to automatically search for and return the next available port in the dynamic port number range.</pre> ### Impact This bug affects every system that has a restricted port-binding policy, making ruby unavailable for security-freak admins ;) ### Suggested fix: Either use port 0 to bind to the port, or at least make an option for the system admin/end user to specify the port by himself.
on 2014-08-31 09:23