Discussion:
[H390-MVS] tk4- FTPD - "Can't Listen error 13, is FTP already running on Port 21?"
Mike Stramba mikestramba@gmail.com [H390-MVS]
2018-07-09 18:54:14 UTC
Permalink
I'm trying to start FTPD on the current tk4-

S FTPD

The job log is showing :

Can't Listen error 13, is FTP already running on Port 21?

This on Ubuntu 14.04 LTS

I DON'T have FTPD running "natively".

A "netstat -l" shows nothing listening on port 21

Mike
winkelmann@id.ethz.ch [H390-MVS]
2018-07-11 08:26:05 UTC
Permalink
Hi Mike


the reason most probably is that Hercules isn't running as root, which prevents it from listening at port 21: Under Linux all ports below 1024 are considered privileged and only root processes are allowed to listen on those ports.


Of course, Hercules should not run as root. So, the simple solution is to use another port, by means of the SRVPORT parameter of the FTPD started task. For example


S FTPD,SRVPORT=2121


starts the FTP daemon, listening at port 2121.


Cheers
Jürgen

'\'Fish\' (David B. Trout)' david.b.trout@gmail.com [H390-MVS]
2018-07-11 13:12:36 UTC
Permalink
Jürgen Winkelmann wrote:

[...]
Post by ***@id.ethz.ch [H390-MVS]
Of course, Hercules should not run as root.
Is that really true though Jürgen? I mean, *technically*, yes, you are correct: Hercules should not RUN as ROOT. (And by "run" I mean REMAIN running.)

But the way Hercules is written, it should be okay to *start* it with root privileges since, when built with "capabilities" (http://man7.org/linux/man-pages/man7/capabilities.7.html), which I believe is the default, it DROPS all root privileges except for CAP_SYS_NICE (so that it can set the priorities of its internal threads).

Thus, even though it was *started* as root, it's not really "running" as root. It only re-acquires root privileges for the split second it needs them in order to set thread priorities and then immediately relinquishes them again. So 99.99% of the time, even when started as root, it runs as a regular user.

Of course, I am *NOT* -- repeat: *NOT* -- a Linux person. I have very little experience with, and knowledge of, Linux (or Unix, etc), so I could very well be very wrong.

But looking at the source code that's what I'm seeing. <shrug>
--
"Fish" (David B. Trout)
Software Development Laboratories
http://www.softdevlabs.com
mail: ***@softdevlabs.com
winkelmann@id.ethz.ch [H390-MVS]
2018-07-11 15:30:46 UTC
Permalink
[...]
Post by ***@id.ethz.ch [H390-MVS]
Of course, Hercules should not run as root.
Hercules should not RUN as ROOT. (And by "run" I mean REMAIN running.)
But the way Hercules is written, it should be okay to *start* it with root privileges
since, when built with "capabilities" (http://man7.org/linux/man-pages/man7/capabilities.7.html),
which I believe is the default, it DROPS all root privileges except for CAP_SYS_NICE (so that
it can set the priorities of its internal threads).
Thus, even though it was *started* as root, it's not really "running" as root.
It only re-acquires root privileges for the split second it needs them in order
to set thread priorities and then immediately relinquishes them again. So 99.99%
of the time, even when started as root, it runs as a regular user.
In principle you are right, Fish, however: We're talking X'75' on TK4- Hercules here. I'm not sure, when exactly that privilege dropping was introduced, but I'm relatively sure it is not in TK4- Hercules (but may be wrong on this). But even if it was: I'm not exactly sure whether I would even _want_ Hercules to be able to acquire well known ports of its host, which is, what X'75' does. As you probably know, X'75' hooks up on the host's IP stack, it doesn't maintain an isolated IP stack for the guest.


Cheers
Jürgen


Ivan Warren ivan@vmfacility.fr [H390-MVS]
2018-07-11 15:42:11 UTC
Permalink
Post by ***@id.ethz.ch [H390-MVS]
Post by '\'Fish\' (David B. Trout)' ***@gmail.com [H390-MVS]
of the time, even when started as root, it runs as a regular user.
In principle you are right, Fish, however: We're talking X'75' on TK4-
Hercules here. I'm not sure, when exactly that privilege dropping was
introduced, but I'm relatively sure it is not in TK4- Hercules (but
may be wrong on this). But even if it was: I'm not exactly sure
whether I would even _want_ Hercules to be able to acquire well known
ports of its host, which is, what X'75' does. As you probably know,
X'75' hooks up on the host's IP stack, it doesn't maintain an isolated
IP stack for the guest.
Jürgen,

But that's the point.. if hercules itself cannot bind to port <1024
(because the process is lacking CAP_NET_BIND_SERVICE capability) , DIAG
X'75' will fail when trying to bind to a port < 1024  (diag x'75' is
only a passthrough to the socket API) regardless of the guest OS.

--Ivan
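Added example, not part of any post in this thread: a small Linux C diagnostic for the failure discussed above. It tries to listen on ports 21 and 2121, names the errno (13 is EACCES, not EADDRINUSE), and prints the two host settings that decide the outcome; it assumes IPv4 loopback and falls back to 1024 where the `ip_unprivileged_port_start` sysctl (Linux 4.11 and later) is absent.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* First port an unprivileged process may bind; 1024 if the sysctl is missing. */
static int unpriv_port_start(void) {
    int v = 1024;
    FILE *f = fopen("/proc/sys/net/ipv4/ip_unprivileged_port_start", "r");
    if (f) { if (fscanf(f, "%d", &v) != 1) v = 1024; fclose(f); }
    return v;
}

/* 1 if the effective capability set holds CAP_NET_BIND_SERVICE (bit 10). */
static int has_net_bind_cap(void) {
    char line[256]; unsigned long long eff = 0;
    FILE *f = fopen("/proc/self/status", "r");
    while (f && fgets(line, sizeof line, f))
        if (sscanf(line, "CapEff: %llx", &eff) == 1) break;
    if (f) fclose(f);
    return (int)((eff >> 10) & 1);
}

/* Bind and listen on 127.0.0.1:port; return 0 on success, else the errno. */
static int try_listen(int port) {
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons((unsigned short)port),
                             .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int err = 0, s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return errno;
    if (bind(s, (struct sockaddr *)&a, sizeof a) < 0 || listen(s, 1) < 0) err = errno;
    close(s);
    return err;
}

/* Name the cause: "error 13" is a permission failure, not a port conflict. */
static const char *explain(int err) {
    return err == 0 ? "ok"
         : err == EACCES ? "EACCES (13): privileged port, not root and no CAP_NET_BIND_SERVICE"
         : err == EADDRINUSE ? "EADDRINUSE: port already in use" : strerror(err);
}

int main(void) {
    int ports[] = {21, 2121};  /* the default FTPD port and the SRVPORT value from the thread */
    printf("unpriv start=%d CAP_NET_BIND_SERVICE=%d\n", unpriv_port_start(), has_net_bind_cap());
    for (int i = 0; i < 2; i++)
        printf("port %d: %s\n", ports[i], explain(try_listen(ports[i])));
}
```

Run it as the same user that starts Hercules, since the result depends on that process's credentials.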
winkelmann@id.ethz.ch [H390-MVS]
2018-07-11 15:52:33 UTC
Permalink
Hi Ivan


exactly my saying: I _don't_ want it to be able to listen at well known ports of its host, regardless whether this is achieved through not being root, or lacking the required capability. At least, it should not be able to do this without a conscious decision of the user to allow this.


Remember, the OP asked, why FTPD was _not_ able to listen at port 21. And my answer was, "because Hercules isn't able to".



Cheers
Jürgen
Ivan Warren ivan@vmfacility.fr [H390-MVS]
2018-07-11 15:58:57 UTC
Permalink
Post by ***@id.ethz.ch [H390-MVS]
Hi Ivan
exactly my saying: I _don't_ want it to be able to listen at well
known ports of its host, regardless whether this is achieved through
not being root, or lacking the required capability. At least, it
should not be able to do this without a conscious decision of the user
to allow this.
Remember, the OP asked, why FTPD was _not_ able to listen at port 21..
And my answer was, "because Hercules isn't able to".
Jürgen,

You are right !

But I always thought myself that DIAG 75 is flawed to start with (it
makes DIAG non privileged, has no configuration statement, breaks any and
all virtualization principles)... It's just a makeshift solution...

Only my take, not everyone thinks the same.

--Ivan
winkelmann@id.ethz.ch [H390-MVS]
2018-07-11 16:13:43 UTC
Permalink
Hi Ivan


I'm also not a fan of the DIAG implementation of X'75'. And that's why I'm using Jason's original implementation as a non privileged instruction of its own for TK4- Hercules. So, at least, it doesn't flaw DIAG.


Otherwise, I'm completely with you: It doesn't only break all virtualization rules, even in native MVS operations it requires users to play nice, or else beware ;-). But nonetheless: It's currently the only way to bring IP connectivity to MVS 3.8, and given the vast majority of MVS 3.8 systems are in fact single user systems, it's simply good enough for the time being (or, if you so wish, it's _not_ bad enough to require the implementation of a full blown IP stack on MVS 3.8 ;-)).


Cheers
Jürgen


'\'Fish\' (David B. Trout)' david.b.trout@gmail.com [H390-MVS]
2018-07-11 18:35:47 UTC
Permalink
Jürgen Winkelmann wrote:

[...]
Post by ***@id.ethz.ch [H390-MVS]
however: We're talking X'75' on TK4- Hercules here.
(Doh!) Of course. I forgot about that. Sorry.
Post by ***@id.ethz.ch [H390-MVS]
I'm not sure, when exactly that privilege dropping was
introduced, but I'm relatively sure it is not in TK4- Hercules
I suspect you're right.


--
"Fish" (David B. Trout)
Software Development Laboratories
http://www.softdevlabs.com
mail: ***@softdevlabs.com
Mike Stramba mikestramba@gmail.com [H390-MVS]
2018-07-11 22:14:18 UTC
Permalink
Jürgen,

Thanks, the S FTPD,SRVPORT=2121 got it working.

Are the FTPD params documented anywhere ? I looked in the user
manual and through SYS2.HELP, (only found FTPDRAC in SYS2.HELP).

Mike
winkelmann@id.ethz.ch [H390-MVS]
2018-07-12 05:55:14 UTC
Permalink
Hi Mike


The parameters of the FTPD procedure are described in HELP member TCPIP. The FTPD-RAC HELP member describes only the specific requirements of the FTPD version with RAKF support, which isn't the default version in TK4-.



Cheers
Jürgen

Mike Stramba mikestramba@gmail.com [H390-MVS]
2018-07-12 06:56:19 UTC
Permalink
Thanks Jurgen.

Mike