SUMMARY: secure RPC

From: Frank Cusack (fcusack@voicenet.com)
Date: Tue Dec 02 1997 - 11:18:15 CST


Thanks to Casper Dik (the only respondent) for the following answers:

a)
It's the only secure portmapper I know of.

Rpcbind does two things: it acts as a nameservice (maps programs,vers ->
port #). The second thing it does is act as an intermediary for
indirect calls; this is used for broadcast RPC.

It's also the cause of quite a few security holes and many services
should be barred from being called indirectly.

b)
No. While it has a socket in that port range, it doesn't listen on it.
Ephemeral ports start at 32K in Solaris, that's why you see the
high ports.

c)
I should probably use the stock rpcbind. (5.3 is very old).

> I'm curious about the rpcbind that is avail from ftp.win.tue.nl.
>
> a) Obviously, I need to use this to use /etc/hosts.{allow,deny}. Or do I?
> Are other secure portmappers available? I thought all rpcbind did was
> answer requests to map programs to ports, then the client contacts the
> server directly. If I already know the port, why can't I skip using
> rpcbind/portmap altogether? If that's the case, what use is a secure
> portmapper anyway?
>
> b) Does solaris 2.6 rpcbind (105216_01 version) listen on high numbered
> ports also? netstat -a shows:
>
> UDP
> Local Address        Remote Address       State
> -------------------- -------------------- -------
> *.sunrpc                                  Idle
> *.*                                       Unbound
> *.32771                                   Idle
> *.talk                                    Idle
> *.32773                                   Idle
> *.32777                                   Idle
> *.32778                                   Idle
> *.32779                                   Idle
> *.32780                                   Idle
> *.lockd                                   Idle
> *.syslog                                  Idle
> *.177                                     Idle
> *.*                                       Unbound
>
> c) Are there other (security or other) problems in the 5.3 based rpcbind
> that are fixed in 5.6 (again, 105216_01)? Are they severe enough that I
> should stick with the stock rpcbind? e.g. fix for bugid 4032093 (rpcbind can
> only handle 16 IP addresses) is not integrated into the secure rpcbind.
> I'll need that for at least some machines.
>
> I can look through sunsolve and see what patches are available since
> 5.3, but not all of the bug reports are there, so there may not be enough
> detail for me to make a decision.
>
> TIA!
>
> --
> ~frank
> * I am Pentium of Borg. Division is futile. You will be approximated. *
> * PGP ID: C001AA75 -|- fcusack@voicenet.com *
>
>
>

-- 
~frank
* I am Pentium of Borg. Division is futile. You will be approximated. *
*        PGP ID: C001AA75         -|-      fcusack@voicenet.com       *
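An added, runnable illustration of the two rpcbind roles described in the summary (this is example code written for this archive page, not code from the original post nor from the rpcbind distribution). It builds the wire format of a PMAPPROC_GETPORT lookup, which is all a normal client needs before it talks to the RPC server directly on the returned port, and of a PMAPPROC_CALLIT indirect call, which is the "intermediary" path the summary says many services should not be reachable through. Parsing is exercised offline with a constructed reply; the live lookup function, the program number 100021 (nlockmgr) and the 127.0.0.1 default are assumptions for the demo. Message layout follows RFC 1057 with AUTH_NULL credentials.

```python
"""ONC RPC portmapper (rpcbind, program 100000, version 2) messages by hand.

Hypothetical example code; constants and layout per RFC 1057.
"""
import socket
import struct

PMAP_PROG = 100000          # portmapper / rpcbind program number
PMAP_VERS = 2               # the "portmap" version rpcbind still serves
PMAPPROC_GETPORT = 3        # (prog, vers, prot) -> port, 0 if not registered
PMAPPROC_CALLIT = 5         # indirect call: rpcbind forwards the request itself
IPPROTO_TCP, IPPROTO_UDP = 6, 17
AUTH_NULL = 0


def xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque: u32 length, bytes, zero-padded to 4."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def rpc_call_header(xid: int, prog: int, vers: int, proc: int) -> bytes:
    """RPC CALL header (msg_type 0, rpcvers 2) with empty AUTH_NULL cred and verf."""
    return (struct.pack(">IIIIII", xid, 0, 2, prog, vers, proc)
            + struct.pack(">IIII", AUTH_NULL, 0, AUTH_NULL, 0))


def build_getport(xid: int, prog: int, vers: int, prot: int) -> bytes:
    """PMAPPROC_GETPORT: which port serves (prog, vers) over prot? (port arg is 0)"""
    return (rpc_call_header(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
            + struct.pack(">IIII", prog, vers, prot, 0))


def build_callit(xid: int, prog: int, vers: int, proc: int, args: bytes = b"") -> bytes:
    """PMAPPROC_CALLIT: ask rpcbind to call (prog, vers, proc) on our behalf.

    The target service sees the request arrive from rpcbind's own socket on the
    local host rather than from the real caller, which is why the summary says
    many services should be barred from being called indirectly.
    """
    return (rpc_call_header(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_CALLIT)
            + struct.pack(">III", prog, vers, proc) + xdr_opaque(args))


def parse_reply(msg: bytes, xid: int) -> bytes:
    """Validate an RPC REPLY for xid and return the result bytes after accept_stat."""
    rxid, mtype, rstat = struct.unpack(">III", msg[:12])
    if rxid != xid:
        raise ValueError("xid mismatch")
    if mtype != 1:
        raise ValueError("not a REPLY message")
    if rstat != 0:
        raise ValueError("MSG_DENIED")
    _flavor, vlen = struct.unpack(">II", msg[12:20])
    off = 20 + vlen + ((-vlen) % 4)          # skip the (padded) verifier body
    (astat,) = struct.unpack(">I", msg[off:off + 4])
    if astat != 0:                           # 1 PROG_UNAVAIL .. 4 GARBAGE_ARGS
        raise ValueError(f"call not accepted, accept_stat {astat}")
    return msg[off + 4:]


def parse_getport_reply(msg: bytes, xid: int) -> int:
    """GETPORT result is a single u32 port (0 means not registered)."""
    (port,) = struct.unpack(">I", parse_reply(msg, xid)[:4])
    return port


def parse_callit_reply(msg: bytes, xid: int):
    """CALLIT result is the port used plus the callee's result as opaque data."""
    body = parse_reply(msg, xid)
    port, n = struct.unpack(">II", body[:8])
    return port, body[8:8 + n]


def build_getport_reply(xid: int, port: int) -> bytes:
    """Constructed reply shaped like rpcbind's own (REPLY, MSG_ACCEPTED, SUCCESS)."""
    return struct.pack(">IIIIIII", xid, 1, 0, AUTH_NULL, 0, 0, port)


def getport_udp(host: str, prog: int, vers: int,
                prot: int = IPPROTO_UDP, timeout: float = 2.0) -> int:
    """Live lookup on UDP/111. Once the port is known, rpcbind is out of the picture."""
    xid = 0x5EED0001                         # arbitrary transaction id for the demo
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_getport(xid, prog, vers, prot), (host, 111))
        data, _ = s.recvfrom(4096)
    return parse_getport_reply(data, xid)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed default
    print("nlockmgr (100021 v1) UDP port:", getport_udp(target, 100021, 1))
```

Run it against a host you administer; a port of 0 means the program is not registered. The GETPORT message is 56 bytes with no authentication at all, which is the practical answer to the question of what a secure portmapper buys you: it controls who may ask for the mapping and who may use CALLIT, but it cannot stop a client that already knows the service port from connecting to that port directly.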



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:10 CDT