[2113] in linux-security and linux-alert archive


[linux-security] portmap & tcpwrappers

daemon@ATHENA.MIT.EDU (Mark Bergman)
Tue Dec 15 04:25:58 1998

Date: Tue, 15 Dec 1998 09:47:00 -0800
To: linux-security@kochab.cv.nrao.edu
From: Mark Bergman <bergman@panix.com>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com


I don't know if this is RedHat 5.1 specific, but be aware that the version
of portmap distributed is the enhanced (Wietse Venema) version. That's
great, except for two things. The first is documented, but easy to overlook:

	"In order to avoid deadlocks, the portmap program does not attempt to look
	up the remote host name or user name...The upshot of all this is that only
	network number patterns will work for portmap access control."

I didn't realize that, and boy did I get bitten when I refused connections
from "unknown" hosts (where DNS doesn't reverse correctly). I was using the
"same" hosts.allow file I had used elsewhere, but it was a different
version of portmap.

There was a bit of time spent troubleshooting DNS, portmap, mount (the
program that alerted me to the failure), etc., trying to find what the
apparent DNS problem was.

The other problem that came up is that every time a portmap request
(initiated by mount) was denied, the portmap daemon died.


Mark Bergman
bergman@panix.com
Unix mechanic, biker, stagehand, pet bird owner, rock climber
http://www.panix.com/~bergman

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null
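The pitfall above, that portmap consults hosts.allow/hosts.deny but never resolves client names, is easy to catch before it bites: any portmap rule whose client pattern depends on a host name (a ".domain" suffix, a bare host name, an @netgroup, or the KNOWN/UNKNOWN/LOCAL/PARANOID wildcards) can never match, so the rule silently falls through. The following lint script is an added example, not part of the original post and not code from portmap or tcp_wrappers; it parses the hosts_access(5) file format (daemon list, client list, optional command, backslash continuation, "#" comments, the EXCEPT operator) and flags every client pattern applied to portmap that is not a numeric network pattern or ALL. The two embedded configuration texts are constructed samples, not real files.

```python
#!/usr/bin/env python3
"""Flag hosts.allow/hosts.deny rules for portmap that rely on host-name lookups.

Wietse Venema's portmap applies tcp_wrappers access control but does not look
up the client's host name, so only address-based client patterns can match.
This script reports every portmap rule whose client pattern is name-based.
"""
import re

# Address-only client patterns per hosts_access(5). A CIDR-style "/8" suffix
# is deliberately not accepted here; classic tcp_wrappers wants a dotted mask.
ADDRESS_FORMS = (
    re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),                        # 192.168.1.5
    re.compile(r"^(\d{1,3}\.){1,3}$"),                             # 192.168.1.  (prefix)
    re.compile(r"^(\d{1,3}\.){3}\d{1,3}/(\d{1,3}\.){3}\d{1,3}$"),  # net/mask
)


def is_address_pattern(token):
    """True if the client pattern can be matched without a name lookup."""
    return any(form.match(token) for form in ADDRESS_FORMS)


def logical_lines(text):
    """Yield (first_line_number, rule) with '\\' continuations joined.

    Blank lines and lines starting with '#' are ignored, as in hosts_access(5).
    """
    pending, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        stripped = raw.rstrip()
        if stripped.endswith("\\"):            # continued on the next line
            pending += stripped[:-1]
            continue
        rule = (pending + raw).strip()
        first, pending, start = start, "", None
        if rule and not rule.startswith("#"):
            yield first, rule


def split_list(field):
    """Split a daemon or client list on whitespace and commas."""
    return [tok for tok in re.split(r"[\s,]+", field.strip()) if tok]


def covers_portmap(daemon_list):
    """Does this daemon list (with an optional EXCEPT clause) apply to portmap?"""
    toks = split_list(daemon_list)
    if "EXCEPT" in toks:
        cut = toks.index("EXCEPT")
        include, exclude = toks[:cut], toks[cut + 1:]
    else:
        include, exclude = toks, []
    # "daemon@host" patterns: compare only the daemon name part.
    inc = {t.split("@", 1)[0] for t in include}
    exc = {t.split("@", 1)[0] for t in exclude}
    return ("portmap" in inc or "ALL" in inc) and not ({"portmap", "ALL"} & exc)


def lint_portmap_rules(text):
    """Return [(line_number, client_pattern)] for portmap rules that cannot match."""
    findings = []
    for lineno, rule in logical_lines(text):
        fields = rule.split(":")
        if len(fields) < 2:                    # not "daemons : clients [: command]"
            continue
        daemons, clients = fields[0], fields[1]
        if not covers_portmap(daemons):
            continue
        for tok in split_list(clients):
            if tok in ("EXCEPT", "ALL") or is_address_pattern(tok):
                continue
            findings.append((lineno, tok))    # name-based: never matches for portmap
    return findings


# Constructed sample hosts.allow, not taken from a real system. Line 2 and
# line 5 depend on name lookups and are exactly the kind of rule that bites.
SAMPLE_HOSTS_ALLOW = """\
# constructed sample, not a real config
ALL: LOCAL, .example.org
portmap: 192.168.1.0/255.255.255.0
portmap: 10.0.
portmap: ALL EXCEPT UNKNOWN
sshd: ALL
"""

# Constructed corrected version: portmap gets address patterns only, and the
# name-based rule is scoped to every other daemon.
FIXED_HOSTS_ALLOW = """\
portmap: 192.168.1.0/255.255.255.0, 10.0.
ALL EXCEPT portmap: LOCAL, .example.org
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_HOSTS_ALLOW), ("fixed", FIXED_HOSTS_ALLOW)):
        for lineno, tok in lint_portmap_rules(text):
            print(f"{name}:{lineno}: portmap client pattern {tok!r} needs a name lookup")
```

Run it against a real /etc/hosts.allow and /etc/hosts.deny by reading each file and passing its text to lint_portmap_rules(); anything it reports should be rewritten as an address, address prefix, or net/mask pattern (or split into a separate rule for the other daemons, as in the corrected sample).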

