[2114] in linux-security and linux-alert archive


[linux-security] Re: portmap & tcpwrappers

daemon@ATHENA.MIT.EDU (Tomasz R. Surmacz)
Fri Dec 18 04:12:05 1998

Date: Wed, 16 Dec 1998 02:32:47 +0100
From: "Tomasz R. Surmacz" <ts@wroc.apk.net>
In-reply-to: <3.0.5.32.19981215094700.007d3c20@popserver.panix.com>; from Mark
 Bergman on Tue, Dec 15, 1998 at 09:47:00AM -0800
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

Mark Bergman wrote on Tue, Dec 15, 1998 at 09:47:00AM -0800:
> 
> I don't know if this is RedHat 5.1 specific, but be aware that the version
> of portmap distributed is the enhanced (Wietse Venema) version. That's
> great, except for two things. The first is documented, but easy to overlook:
> 
> 	"In order to avoid deadlocks, the portmap program does not attempt to look
> 	up the remote host name or user name...The upshot of all this is that only
> 	network number patterns will work for portmap access control."

This is true for all portmap/rpcbind daemons using libwrap.

> I didn't realize that, and boy did I get bitten when I refused connections
> from "unknown" hosts (where DNS doesn't reverse correctly). I was using the
> "same" hosts.allow file I had used elsewhere, but it was a different
> version of portmap.

For portmap/rpcbind/nfs/... you usually want to block everything except
a very small number of local networks, so the typical way of doing this:

	portmap, rpcbind : 123.4.5.0/255.255.255.0 : allow
	portmap, rpcbind : ALL : deny

is also the best.

> The other problem that came up is that everytime a portmap request
> (initiated by mount) was denied, the portmap daemon died.

This usually happens for programs that call libwrap routines without first
forking a subprocess, if you use the 'twist=' feature in hosts.allow/deny
files.

Tomasz

-- 
 _________
(_   _' __) Tomasz R. Surmacz,  Work:(071)3202636, tsurmacz @ict.pwr.wroc.pl
  |  (__  \ http://www.ict.pwr.wroc.pl/~tsurmacz/ *-* Home: ts@ wroc,apk,net
  |__(____/   Taming a mail daemon may cause a system security violation.
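The two pitfalls in this thread (client patterns that need a host-name or
user-name lookup, which portmap never performs, and a 'twist' option on a
rule that a non-forking daemon like portmap can hit) are easy to spot
mechanically before reloading the file. The lint below is an added example
written for this archive page, not code from tcp_wrappers or from the
poster; the parsing shortcuts (splitting rules on ':' and '#', which would
mis-split a shell command containing those characters) and the sample
hosts.allow text are assumptions made for illustration.

```python
"""Lint a tcp_wrappers hosts.allow/hosts.deny fragment for rules that will
not behave as written when evaluated by portmap/rpcbind: client patterns
that need a host-name or user-name lookup, and 'twist' options.  This is
an added example for the thread above, not tcp_wrappers code."""
import re

RPC_DAEMONS = {"portmap", "rpcbind"}
# Keywords libwrap can only evaluate after a host-name lookup.
LOOKUP_KEYWORDS = {"KNOWN", "UNKNOWN", "PARANOID", "LOCAL"}
# Address / network patterns: 10.1.2.3, 10.1.2., 10.1.2.0/255.255.255.0
NUMERIC = re.compile(r"^[0-9.]+(/[0-9.]+)?$")


def parse_rules(text):
    """Return (lineno, daemons, clients, options) for every access rule.

    Joins backslash-continued lines, strips '#' comments and blank lines,
    and splits each rule on ':' into daemon list, client list and options.
    (A '#' or ':' inside a shell command would be mis-split; this is a
    simplification acceptable for a lint pass over ordinary files.)
    """
    rules, buf, start = [], "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not buf:
            if not line.strip():
                continue
            start = lineno
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        fields = [f.strip() for f in (buf + line).split(":")]
        buf = ""
        if len(fields) < 2:
            continue  # not a daemon_list : client_list rule
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((start, daemons, clients, fields[2:]))
    return rules


def lint(text):
    """Return [(lineno, message)] for rules portmap cannot evaluate as written."""
    findings = []
    for lineno, daemons, clients, options in parse_rules(text):
        names = {d.lower() for d in daemons}
        # A rule reaches portmap if it names it or uses the ALL wildcard.
        if not (names & RPC_DAEMONS) and "all" not in names:
            continue
        for pat in clients:
            if pat in ("ALL", "EXCEPT") or NUMERIC.match(pat):
                continue  # network-number patterns are the ones that work
            if "@" in pat:
                why = "user@host pattern needs a user-name lookup"
            elif pat.upper() in LOOKUP_KEYWORDS:
                why = "keyword is evaluated from the host name"
            else:
                why = "host-name pattern"
            findings.append((lineno, f"{pat!r}: {why}; portmap only matches "
                                     "network numbers"))
        for opt in options:
            # hosts_options(5) writes 'twist command'; accept 'twist=' too.
            if re.split(r"[\s=]", opt.strip(), maxsplit=1)[0].lower() == "twist":
                findings.append((lineno, "twist on a rule portmap can match: "
                                         "libwrap is called without a fork, so "
                                         "the twist replaces the daemon"))
    return findings


# Constructed sample file for the demonstration, not from any real host.
SAMPLE = """\
# rpc services: local net only (the shape recommended in the thread)
portmap, rpcbind : 123.4.5.0/255.255.255.0 : allow
portmap, rpcbind : ALL : deny
ALL : .example.com : allow
portmap : UNKNOWN : deny
rpcbind : 10.0.0. : twist /bin/echo "rpc refused"
sshd : .example.com : allow
"""

if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE):
        print(f"line {lineno}: {msg}")
```

Run against a real file with `lint(open("/etc/hosts.allow").read())`; the
`ALL : ...` rules are the ones that bite, since a file shared with other
hosts tends to carry hostname patterns under the ALL wildcard that only
fail once portmap starts evaluating them.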

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null

