Linux Security FAQ Update#3: rpc.ugidd
daemon@ATHENA.MIT.EDU (Lars Wirzenius)
Fri May 5 13:17:02 1995
Date: Fri, 5 May 1995 17:34:01 +0300
From: Lars Wirzenius <wirzeniu@cc.helsinki.fi>
To: linux-activists@niksula.hut.fi, linux-announce@vger.rutgers.edu
X-Mn-Key: announce
From: "Alexander O. Yuriev" <alex@bach.cis.temple.edu>
Subject: Linux Security FAQ Update#3: rpc.ugidd
Newsgroups: comp.os.linux.announce
Keywords: security, FAQ, rpc.ugidd, networking
Organization: ?
Approved: linux-announce@news.ornl.gov (Lars Wirzenius)
Followup-to: comp.os.linux.networking
References:
NFS uid/gid Map Daemon
LINUX SECURITY FAQ UPDATE
April 6, 19:50 EST
Copyright (C) 1995 Alexander O. Yuriev
CIS Laboratories, TEMPLE UNIVERSITY
<alex@bach.cis.temple.edu>
This update is based on Olaf Kirch's post to linux-security
-----------------------------------------------------------------------------
This is an update to the Linux Security FAQ. The FAQ itself is not completely
written yet and currently covers only the Slackware Linux distribution. If you
use a different Linux distribution and the names or locations of some files
differ from the ones used in this update, please drop me a note at
<alex@bach.cis.temple.edu>.
If you create your own Linux distribution that is being placed on
FTP sites or CDs, please contact me!
Linux FAQ WWW is http://bach.cis.temple.edu/linux/linux-security
-----------------------------------------------------------------------------
rpc.ugidd DAEMON ALLOWS REMOTE SYSTEM TO "brute-force"
NAMES OF ALL USERS AND ALL GROUPS.
********************************************************************
WARNING: THIS IS NOT A LINUX-SPECIFIC PROBLEM
This Linux Security FAQ Update Provides Linux-Specific Solution
********************************************************************
Most Linux distributions come with rpc.ugidd, the daemon that
implements a protocol allowing a remote client to map UIDs and GIDs
to user and group names. This protocol is no longer used by the Universal
NFS Server starting from version 2.0, yet most Linux
distributions, including Slackware 2.2, still ship this daemon.
Neither Slackware 2.1.0 nor Slackware 2.2.0 enables this daemon by
default, but /etc/rc.d/rc.inet2 contains commented-out commands to
start it in the Sun RPC servers section.
The daemon itself is neither dangerous nor useful at the present
time, but it gives a remote site a simple way of gathering
information about all users on your system, simply by looping through
the possible UIDs and GIDs. Some people claim that this is really
hard to implement, but it looks really trivial to me:
for (i = 0; i < 65535; i++)
{
    gidtGID = (gid_t) i;
    uidtUID = (uid_t) i;
    /* vRPCgetTargetNames stands for the ugidd RPC lookup: it fills in
       pchLoginName and pchGroupName for the given UID and GID */
    vRPCgetTargetNames(gidtGID, uidtUID,
                       pchLoginName,
                       pchGroupName);
}
(Sorry, could not resist the temptation of typing a couple of C
lines.) The most important thing is that this code is so trivial
that every 6th grader is capable of writing it!
SOLUTION:
The solution to this problem is simple: get the PID of the daemon
with the command:
ps aux | grep ugidd
and kill the running process:
kill -9 <pid>
Now find the file from which rpc.ugidd is started. This file
is usually /etc/rc.d/rc.inet2. Search for lines that start
with rpc.ugidd and delete them. A lot of people feel that they
should just comment them out, in case something happens and
they need to go back to the original version. Don't do that. If
you have to have the original version of the file, restore it from
a backup. Sometimes one forgets why he or she commented out a
program and removes the comment character. Bingo, the program is
running again. This is especially true on systems with several
administrators.
SANITY CHECK:
It is simple: shut down your system to single-user mode using
/sbin/init s
This will kill all running processes and take down the network
interfaces. Now bring the system back up by typing
mount -a
/sbin/init <your-normal-runlevel>
This brings the network interface up and runs the /etc/rc.d/* scripts.
Some systems also require swap to be reactivated. Do
ps aux | grep ugidd
There should be no processes listed. If that is not the case, then
your system probably starts rpc.ugidd from another file and you will
have to hunt it down. A good way to start is by typing
grep ugidd /etc/rc.d/*
This will go through all files in the /etc/rc.d directory, where most
Linux systems keep startup scripts, and check for commands that start
ugidd. As usual, just remove them from there.
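The checks above, combined into one script as an added example (not part of the original FAQ update): it audits every file in a startup-script directory (assumed to be passed as the first argument; the FAQ names /etc/rc.d) and distinguishes lines that would actually start rpc.ugidd from ones that were only commented out, which the FAQ warns tend to be re-enabled by mistake.

```shell
#!/bin/sh
# Constructed audit helper for the rpc.ugidd clean-up; not from the FAQ.

# Lines that would actually start the daemon (rpc.ugidd not behind a '#').
active_ugidd_lines() {
    grep -n 'rpc\.ugidd' "$1" 2>/dev/null | grep -v '^[0-9]*:[[:space:]]*#'
}

# Lines where someone only commented the start command out.
commented_ugidd_lines() {
    grep -n '^[[:space:]]*#.*rpc\.ugidd' "$1" 2>/dev/null
}

# Audit every file in directory $1. Prints each finding as
# "ACTIVE    file:line:text" or "COMMENTED file:line:text".
# Returns 0 when clean, 1 when an active start line exists,
# 2 when only commented-out start lines remain.
audit_ugidd_startup() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if out=$(active_ugidd_lines "$f"); then
            printf '%s\n' "$out" | sed "s|^|ACTIVE    $f:|"
            rc=1
        fi
        if out=$(commented_ugidd_lines "$f"); then
            printf '%s\n' "$out" | sed "s|^|COMMENTED $f:|"
            if [ "$rc" -eq 0 ]; then rc=2; fi
        fi
    done
    return "$rc"
}

# The FAQ's "ps aux | grep ugidd" check; the bracket trick keeps the
# grep process itself out of the match. Returns 0 if ugidd is running.
ugidd_running() {
    ps aux 2>/dev/null | grep '[u]gidd' >/dev/null
}
```

Run it as `audit_ugidd_startup /etc/rc.d` after editing the startup files; a non-zero return means there is still something to remove.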
--
Send submissions for comp.os.linux.announce to: linux-announce@news.ornl.gov
PLEASE remember Keywords: and a short description of the software.