[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[linux-security] Re: portmap & tcpwrappers



Mark Bergman wrote on Tue, Dec 15, 1998 at 09:47:00AM -0800:
> 
> I don't know if this is RedHat 5.1 specific, but be aware that the version
> of portmap distributed is the enhanced (Wietse Venema) version. That's
> great, except for two things. The first is documented, but easy to overlook:
> 
> 	"In order to avoid deadlocks, the portmap program does not attempt to look
> 	up the remote host name or user name...The upshot of all this is that only
> 	network number patterns will work for portmap access control."

This is true for all portmap/rpcbind daemons using libwrap.

> I didn't realize that, and boy did I get bitten when I refused connections
> from "unknown" hosts (where DNS doesn't reverse correctly). I was using the
> "same" hosts.allow file I had used elsewhere, but it was a different
> version of portmap.

For portmap/rpcbind/nfs/... you usually want to block everything except
a very small number of local networks, so the typical way of doing this:

	portmap, rpcbind : 123.4.5.0/255.255.255.0 : allow
	portmap, rpcbind : ALL : deny

is also the best.

> The other problem that came up is that everytime a portmap request
> (initiated by mount) was denied, the portmap daemon died.

This usually happens for programs that call libwrap routines without first
forking a subprocess, if you use the 'twist=' feature in hosts.allow/deny
files.

Tomasz

-- 
 _________
(_   _' __) Tomasz R. Surmacz,  Work:(071)3202636, tsurmacz @ict.pwr.wroc.pl
  |  (__  \ http://www.ict.pwr.wroc.pl/~tsurmacz/ *-* Home: ts@ wroc,apk,net
  |__(____/   Taming a mail daemon may cause a system security violation.
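The two caveats in this thread (only address patterns can match for portmap, and a 'twist' option is fatal to a daemon that does not fork) are easy to check offline. The following is an added illustration, not tcp_wrappers' or portmap's own code: a small Python model of the hosts.allow option-form matching for a daemon that, like portmap, never does a reverse lookup. It covers ALL, net/dotted-mask, net/prefix-length and trailing-dot address prefixes, treats every name-based pattern as a non-match, and lists rules whose 'twist' would replace a non-forking daemon. The network 123.4.5.0/24, the domain .trusted.example and the rule file contents are constructed placeholders; hosts.deny and EXCEPT clauses are deliberately left out of the model.

```python
"""Toy libwrap-style access check for portmap/rpcbind rules (added example).

Models the part of hosts_access(5) matching that portmap can actually use:
the client name is never resolved, so only address patterns can match.
Simplifications: option form only (hosts.allow with allow/deny/twist),
no hosts.deny, no EXCEPT clauses.
"""
import ipaddress

# Constructed hosts.allow contents; the network and domain are placeholders.
HOSTS_ALLOW = """
# name pattern: never matches for portmap, because no reverse lookup is done
portmap, rpcbind : .trusted.example : allow
portmap, rpcbind : 123.4.5.0/255.255.255.0 : allow
portmap, rpcbind : 10.9.0.0/16 : allow
portmap, rpcbind : ALL : deny
"""

# Constructed example of the rule that makes a non-forking daemon exit.
HOSTS_ALLOW_TWIST = "portmap : ALL : twist /bin/echo access denied\n"


def parse_rules(text):
    """Return (daemons, clients, options) per rule; options is '' for plain allow."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]  # options may contain ':'
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        options = fields[2].lower() if len(fields) > 2 else ""
        rules.append((daemons, clients, options))
    return rules


def addr_matches(pattern, addr):
    """True only for address-based patterns; names, KNOWN/UNKNOWN etc. never match."""
    ip = ipaddress.ip_address(addr)
    if pattern == "ALL":
        return True
    if "/" in pattern:
        try:  # accepts both 'net/255.255.255.0' and 'net/24'
            return ip in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.endswith("."):  # '123.4.5.' is a textual address prefix
        return addr.startswith(pattern)
    try:
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        return False  # hostname or domain suffix: unusable without a lookup


def decide(rules, daemon, addr):
    """First matching rule wins; no match means allow (empty hosts.deny)."""
    for daemons, clients, options in rules:
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(addr_matches(p, addr) for p in clients):
            # 'twist' hands the connection to another program, so from the
            # client's point of view it is a refusal as well.
            return not options.startswith(("deny", "twist"))
    return True


def twist_hazards(rules, nonforking=("portmap", "rpcbind")):
    """Rules whose 'twist' would replace a daemon that serves from its main process."""
    return [r for r in rules
            if r[2].startswith("twist")
            and (set(r[0]) & set(nonforking) or "ALL" in r[0])]


if __name__ == "__main__":
    rules = parse_rules(HOSTS_ALLOW)
    for client in ("123.4.5.17", "10.9.200.1", "123.4.6.1"):
        print(client, "allowed" if decide(rules, "portmap", client) else "denied")
    print("hazardous twist rules:", twist_hazards(parse_rules(HOSTS_ALLOW_TWIST)))
```

Running it shows 123.4.5.17 and 10.9.200.1 allowed, 123.4.6.1 denied, and the .trusted.example rule contributing nothing, which is the trap described above: a hosts.allow file copied from a host where the daemon does resolve names silently loses its name-based entries under portmap. On a real system the same questions can be put to the stock tcpdmatch(8) utility against the live hosts.allow and hosts.deny files.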


