NetBSD Problem Report #37876

From martin@duskware.de  Sat Jan 26 08:57:29 2008
Return-Path: <martin@duskware.de>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id D3A1C63BA67
	for <gnats-bugs@gnats.netbsd.org>; Sat, 26 Jan 2008 08:57:29 +0000 (UTC)
Message-Id: <20080126014404.4F7C963BA67@narn.NetBSD.org>
Date: Sat, 26 Jan 2008 01:44:04 +0000 (UTC)
From: mmondor@pulsar-zone.net
Reply-To: mmondor@pulsar-zone.net
To: netbsd-bugs-owner@NetBSD.org
Subject: rpcbind(8) and related services should be able to bind(2) to a specific interface
X-Send-Pr-Version: www-1.0

>Number:         37876
>Category:       bin
>Synopsis:       rpcbind(8) and related services should be able to bind(2) to a specific interface
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sat Jan 26 09:00:01 +0000 2008
>Last-Modified:  Wed Aug 10 09:15:00 +0000 2016
>Originator:     Matthew Mondor
>Release:        NetBSD 4.0_STABLE, 4.99.42
>Organization:
Pulsar-Zone
>Environment:
>Description:
SunRPC services all seem to bind to all interfaces.
Considering the security issues involved using those services,
it would be ideal if they could be bound to a specific interface
(or various specific ones).
>How-To-Repeat:

>Fix:

>Audit-Trail:
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/37876: rpcbind(8) and related services should be able to
 bind(2) to a specific interface
Date: Mon, 8 Aug 2016 04:37:09 +0000

 On Sat, Jan 26, 2008 at 09:00:01AM +0000, mmondor@pulsar-zone.net wrote:
  > SunRPC services all seem to bind to all interfaces.
  > Considering the security issues involved using those services,
  > it would be ideal if they could be bound to a specific interface
  > (or various specific ones).

 While in general this seems like a good idea, it's a bit more
 complicated than just that. AFAICR, traditionally, the portmapper will
 forward requests, with the result that any request might appear to
 come from any local interface... I'm not sure if our rpcbind does that
 (I would hope not) but we ought to try to get some clear answers
 before proceeding.

 Also, for the record these services are started from inetd so inetd is
 in charge of binding:
    - rpc.rquotad
    - rpc.rstatd
    - rpc.rusersd
    - rpc.rwalld
    - rpc.sprayd
    - rpc.pcnfsd

 so only these are started from rc.d and would need binding glop:
    - rpc.bootparamd
    - rpc.lockd
    - rpc.statd
    - rpc.yppasswdd
    - ypserv

 Am I forgetting any others? (Besides perhaps the nfs server in the
 kernel...)

 As a side note, it seems that there isn't any preconfigured way to run
 pcnfsd at all; on the other hand, pcnfsd is pretty useless nowadays.

 For that matter, rstatd, rusersd, rwalld, sprayd, and yppasswdd are
 all pretty useless nowadays too.

 -- 
 David A. Holland
 dholland@netbsd.org

From: Matthew Mondor <mm_lists@pulsar-zone.net>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/37876: rpcbind(8) and related services should be able to
 bind(2) to a specific interface
Date: Wed, 10 Aug 2016 05:10:46 -0400

 On Mon,  8 Aug 2016 04:40:01 +0000 (UTC)
 David Holland <dholland-bugs@netbsd.org> wrote:

 > The following reply was made to PR bin/37876; it has been noted by
 > GNATS.
 > 
 > From: David Holland <dholland-bugs@netbsd.org>
 > To: gnats-bugs@NetBSD.org
 > Cc: 
 > Subject: Re: bin/37876: rpcbind(8) and related services should be
 > able to bind(2) to a specific interface
 > Date: Mon, 8 Aug 2016 04:37:09 +0000
 > 
 >  On Sat, Jan 26, 2008 at 09:00:01AM +0000, mmondor@pulsar-zone.net
 >  wrote:
 >   > SunRPC services all seem to bind to all interfaces.
 >   > Considering the security issues involved using those services,
 >   > it would be ideal if they could be bound to a specific interface
 >   > (or various specific ones).  
 >  
 >  While in general this seems like a good idea, it's a bit more
 >  complicated than just that. AFAICR, traditionally, the portmapper
 >  will forward requests, with the result that any request might appear
 >  to come from any local interface... I'm not sure if our rpcbind does
 >  that (I would hope not) but we ought to try to get some clear answers
 >  before proceeding.

 I don't remember much about the sunrpc protocol (what I mostly remember
 is the portable xdr binary serialization part), so I also can't answer
 this without some reading.

 >  Also, for the record these services are started from inetd so inetd
 >  is in charge of binding:
 >     - rpc.rquotad
 >     - rpc.rstatd
 >     - rpc.rusersd
 >     - rpc.rwalld
 >     - rpc.sprayd
 >     - rpc.pcnfsd

 I personally never used any of these.

 >  so only these are started from rc.d and would need binding glop:
 >     - rpc.bootparamd
 >     - rpc.lockd
 >     - rpc.statd
 >     - rpc.yppasswdd
 >     - ypserv
 >
 >  For that matter, rstatd, rusersd, rwalld, sprayd, and yppasswdd are
 >  all pretty useless nowadays too.

 The only three I use are mountd (exports the available file systems),
 lockd (allows advisory locking over NFS) and statd, other than of
 course rpcbind and nfsd, and it's possible that statd is no longer
 necessary, I'm not sure.  The rpc.statd(8) manual page appears to
 suggest that lockd uses its monitoring features.

 -- 
 Matt
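
The change requested in this PR comes down to passing bind(2) a specific local address instead of INADDR_ANY, once per configured address. The following C is an added example, not part of the original thread and not NetBSD's rpcbind code; it covers IPv4/UDP only, and bind_to, is_wildcard and bind_list are hypothetical names.

```c
/* Added example, not rpcbind code; every name here is hypothetical. */
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to numeric IPv4 address `host`, or to the wildcard
 * when host is NULL. Port "0" lets the kernel choose. Returns fd or -1. */
int bind_to(const char *host, const char *port)
{
    struct addrinfo *res, hints = { .ai_family = AF_INET,
        .ai_socktype = SOCK_DGRAM,
        .ai_flags = AI_NUMERICHOST | AI_PASSIVE };  /* no DNS lookups */
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;
    int fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (fd >= 0 && bind(fd, res->ai_addr, res->ai_addrlen) != 0) {
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

/* 1 if fd is bound to INADDR_ANY (all interfaces), 0 if bound to one
 * address, -1 if the local address cannot be read. */
int is_wildcard(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    if (getsockname(fd, (struct sockaddr *)&sin, &len) != 0)
        return -1;
    return sin.sin_addr.s_addr == htonl(INADDR_ANY);
}

/* One socket per listed address; fail closed on a bad or wildcard entry.
 * Returns n on success, or -1 with every socket opened so far closed. */
int bind_list(const char *const *hosts, int n, const char *port, int *fds)
{
    for (int i = 0; i < n; i++) {
        fds[i] = bind_to(hosts[i], port);
        if (fds[i] >= 0 && is_wildcard(fds[i]) == 0)
            continue;
        for (; i >= 0; i--)
            if (fds[i] >= 0)
                close(fds[i]);
        return -1;
    }
    return n;
}
```

Calling bind_list with the addresses from a repeated command-line option gives one socket per address, and a list containing 0.0.0.0 or an unparsable entry is rejected as a whole rather than silently widening exposure.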
