NetBSD Problem Report #37876
From martin@duskware.de Sat Jan 26 08:57:29 2008
Return-Path: <martin@duskware.de>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id D3A1C63BA67
for <gnats-bugs@gnats.netbsd.org>; Sat, 26 Jan 2008 08:57:29 +0000 (UTC)
Message-Id: <20080126014404.4F7C963BA67@narn.NetBSD.org>
Date: Sat, 26 Jan 2008 01:44:04 +0000 (UTC)
From: mmondor@pulsar-zone.net
Reply-To: mmondor@pulsar-zone.net
To: netbsd-bugs-owner@NetBSD.org
Subject: rpcbind(8) and related services should be able to bind(2) to a specific interface
X-Send-Pr-Version: www-1.0
>Number: 37876
>Category: bin
>Synopsis: rpcbind(8) and related services should be able to bind(2) to a specific interface
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Sat Jan 26 09:00:01 +0000 2008
>Last-Modified: Wed Aug 10 09:15:00 +0000 2016
>Originator: Matthew Mondor
>Release: NetBSD 4.0_STABLE, 4.99.42
>Organization:
Pulsar-Zone
>Environment:
>Description:
SunRPC services all seem to bind to all interfaces.
Considering the security issues involved using those services,
it would be ideal if they could be bound to a specific interface
(or various specific ones).
>How-To-Repeat:
>Fix:
>Audit-Trail:
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/37876: rpcbind(8) and related services should be able to
bind(2) to a specific interface
Date: Mon, 8 Aug 2016 04:37:09 +0000
On Sat, Jan 26, 2008 at 09:00:01AM +0000, mmondor@pulsar-zone.net wrote:
> SunRPC services all seem to bind to all interfaces.
> Considering the security issues involved using those services,
> it would be ideal if they could be bound to a specific interface
> (or various specific ones).
While in general this seems like a good idea, it's a bit more
complicated than just that. AFAICR, traditionally, the portmapper will
forward requests, with the result that any request might appear to
come from any local interface... I'm not sure if our rpcbind does that
(I would hope not) but we ought to try to get some clear answers
before proceeding.
Also, for the record these services are started from inetd so inetd is
in charge of binding:
- rpc.rquotad
- rpc.rstatd
- rpc.rusersd
- rpc.rwalld
- rpc.sprayd
- rpc.pcnfsd
so only these are started from rc.d and would need binding glop:
- rpc.bootparamd
- rpc.lockd
- rpc.statd
- rpc.yppasswdd
- ypserv
Am I forgetting any others? (Besides perhaps the nfs server in the
kernel...)
As a side note, it seems that there isn't any preconfigured way to run
pcnfsd at all; on the other hand, pcnfsd is pretty useless nowadays.
For that matter, rstatd, rusersd, rwalld, sprayd, and yppasswdd are
all pretty useless nowadays too.
--
David A. Holland
dholland@netbsd.org
From: Matthew Mondor <mm_lists@pulsar-zone.net>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/37876: rpcbind(8) and related services should be able to
bind(2) to a specific interface
Date: Wed, 10 Aug 2016 05:10:46 -0400
On Mon, 8 Aug 2016 04:40:01 +0000 (UTC)
David Holland <dholland-bugs@netbsd.org> wrote:
> The following reply was made to PR bin/37876; it has been noted by
> GNATS.
>
> From: David Holland <dholland-bugs@netbsd.org>
> To: gnats-bugs@NetBSD.org
> Cc:
> Subject: Re: bin/37876: rpcbind(8) and related services should be
> able to bind(2) to a specific interface
> Date: Mon, 8 Aug 2016 04:37:09 +0000
>
> On Sat, Jan 26, 2008 at 09:00:01AM +0000, mmondor@pulsar-zone.net
> wrote:
> > SunRPC services all seem to bind to all interfaces.
> > Considering the security issues involved using those services,
> > it would be ideal if they could be bound to a specific interface
> > (or various specific ones).
>
> While in general this seems like a good idea, it's a bit more
> complicated than just that. AFAICR, traditionally, the portmapper
> will forward requests, with the result that any request might appear
> to come from any local interface... I'm not sure if our rpcbind does
> that (I would hope not) but we ought to try to get some clear answers
> before proceeding.
I don't remember much about the sunrpc protocol (what I mostly remember
is the portable xdr binary serialization part), so I also can't answer
this without some reading.
> Also, for the record these services are started from inetd so inetd
> is in charge of binding:
> - rpc.rquotad
> - rpc.rstatd
> - rpc.rusersd
> - rpc.rwalld
> - rpc.sprayd
> - rpc.pcnfsd
I personally never used any of these.
> so only these are started from rc.d and would need binding glop:
> - rpc.bootparamd
> - rpc.lockd
> - rpc.statd
> - rpc.yppasswdd
> - ypserv
>
> For that matter, rstatd, rusersd, rwalld, sprayd, and yppasswdd are
> all pretty useless nowadays too.
The only three I use are mountd (exports the available file systems),
lockd (allows advisory locking over NFS) and statd, other than of
course rpcbind and nfsd, and it's possible that statd is no longer
necessary, I'm not sure. The rpc.statd(8) manual page appears to
suggest that lockd uses its monitoring features.
--
Matt
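
The change requested in this PR, as an added sketch that is not part of the report or of NetBSD's code: an rc.d-started daemon binds its socket to one configured address instead of the wildcard, and an audit helper reports which of the two a descriptor ended up with. The function names are hypothetical, it covers IPv4/UDP only, and it assumes the bound descriptor would then be handed to the daemon's RPC transport setup.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a UDP socket bound to one local IPv4 address (dotted quad).
 * port is in host byte order; 0 lets the kernel choose one.
 * Returns the descriptor, or -1 on any failure. (Hypothetical helper.) */
int bind_udp_to(const char *addr, unsigned short port)
{
    struct sockaddr_in sin;
    int fd;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        return -1;              /* reject unparsable addresses */
    if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
        return -1;
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
        close(fd);              /* e.g. address not configured locally */
        return -1;
    }
    return fd;
}

/* Audit helper: 1 if fd is bound to the wildcard address (reachable
 * through every interface), 0 if bound to a specific address,
 * -1 on error or for a non-IPv4 socket. (Hypothetical helper.) */
int is_wildcard_bound(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);

    if (getsockname(fd, (struct sockaddr *)&sin, &len) == -1 ||
        sin.sin_family != AF_INET)
        return -1;
    return sin.sin_addr.s_addr == htonl(INADDR_ANY);
}
```

Binding to a specific address only limits where the socket receives; whether rpcbind forwards requests so that they appear to come from a local address, the open question raised in the thread, is unaffected by it.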