Re: tcpwrapped rpcbind/portmap?

From: Trevor Fiatal (trevor@seven.com)
Date: 08/21/01


Message-ID: <3B818B3D.C94C98CB@seven.com>
Date: Mon, 20 Aug 2001 15:12:13 -0700
From: Trevor Fiatal <trevor@seven.com>
To: Casper *** <Casper.***@Sun.COM>
Subject: Re: tcpwrapped rpcbind/portmap?

Casper *** wrote:
>
> Would it be a good idea to have a "safer" rpcbind in Solaris?

Absolutely. The lack of ACL enforcement within the stock Solaris
rpcbind makes its use problematic in a security-sensitive environment.

> If so, what would "safer" mean?
> o Not listening to the world at all (optionally)
> o No indirect calls (optionally)
> o "wrapped" functionality.
>
> And which would you like best?
>
> In principle, option #2 would do away with most uncertainty about rpcbind
> security.

I'd rather see libwrap-style ACLs first, then as a lesser priority
the ability to disable indirect calls would be nice to have.

Ideally, rpcbind would read a Solaris-standard config file for the
locations of hosts.allow and hosts.deny ACL files. That way I could
continue to stash my hosts.* files where I like to keep them, but
rpcbind would still be able to reference them.

-Trevor

-- 
Trevor Fiatal -- trevor@seven.com -- http://www.seven.com/
Co-Founder
Seven
510.967.4556 (work/mobile)  
510.401.8054 (vmail/fax)

