RE: tcpwrapped rpcbind/portmap?

From: Geoff Collis (geoff@andale.com)
Date: 08/21/01


Message-ID: <EC5DB45B78F8D311A12500500488E66107E68FA2@mail.vendorhub.com>
From: Geoff Collis <geoff@andale.com>
To: "'Casper ***'" <Casper.***@Sun.COM>, "'focus-sun@securityfocus.com'" <focus-sun@securityfocus.com>
Subject: RE: tcpwrapped rpcbind/portmap? 
Date: Tue, 21 Aug 2001 10:34:15 -0700

Regardless of the merits or otherwise, I need rpcbind to support
reading/writing files stored on a NetApp NFS file server. There may be
better alternatives, but these are not going to work with the hardware we
have.

On Solaris 2.6 and 7 I would handle this scenario by installing ipfilter, to
restrict access to the local subnet, and use the tcp-wrapped version of
rpcbind to make sure RPC will only work with hosts on the local subnet.
Mistakes happen so I prefer to have two levels of *access restriction* rather
than rely totally on the ipfilter rules. :-)

I do not have any intention of running NIS or NIS+.

So I would like to have tcp-wrapped versions of rpcbind/portmap for Solaris
8, but I have to confess I do not know the internal details of RPC, so there
may be better alternative solutions.

- Geoff

-----Original Message-----
From: Casper *** [mailto:Casper.***@Sun.COM]
Sent: Saturday, August 18, 2001 2:23 PM
To: Geoff Collis
Cc: 'Reg Quinton'; 'focus-sun@securityfocus.com'
Subject: Re: tcpwrapped rpcbind/portmap?

Hey, we were all at Usenix Security in Washington!

File locking does require RPCbind on the client, but I suppose you
could be fine without it.

Would it be a good idea to have a "safer" rpcbind in Solaris?

If so, what would "safer" mean?
        o Not listening to the world at all (optionally)
        o No indirect calls (optionally)
        o "wrapped" functionality.

And which would you like best?

In principle, option #2 would do away with most uncertainty about rpcbind
security.

Casper
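
The two-layer restriction described in the reply above, sketched as an added example (it is not from either poster): ipfilter rules and tcp-wrapper entries that each limit the portmapper to the local subnet on their own. The subnet 192.168.1.0/24 is a constructed placeholder, and the daemon name `rpcbind` assumes an rpcbind built against libwrap.

```conf
# --- ipf.conf (layer 1: packet filter) ---
# "quick" makes the first matching rule final, so the pass rule for the
# local subnet must come before the catch-all block.
# 192.168.1.0/24 is a placeholder for the real local subnet.
pass  in quick proto tcp/udp from 192.168.1.0/24 to any port = 111
block in quick proto tcp/udp from any to any port = 111

# --- hosts.allow (layer 2: tcp-wrapped rpcbind) ---
# Use numeric addresses only: a wrapped portmapper should not depend on
# name lookups that may themselves need RPC services.
# Classic tcp wrappers take net/mask in dotted form, not a /24 prefix.
rpcbind: 192.168.1.0/255.255.255.0

# --- hosts.deny ---
# Anything not matched in hosts.allow is refused by the daemon itself,
# even if a mistake in ipf.conf lets the packet through.
rpcbind: ALL
```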