Re: NFS Over Private Network

From: Brian Parent (bparent_at_calvin.ucsd.edu)
Date: 03/30/04

  • Next message: Casper Dik: "Re: NFS Over Private Network"
    Date: Mon, 29 Mar 2004 17:39:17 -0800
    To: Simon Thornton <simon.thornton@swift.com>

    It's not just that it is old code; there is at least one security
    vulnerability in Wietse's.

    I too used to use Wietse's portmapper for logging purposes, but
    at some point Sun released a version that included security fixes
    that were not in Wietse's version (and never will be, since it isn't
    being maintained anymore). I've since cut over to using Sun's
    version.

    I'm trying to keep a long day from getting longer, so I don't want
    to take the time to dig up the specific problem. If you're interested,
    try looking at Sun's README for the applicable patch (probably somewhere
    around 105216-04, Solaris 2.6).

    Re:
    > Date: Mon, 29 Mar 2004 12:08:09 +0200
    > From: Simon Thornton <simon.thornton@swift.com>
    > Subject: RE: NFS Over Private Network
    > To: "'Erek Adams'" <erek@theadamsfamily.net>
    > Cc: "'Michael Wright'" <cshelp@plu.edu>, focus-sun@securityfocus.com
    >
    > Hi Erek,
    >
    > I can understand the comment about old code, but I've never had issues
    > with the version of rpcbind on production systems. Normally I do not
    > allow NFS due to the many security issues associated with it. Sometimes,
    > though, it has to be allowed; short of putting in a firewall between the
    > systems, there is little the native OS provides that covers portmap
    > access.
    >
    > As a side feature, the ability to save portmap settings across
    > sessions is very useful; it saves the need to reconfigure the firewall
    > rules whenever portmap is restarted.
    >
    > I consider it more valuable that access to the portmapper is recorded
    > and/or restricted than relying on the RPC apps to protect themselves.
    > Many canned RPC exploits do not work if they cannot access the
    > portmapper to find the application.
    >
    > As with all changes, you have to test it in your environment and assess
    > the risks associated with replacing the native utility with another.
    > What is acceptable in one place may not be in another.
    >
    > As they say, YMMV :-)
    >
    >
    > Rgds,
    >
    > Simon
    > -----Original Message-----
    > From: Erek Adams [mailto:erek@theadamsfamily.net]
    > Sent: Saturday, March 27, 2004 01:36
    > To: Simon Thornton
    > Cc: 'Michael Wright'; focus-sun@securityfocus.com
    > Subject: RE: NFS Over Private Network
    >
    >
    > On Thu, 25 Mar 2004, Simon Thornton wrote:
    >
    > > At the least I would replace the SUN portmapper with the one from the
    > > TCPwrappers suite. This will allow you to restrict access
    > > (/etc/hosts.allow) on the IP level to portmap and therefore to some
    > > services.
    >
    > [...snip...]
    >
    > Actually, that's not really a good idea. Take a look at this message
    > from
    > Alex Noordergraaf on that subject.
    >
    > --Msg--
    >
    > Date: Thu, 06 Nov 2003 20:01:44 -0500
    > From: Alex Noordergraaf <alex.noordergraaf@sun.com>
    > To: Jonathan Loran <jonloran@yahoo.com>
    > Cc: focus-sun@securityfocus.com
    > Subject: Re: Disabling rpcbind/portmapper
    >
    > Jonathan Loran wrote:
    > >
    > > How about the libwrap version of rpcbind by Wietse Venema? Simple
    > > /etc/hosts.{allow,deny} control.
    >
    > Wietse's version of rpcbind is based on early Solaris code (~2.5) and
    > isn't generally recommended for production use anymore.
    >
    > -Alex
    >
    > --End--
    >
    > Cheers!
    >
    > -----
    > Erek Adams
    > Nifty-Type-Guy
    > TheAdamsFamily.Net
    >

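The thread's recommendation (and the pushback on it) rests on the wrapped portmapper consulting /etc/hosts.allow and /etc/hosts.deny to restrict portmap access at the IP level. The following is an added example, not code from the thread, from tcp_wrappers or from either rpcbind: it evaluates a simplified subset of the hosts_access rule language (ALL, exact addresses, "n.n.n." prefixes, net/mask and EXCEPT) for a daemon and client address. The two rule files, the daemon names and the 10.20.30.0/24 addresses are constructed.

```python
"""Simplified tcp_wrappers hosts.allow / hosts.deny evaluation (added example,
not tcp_wrappers' own code). Supports ALL, exact IPs, 'n.n.n.' prefixes,
'net/mask' and EXCEPT; hostnames, KNOWN/PARANOID and shell commands are omitted."""
import ipaddress
import re

# Constructed sample files: portmap reachable only from the private NFS
# interconnect (minus one lab host); everything else denied by default.
HOSTS_ALLOW = """
# portmap: private interconnect only, minus the lab box
portmap sunrpc : 10.20.30.0/255.255.255.0 EXCEPT 10.20.30.99
sshd : ALL
"""
HOSTS_DENY = """
ALL : ALL
"""

def _parse(text):
    """Yield (daemon_list, client_list) per rule, joining backslash continuations."""
    text = re.sub(r"\\\n", " ", text)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                      # malformed rule: tcp_wrappers logs and skips it
        yield fields[0].replace(",", " ").split(), fields[1]

def _host_match(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):             # leading-component prefix, e.g. 10.20.30.
        return ip.startswith(pattern)
    if "/" in pattern:                    # net/mask form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def _list_match(pattern_list, ip):
    """'left EXCEPT right' matches when left matches and right does not."""
    left, _, right = pattern_list.partition(" EXCEPT ")
    hit = any(_host_match(p, ip) for p in left.replace(",", " ").split())
    return hit and not _list_match(right, ip) if right else hit

def _table_match(text, daemon, ip):
    return any((daemon in daemons or "ALL" in daemons) and _list_match(clients, ip)
               for daemons, clients in _parse(text))

def hosts_access(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match at all grants access."""
    if _table_match(allow, daemon, ip):
        return True
    return not _table_match(deny, daemon, ip)
```

Note the last line of `hosts_access`: with an empty hosts.deny, a daemon that appears in neither file is reachable from anywhere, which is why the "ALL : ALL" deny-by-default entry matters when the goal is to keep scanners away from portmap.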