Ben,

The NFS client services are a lot more locked down in Solaris 10 than they were in prior versions. This helps to mitigate many of the threats normally attributed to these services:

blackhole$ pfexec ppriv -S `pgrep statd`
11632:  /usr/lib/nfs/statd
flags = PRIV_AWARE
        E: net_bindmlp,proc_fork
        I: none
        P: net_bindmlp,proc_fork
        L: none

blackhole$ pfexec ppriv -S `pgrep lockd`
11637:  /usr/lib/nfs/lockd
flags = PRIV_AWARE
        E: sys_nfs
        I: none
        P: sys_nfs
        L: none

As you can see, they are privilege aware and are configured to have very few privileges (just as with the RPC port mapper):

blackhole$ pfexec ppriv -S `pgrep rpcbind`
414:    /usr/sbin/rpcbind
flags = PRIV_AWARE
        E: net_bindmlp,net_privaddr,proc_fork,sys_nfs
        I: none
        P: net_bindmlp,net_privaddr,proc_fork,sys_nfs
        L: none

Also, I believe that statd and lockd are no longer needed if you are using NFSv4 (only). You still may need things like nfsmapid and possibly gssd, however.

Beyond that, what was your concern with using IP Filter as a host-based firewall to restrict access to these services? I would like to get a better feel for what your concerns are.

Thanks!

g

Ben Rockwood wrote:
> I've posted this question to nfs-discuss with no response, asking with wide
> scope here.
>
> NFS clients will open 2 or more ports, statd and lockd. While rpcbind can be
> set as local_only, these ports are still open and could potentially be
> exploited. For servers on the public internet this is a considerable risk.
>
> What is the appropriate way of securing such a system? I'm not aware of any
> way to restrict these daemons to a single (private) network interface, and I
> don't believe TCP-Wrappers is applicable.
>
> Is there a recommended means of dealing with this other than using a firewall?
>
> benr.
>
>
> This message posted from opensolaris.org
> _______________________________________________
> security-discuss mailing list
> security-discuss at opensolaris.org

--
Glenn Brunette
Distinguished Engineer
Director, GSS Security Office
Sun Microsystems, Inc.
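The ppriv output above is the evidence that statd, lockd and rpcbind run privilege-aware with minimal sets. An administrator who wants to check that this is still true after patches or configuration changes can parse that same `ppriv -S` format and compare each daemon's Effective and Permitted sets against a baseline. The script below is an added example written for this thread, not code from Sun or from the list; the baseline it uses is simply the sets shown in Glenn's message (an assumption, not a documented Solaris baseline), and the second, "drifted" sample is constructed to show what a finding looks like.

```python
"""Audit `ppriv -S` output for NFS daemons against an expected privilege baseline.

Added example (not from the original thread). Parses the output format shown in
the message above and reports any process that is not PRIV_AWARE, that carries
privileges beyond its baseline in E or P, or that has a non-empty Inheritable set.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Sample copied from the thread's ppriv output (three processes concatenated).
SAMPLE_PPRIV = """\
11632:  /usr/lib/nfs/statd
flags = PRIV_AWARE
        E: net_bindmlp,proc_fork
        I: none
        P: net_bindmlp,proc_fork
        L: none
11637:  /usr/lib/nfs/lockd
flags = PRIV_AWARE
        E: sys_nfs
        I: none
        P: sys_nfs
        L: none
414:    /usr/sbin/rpcbind
flags = PRIV_AWARE
        E: net_bindmlp,net_privaddr,proc_fork,sys_nfs
        I: none
        P: net_bindmlp,net_privaddr,proc_fork,sys_nfs
        L: none
"""

# Constructed sample: a statd that has lost PRIV_AWARE and gained an extra privilege.
DRIFTED_PPRIV = """\
20001:  /usr/lib/nfs/statd
flags = <none>
        E: file_dac_read,net_bindmlp,proc_fork
        I: none
        P: file_dac_read,net_bindmlp,proc_fork
        L: all
"""

# Assumed baseline, taken from the sets the thread shows for each daemon.
EXPECTED: Dict[str, Set[str]] = {
    "/usr/lib/nfs/statd": {"net_bindmlp", "proc_fork"},
    "/usr/lib/nfs/lockd": {"sys_nfs"},
    "/usr/sbin/rpcbind": {"net_bindmlp", "net_privaddr", "proc_fork", "sys_nfs"},
}


class Proc(NamedTuple):
    pid: int
    cmd: str
    flags: Set[str]
    sets: Dict[str, Set[str]]  # "E", "I", "P", "L" -> privilege names


_HEADER = re.compile(r"^(\d+):\s+(\S+)")       # "11632:  /usr/lib/nfs/statd"
_SET = re.compile(r"^\s*([EIPL]):\s*(.*)$")     # "        E: net_bindmlp,proc_fork"


def _privs(field: str) -> Set[str]:
    """Turn 'a,b,c' into a set; ppriv prints 'none' for an empty set."""
    field = field.strip()
    if field in ("none", ""):
        return set()
    return {p.strip() for p in field.split(",")}


def parse_ppriv(text: str) -> List[Proc]:
    procs: List[Proc] = []
    cur = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            cur = Proc(int(m.group(1)), m.group(2), set(), {})
            procs.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("flags"):
            # ppriv prints flags as "PRIV_AWARE", "<none>" or "A|B".
            _, _, value = line.partition("=")
            cur.flags.update(f for f in value.strip().split("|") if f and f != "<none>")
            continue
        m = _SET.match(line)
        if m:
            cur.sets[m.group(1)] = _privs(m.group(2))
    return procs


def audit(procs: List[Proc], expected: Dict[str, Set[str]] = EXPECTED) -> List[Tuple[int, str, str]]:
    """Return (pid, command, reason) for every deviation from the baseline."""
    findings: List[Tuple[int, str, str]] = []
    for p in procs:
        if "PRIV_AWARE" not in p.flags:
            findings.append((p.pid, p.cmd, "not PRIV_AWARE"))
        baseline = expected.get(p.cmd)
        if baseline is None:
            continue  # not a daemon we have a baseline for
        for name in ("E", "P"):
            extra = p.sets.get(name, set()) - baseline
            if extra:
                findings.append((p.pid, p.cmd, f"{name} has unexpected: {','.join(sorted(extra))}"))
        if p.sets.get("I"):
            findings.append((p.pid, p.cmd, f"I not empty: {','.join(sorted(p.sets['I']))}"))
    return findings


if __name__ == "__main__":
    for label, text in (("thread sample", SAMPLE_PPRIV), ("drifted sample", DRIFTED_PPRIV)):
        print(label, audit(parse_ppriv(text)) or "OK")
```

On a live system the input would come from `pfexec ppriv -S $(pgrep -d' ' -x 'statd|lockd|rpcbind')` piped into the parser; the baseline dictionary is the part to adjust per site, and only E and P are compared because the Limit set is legitimately "all" for ordinary, non-privilege-aware processes.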