On 11.06.2007 23:17, Scott Rotondo wrote:
>> nmap -A checks amongst other things also the service behind it if a port
>> appears to be open. Otherwise you wouldn't get the prog# of RPC services
>> and the version of SSH used ;-)
>
> Sorry, I didn't look closely enough at your nmap output. My point was
> that we would expect nmap to show that rpcbind is listening, even if
> config/local_only is set to true.
>
>>
>>> but rpcinfo from a remote system should look like this:
>>>
>>> $ rpcinfo -p remotehost
>>> rpcinfo: can't contact portmapper: RPC: Authentication error; why =
>>> Failed (unspecified error)
>>
>> Well, yes, this is what I would have expected.
>>
>> Which system?
>
> I produced the output above with a server running Nevada build 62.
> Should be the same for any post-SBD system.

Thanks for the confirmation, it was only that the "magic" I experienced
made me somewhat skeptical.

>>> Since your system is responding to remote rpcinfo requests, it appears
>>> that config/local_only is set to false. This may have occurred as a side
>>> effect of enabling other services that require rpcbind. For example,
>>> mounting or exporting an NFS file system would have this effect.
>>
>> That's my point. I didn't set that manually, at least not that I am
>> aware of.
>>
>> One script during my post installation could have used the box as an NFS
>> client though, if this is what you meant by side effect.
>>
>> But a) system configurations should not change on the fly w/ the admin's
>> knowledge b) NFS *clients* should not need a portmapper which is
>> accessible from remote.
>
> I see your point. However, the principle we followed for Secure by
> Default was to ensure that network ports were not opened without
> *action* from the administrator, though action does not necessarily
> imply *knowledge*. In other words, you had to take explicit action to
> cause the NFS mount, but you might not have known that it would enable
> rpcbind as a side effect.
>
> Even an NFS client requires lockd and statd in order to implement
> correct file locking semantics, and that's why rpcbind is needed.

Thanks, yes, a while after sending the e-mail I realized that, too. :-)

But the situation is still kind of awkward: Now I still have the
portmapper accessible, and for sure lockd/statd doesn't run now. (Can't
tell whether it ran before, if not, the logic you're telling is not
comprehensible to me). I know that there might be another explanation,
but what counts is that the level of security was/is reduced.

An important other thing: In this scenario the portmapper doesn't syslog
*anything* (info priority) which is not what a security conscious person
wants. This should be changed IMO...

Cheers, Dirk

--
Dirk Wetter @ Dr. Wetter IT Consulting http://drwetter.org
IT security consulting + open source
Key fingerprint = 2AD6 BE0F 9863 C82D 21B3 64E5 C967 34D8 11B7 C62F
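The thread above turns on two facts an administrator can only see by reading command output: whether rpcbind's `config/local_only` property has silently flipped to `false`, and which RPC programs (including the lockd/statd pair an NFS client registers) are sitting behind the portmapper. The following script is an added example, not code from the mailing-list thread or from OpenSolaris; it parses captured output of `rpcinfo -p` and of `svcprop -p config/local_only network/rpc/bind` (assumed here to print the bare value `true` or `false`) taken on the host itself, and lists what an administrator would want to know after an unexpected change. The sample outputs are constructed, not taken from Dirk's system, and the allowlist is a placeholder the administrator is expected to adjust.

```python
"""Local audit of rpcbind exposure on a Solaris/SMF host (added example)."""
import re
from dataclasses import dataclass
from typing import List, Dict, FrozenSet

# Well-known RPC program numbers (see /etc/rpc) used only for labelling.
KNOWN_PROGRAMS = {
    100000: "rpcbind",
    100003: "nfs",
    100005: "mountd",
    100021: "nlockmgr",  # lockd: registered even on a pure NFS client
    100024: "status",    # statd: registered even on a pure NFS client
}

# Constructed sample of `rpcinfo -p` on a host where an NFS mount happened.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   udp    111  rpcbind
    100021    4   udp   4045  nlockmgr
    100024    1   udp  32772  status
"""

# Constructed sample of the same command when rpcbind refuses the caller.
SAMPLE_RPCINFO_REFUSED = (
    "rpcinfo: can't contact portmapper: RPC: Authentication error; why = "
    "Failed (unspecified error)\n"
)

# Constructed sample of `svcprop -p config/local_only network/rpc/bind`.
SAMPLE_SVCPROP_FALSE = "false\n"


@dataclass(frozen=True)
class RpcRegistration:
    program: int
    version: int
    proto: str
    port: int
    service: str


# One registration line: program, version, tcp|udp, port, optional name.
RPCINFO_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")


def parse_rpcinfo(text: str) -> List[RpcRegistration]:
    """Return registrations from `rpcinfo -p` output; header, blank and
    error lines (e.g. "can't contact portmapper") are skipped."""
    regs = []
    for line in text.splitlines():
        m = RPCINFO_LINE.match(line)
        if not m:
            continue
        prog, vers, proto, port, svc = m.groups()
        name = svc or KNOWN_PROGRAMS.get(int(prog), "unknown")
        regs.append(RpcRegistration(int(prog), int(vers), proto, int(port), name))
    return regs


def parse_local_only(text: str) -> bool:
    """svcprop -p prints only the property value for a single property."""
    value = text.strip().lower()
    if value not in ("true", "false"):
        raise ValueError(f"unexpected svcprop output: {text!r}")
    return value == "true"


def assess(rpcinfo_text: str, svcprop_text: str,
           allowed: FrozenSet[int] = frozenset({100000})) -> Dict:
    """Combine both outputs into findings an administrator can act on.
    `allowed` is a placeholder allowlist: rpcbind itself by default."""
    regs = parse_rpcinfo(rpcinfo_text)
    local_only = parse_local_only(svcprop_text)
    unexpected = sorted({r.program for r in regs} - set(allowed))
    findings = []
    if not local_only:
        findings.append("config/local_only is false: rpcbind answers "
                        "rpcinfo requests from remote hosts")
    for prog in unexpected:
        findings.append(f"RPC program {prog} ({KNOWN_PROGRAMS.get(prog, 'unknown')}) "
                        f"is registered but not on the allowlist")
    return {"local_only": local_only, "registered": regs,
            "unexpected_programs": unexpected, "findings": findings}


if __name__ == "__main__":
    for finding in assess(SAMPLE_RPCINFO, SAMPLE_SVCPROP_FALSE)["findings"]:
        print("-", finding)
```

Run on a real host the two inputs would come from the commands named in the lead-in; the point of keeping the parsers separate is that the `rpcinfo` one also handles the refused-connection message Scott quotes, returning an empty list rather than failing, so the same script can be run periodically and compared against a known-good baseline.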