From: Olaf Kirch <okir@suse.de>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: linux-nfs@vger.kernel.org, nfsv4@linux-nfs.org,
Steve Dickson <SteveD@redhat.com>
Subject: Re: [PATCH 0/2] Make libtirpc work with old style portmapper
Date: Mon, 30 Aug 2010 18:19:18 +0200
Message-ID: <201008301819.18773.okir@suse.de>
In-Reply-To: <30F1122D-13FB-4B6B-9BA2-99112306581F@oracle.com>
On Monday 30 August 2010 17:59:18 Chuck Lever wrote:
> I worried at the time that this might introduce a security weakness, since,
> after all, the rpcbind SET operation goes over AF_UNIX, which is
> authenticated, but pmap uses sockets with privileged ports to detect
> authorized users. I see that your logic uses the pmap SET/UNSET calls by
> default. This bypasses AF_UNIX completely in pretty much all local cases,
That is admittedly a problem, at least for services not running as root.
For services running as root, there's no change in behavior when talking
to rpcbind - the registration will be owned by the superuser in both
cases, because instead of checking the AF_LOCAL credentials for uid 0 it
will check for a privileged source port. I agree, though, that this part of
the patch doesn't leave me totally at ease.
> which changes the behavior of rpcb_set() and rpcb_unset(), and could break
> the local rpcbind security model. It might be better to use
> pmap_setunset() only when local_rpcb() fails.
If it helps, I could do the old PMAP calls as a fallback rather than
trying these by default, agreed. Let me see what I can come up with
tomorrow.
> Another minor problem I think I remember is that if libtirpc is used on a
> system (perhaps because it is statically linked with said ISV RPC-enabled
> application) that does not have /etc/netconfig installed, the transport
> creation logic in rpcb_clnt.c simply doesn't work.
Well, but that's something that's fixed easily - we can always tell
such customers to install an /etc/netconfig on their system.
Olaf
--
Neo didn't bring down the Matrix. SOA did. (soafacts.com)
--------------------------------------------
Olaf Kirch - Director Server (okir@novell.com)
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nürnberg
GF: Markus Rex, HRB 16746 (AG Nürnberg)
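The two authorization models under discussion, as an added illustration that is not part of this thread, of Olaf's patch, or of libtirpc: rpcbind's AF_LOCAL transport can ask the kernel who the peer is (SO_PEERCRED on Linux), so a registration is owned by uid 0 only when the caller really is root, whereas the old portmapper only infers "superuser" from a privileged source port. The block also shows the ordering Chuck suggests, local rpcbind first and PMAP SET only as a fallback. All function names are assumptions; the two registrar callables are constructed stand-ins, not libtirpc's rpcb_set()/pmap_set().

```python
# Added example, not code from the thread or from libtirpc.
# Assumes Linux (SO_PEERCRED); function names are illustrative.
import os
import socket
import struct

IPPORT_RESERVED = 1024  # source ports below this can only be bound by root


def local_peer_uid(conn):
    """Uid of the process at the other end of an AF_UNIX socket.

    This is the check rpcbind can make on its AF_LOCAL transport: the kernel
    reports the peer's credentials, so the registration is owned by uid 0 only
    if the caller really is root.
    """
    # struct ucred { pid_t pid; uid_t uid; gid_t gid; } -> three native ints
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def pmap_owner_from_source_port(src_port):
    """Legacy portmapper model: a request from a privileged source port is
    treated as coming from the superuser (owner uid 0); otherwise the owner is
    unknown (None). Nothing else about the caller is verified.
    """
    return 0 if 0 < src_port < IPPORT_RESERVED else None


def register_with_fallback(local_set, pmap_set, prog, vers):
    """Try the authenticated local rpcbind path first; only if that transport
    cannot be reached, fall back to the old PMAP SET.

    Both registrars are caller-supplied (assumed signature: (prog, vers) -> bool,
    raising OSError when the transport is unavailable). Returns the path used.
    """
    try:
        if local_set(prog, vers):
            return "rpcbind-local"
    except OSError:
        pass  # no local rpcbind (e.g. an old portmapper only): fall through
    if pmap_set(prog, vers):
        return "pmap"
    raise RuntimeError("registration failed on both transports")


# Constructed stand-in registrars for demonstration only.
def unreachable_local_set(prog, vers):
    raise OSError("no local rpcbind socket")


def accepting_set(prog, vers):
    return True


def peer_uid_matches_caller():
    """Connect a socketpair to ourselves and confirm SO_PEERCRED reports our
    own uid, i.e. the credential really comes from the kernel, not the client.
    """
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return local_peer_uid(b) == os.getuid()
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    print("SO_PEERCRED uid matches caller:", peer_uid_matches_caller())
    print("pmap owner for source port 600:", pmap_owner_from_source_port(600))
    print("pmap owner for source port 40000:",
          pmap_owner_from_source_port(40000))
    print("path used with old portmapper only:",
          register_with_fallback(unreachable_local_set, accepting_set, 100003, 3))
```

The fallback function never touches the PMAP path while a local rpcbind answers, which is what keeps the AF_UNIX ownership check in force on systems that have it; the port-based check is only consulted where no authenticated transport exists.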
Thread overview (10+ messages):
2010-08-30 13:03 [PATCH 0/2] Make libtirpc work with old style portmapper Olaf Kirch
2010-08-30 13:04 ` [PATCH 1/2] Introduce new helper function getpmaphandle Olaf Kirch
2010-08-30 13:04 ` [PATCH 2/2] " Olaf Kirch
2010-08-30 15:59 ` [PATCH 0/2] Make libtirpc work with old style portmapper Chuck Lever
2010-08-30 16:19 ` Olaf Kirch [this message]
2010-08-30 23:48 ` Chuck Lever
2010-09-07 11:27 ` Olaf Kirch
2010-09-07 15:36 ` Chuck Lever
2010-09-07 20:58 ` Olaf Kirch
2010-09-07 21:15 ` Chuck Lever