System has all current updates installed. /etc/hosts.deny is as follows: ----------- # # hosts.deny This file describes the names of the hosts which are # *not* allowed to use the local INET services, as decided # by the '/usr/sbin/tcpd' server. # # The portmap line is redundant, but it is left to remind you that # the new secure portmap uses hosts.deny and hosts.allow. In particular # you should know that NFS uses portmap! ALL: ALL # portmap: ALL: (/usr/sbin/safe_finger -l @%h | mail root) & ------------ (Note that portmap line is commented out but should be caught by ALL: ALL) /etc/hosts.allow is as follows: --------------------- # # hosts.allow This file describes the names of the hosts which are # allowed to use the local INET services, as decided # by the '/usr/sbin/tcpd' server. # sshd: ALL ------------------------ tcpdmatch reports that portmap should be blocked: [root@chimay jon]# tcpdmatch portmap gwyn.tux.org warning: portmap: service possibly not wrapped client: hostname gwyn.tux.org client: address 207.96.122.8 server: process portmap matched: /etc/hosts.deny line 10 access: denied ------------------------------------- But from that same test address: [lasser@gwyn lasser]$ telnet chimay.skynetweb.com 111 Trying 64.23.4.67... Connected to chimay.skynetweb.com. Escape character is '^]'. Sure looks live to me. The service name portmap is per the documentation, but it sure looks like it should be blocked, right? It's possible I'm doing something wrong, but this looks bad to me...
I did some testing with this config (RH6.2 with all updates): /etc/hosts.deny ALL:ALL and empty /etc/hosts.allow Portmap still allows rpcinfo from localhost, but not from remote hosts. And tcp connections are not wrapped at all ( I can connect to port 111 from anywhere). This appears to be a bug in portmap.
After looking thru portmap source I noticed that hosts_ctl is called only if the request comes from a remote address. Here's part of the code: #ifdef HOSTS_ACCESS if (!(from_local(addr) || good_client(addr))) { log_bad_host(addr, proc, prog); These kind of checks are in several places in pmap_check.c One possible fix for this would be to remove from_local(addr) call from the if statement (and then remember to add localhost to hosts.allow). Also I think that the tcp_wrapper checks are called only if portmap gets a valid rpc-call --> anyone can still connect to port 111 with telnet and possibly 'consume' filedescriptors. Could someone do a more thorough testing of this issue ? Also one more thing: Portmapper calls setuid(1) w/out calling setgid earlier so it's running as uid=1 gid=0 <- root gid. Is there a reason for this ?
I think I'll keep it the way the authors intended... turning it off (and not allowing localhost) would break things needing it, like nfslock, yp etc. Thanks for the input.