Bug 4558 - Portmapper Deosn't obey *names* in hosts.allow/deny
Summary: Portmapper Deosn't obey *names* in hosts.allow/deny
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: portmap
Version: 6.0
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: David Lawrence
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1999-08-17 00:23 UTC by Joshua Jensen
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 1999-08-17 16:12:40 UTC


Attachments (Terms of Use)

Description Joshua Jensen 1999-08-17 00:23:48 UTC
The man page clearly states that portmapper looks to
hosts.deny and hosts.allow for access control on both
IP addresses, subnets, and domain and subdomain names.  This
is true, exect that it pays NO ATTENTION to names.  This can
be easily verified against a better behaving in.ftpd.  wuftp
obeys both names and IP address specifications, but names
simply mistify portmapper (causing portmapper to disregard
the entire entry(!)).  This is a big security problem,
because the man page is wrong and misleads people to think
that they are denying very common things like NFS, when they
in fact aren't!  I see that portmapper has some other
similar bug reports, but I think this problem is more
general, and effects everyone.

Comment 1 David Lawrence 1999-08-17 16:12:59 UTC
RPC services such as portmap by default does not do name lookups to
avoid deadlocks. Therefore only network number patterns will work for
portmap access control.

Example:
/etc/hosts.allow:
        portmap: your.sub.net.number/your.sub.net.mask
        portmap: 255.255.255.255 0.0.0.0

/etc/hosts.deny
        portmap: ALL: (/some/where/safe_finger -l @%h | mail root) &

Try using IP's instead of names and also you can turn on verbose
logging by running portmap with the -v switch and then viewing what
may be going wrong in /var/log/messages.

The above information was found in /usr/doc/portmap-4.0/README.


Note You need to log in before you can comment on or make changes to this bug.