Bug 4558 - Portmapper Doesn't obey *names* in hosts.allow/deny
Product: Red Hat Linux
Classification: Retired
Component: portmap
i386 Linux
medium Severity medium
Assigned To: David Lawrence
: Security
Depends On:
Reported: 1999-08-16 20:23 EDT by Joshua Jensen
Modified: 2008-05-01 11:37 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 1999-08-17 12:12:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Joshua Jensen 1999-08-16 20:23:48 EDT
The man page clearly states that portmapper looks to
hosts.deny and hosts.allow for access control on both
IP addresses, subnets, and domain and subdomain names.  This
is true, except that it pays NO ATTENTION to names.  This can
be easily verified against a better behaving in.ftpd.  wuftp
obeys both names and IP address specifications, but names
simply mystify portmapper (causing portmapper to disregard
the entire entry(!)).  This is a big security problem,
because the man page is wrong and misleads people to think
that they are denying very common things like NFS, when they
in fact aren't!  I see that portmapper has some other
similar bug reports, but I think this problem is more
general, and affects everyone.
Comment 1 David Lawrence 1999-08-17 12:12:59 EDT
RPC services such as portmap by default do not do name lookups to
avoid deadlocks. Therefore only network number patterns will work for
portmap access control.

        portmap: your.sub.net.number/your.sub.net.mask

        portmap: ALL: (/some/where/safe_finger -l @%h | mail root) &

Try using IPs instead of names, and you can also turn on verbose
logging by running portmap with the -v switch and then viewing what
may be going wrong in /var/log/messages.

The above information was found in /usr/doc/portmap-4.0/README.
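To see why a name-based rule is silently useless for portmap, here is an added example (not from the bug report or the portmap package) that emulates tcp_wrappers matching when only the client's IP address is known, because no reverse lookup is done. The hosts.allow/hosts.deny contents and the client addresses are constructed; the allow-then-deny-then-default-allow order is the one tcp_wrappers documents.

```python
import ipaddress

# Constructed hosts.allow / hosts.deny contents for the demonstration.
HOSTS_ALLOW = "portmap: .example.com\nportmap: 192.168.1.0/255.255.255.0\n"
HOSTS_DENY = "portmap: ALL\n"

def parse_rules(text, daemon="portmap"):
    """Return the client patterns of every rule that applies to `daemon`."""
    patterns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]  # daemons : clients [: command]
        daemons = fields[0].replace(",", " ").split()
        if daemon in daemons or "ALL" in daemons:
            patterns.extend(fields[1].replace(",", " ").split())
    return patterns

def pattern_matches(pattern, client_ip):
    """Match a client pattern when only the IP is known (portmap never resolves names)."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                        # net/mask form: the only reliable one for portmap
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError:
            return False
    if pattern.endswith("."):                 # leading-octets prefix such as "192.168."
        return client_ip.startswith(pattern)
    if pattern.startswith("."):               # domain suffix: needs a hostname, which is never looked up
        return False
    return pattern == client_ip               # a bare hostname can never equal the address string

def portmap_access(client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the hosts.allow -> hosts.deny -> default-allow order of tcp_wrappers."""
    for p in parse_rules(allow_text):
        if pattern_matches(p, client_ip):
            return True, f"allowed by hosts.allow pattern {p!r}"
    for p in parse_rules(deny_text):
        if pattern_matches(p, client_ip):
            return False, f"denied by hosts.deny pattern {p!r}"
    return True, "no rule matched: default allow"

if __name__ == "__main__":
    for ip in ("192.168.1.7", "10.0.0.5"):
        print(ip, portmap_access(ip))
    # A deny rule written as a domain name never matches, so portmap (and NFS) stay reachable:
    print("10.0.0.5", portmap_access("10.0.0.5", "", "portmap: .untrusted.example\n"))
```

The last call is the case the reporter describes: a name-only deny entry leaves the default-allow path in force, so the check must be expressed as an address or net/mask pattern to have any effect.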
