rpc.statd

rpc.statd, also called statd, is the NFS file-locking status monitor. It interacts with rpc.lockd (also called lockd) to provide the crash and recovery functions for file locking across NFS. rpc.lockd and rpc.statd work together, so if either is running, both must run. rpc.lockd and rpc.statd can be safely and permanently turned off if the machine is neither an NFS client nor an NFS server. If a machine where rpc.lockd and rpc.statd have been disabled later becomes either an NFS server or an NFS client, both rpc.lockd and rpc.statd should be turned back on.
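The two rules above (the daemons run together or not at all, and neither is needed on a host that is neither NFS client nor NFS server) can be turned into a quick audit. The script below is an added illustration, not code from the original text or from any NFS implementation. It assumes Linux conventions: `rpcinfo -p` lists lockd as the `nlockmgr` service and statd as the `status` service, NFS client use shows as mounts of type `nfs`/`nfs4` in `/proc/mounts`, and NFS server use shows as non-comment lines in `/etc/exports`. The sample inputs at the bottom are constructed.

```python
"""Audit whether rpc.lockd and rpc.statd are both running, and whether the
host needs them at all.  Added example; the rpcinfo/mounts/exports samples
are constructed, and the service names are the Linux rpcinfo labels."""
import subprocess

LOCKD_NAME = "nlockmgr"   # rpc.lockd as shown by `rpcinfo -p` (assumption: Linux label)
STATD_NAME = "status"     # rpc.statd as shown by `rpcinfo -p` (assumption: Linux label)


def registered_programs(rpcinfo_text):
    """Return the set of service names from `rpcinfo -p` output.
    Data rows have five columns: program vers proto port service."""
    names = set()
    for line in rpcinfo_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0].isdigit():
            names.add(fields[4])
    return names


def is_nfs_client(mounts_text):
    """True if any mount (in /proc/mounts format) has filesystem type nfs or nfs4."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] in ("nfs", "nfs4"):
            return True
    return False


def is_nfs_server(exports_text):
    """True if /etc/exports contains at least one non-blank, non-comment line."""
    for line in exports_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            return True
    return False


def audit(rpcinfo_text, mounts_text, exports_text):
    """Apply the article's rules; return a list of findings (empty = consistent)."""
    progs = registered_programs(rpcinfo_text)
    lockd = LOCKD_NAME in progs
    statd = STATD_NAME in progs
    needed = is_nfs_client(mounts_text) or is_nfs_server(exports_text)
    findings = []
    if lockd != statd:
        findings.append("lockd and statd must run together; only one is registered")
    if not needed and (lockd or statd):
        findings.append("host is neither NFS client nor NFS server; lockd/statd can be disabled")
    if needed and not (lockd and statd):
        findings.append("host uses NFS but lockd and statd are not both running")
    return findings


def audit_live():
    """Collect the three inputs from the running host (Linux) and audit them."""
    rpcinfo_text = subprocess.run(["rpcinfo", "-p"], capture_output=True,
                                  text=True, check=False).stdout
    with open("/proc/mounts") as f:
        mounts_text = f.read()
    try:
        with open("/etc/exports") as f:
            exports_text = f.read()
    except FileNotFoundError:
        exports_text = ""
    return audit(rpcinfo_text, mounts_text, exports_text)


# Constructed sample: both daemons registered on a host that uses no NFS.
SAMPLE_RPCINFO = """   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100024    1   udp  34567  status
    100021    1   udp  38123  nlockmgr
"""
SAMPLE_RPCINFO_STATD_ONLY = """   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100024    1   udp  34567  status
"""
SAMPLE_MOUNTS_CLIENT = "fileserver:/export /mnt/data nfs4 rw,relatime 0 0\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_RPCINFO, "", ""):
        print("finding:", finding)
```

Run with no arguments to see the constructed sample evaluated; call `audit_live()` on a Linux host to check the real daemon state. The check deliberately treats "only one of the pair registered" as its own finding, since the article says the pair is all-or-nothing regardless of whether NFS is in use.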

NFS is stateless, which means that NFS clients and servers can be rebooted without a loss of file integrity due to NFS. In contrast, NFS file locking is stateful. To achieve this stateful nature in a stateless environment, rpc.lockd must work with rpc.statd to add state to file locking.

To understand what rpc.statd does, it is first necessary to understand what rpc.lockd does. rpc.lockd processes lock requests that are sent either locally by the kernel or remotely by another lock daemon. rpc.lockd forwards lock requests for remote NFS files to the NFS server's lock daemon using Remote Procedure Calls (RPC). rpc.lockd then requests monitoring service from the status monitor daemon, rpc.statd, running on the NFS server. Monitoring services are needed because file locks are maintained in the NFS server kernel.

In the event of a system crash or reboot, all NFS locks would normally be lost. It is rpc.statd that adds stateful file locking. When an NFS server reboots, rpc.statd causes the previously held locks to be recovered by notifying the NFS client lock daemons to resubmit previously granted lock requests. If a lock daemon fails to secure a previously granted lock on the NFS server, it sends SIGLOST to the process that originally requested the file lock.

The vulnerability in rpc.statd is its lack of validation of the information it receives from what is presumed to be the remote rpc.lockd. Because rpc.statd normally runs as root and because it does not validate this information, rpc.statd can be made to remove or create any file that the root user can remove or create on the NFS server.
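The root cause described above is a privileged daemon using caller-supplied data (the host name in a monitor request) without checking it before acting on the filesystem. The following is an added defensive illustration, not code from the original article or from any rpc.statd implementation: it validates a received host name against plain host-name syntax and then confirms that the record path built from it stays inside the daemon's state directory. `STATE_DIR` is a placeholder for wherever an implementation keeps its per-host records, and the request handling is a constructed stand-in for the real RPC procedure.

```python
"""Validate the host name in a monitor request before it names a file.
Added example; STATE_DIR and the request shape are assumptions."""
import os
import re

STATE_DIR = "/var/lib/nfs/statd/sm"  # placeholder state directory (assumption)

# One DNS label: letters, digits and hyphen, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_host_name(name):
    """Accept only syntactically plain host names (or dotted-decimal addresses).
    Anything with path separators, empty labels such as '..', control
    characters or an over-long total length is rejected here."""
    if not isinstance(name, str) or not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def state_file_for(name, state_dir=STATE_DIR):
    """Return the record path for `name`, or raise ValueError.

    Two independent checks: the syntax check above, and a containment check
    on the resolved path so that nothing outside `state_dir` can be named."""
    if not is_valid_host_name(name):
        raise ValueError("rejected monitor request: malformed host name")
    base = os.path.realpath(state_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(path) != base:
        raise ValueError("rejected monitor request: name escapes state directory")
    return path


def handle_monitor_request(request, state_dir=STATE_DIR):
    """Constructed stand-in for a monitor-request handler.

    `request` is a dict with a 'mon_name' key.  Returns ('ok', path) when the
    name is acceptable and ('rejected', reason) otherwise; the caller is
    expected to log rejections, since a malformed name from a peer that
    should be a lock daemon is worth noticing."""
    name = request.get("mon_name")
    try:
        return ("ok", state_file_for(name, state_dir))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed requests: one well-formed, one malformed.
    for req in ({"mon_name": "client1.example.com"}, {"mon_name": "bad/name"}):
        print(req["mon_name"], "->", handle_monitor_request(req, "/tmp/statd-demo"))
```

The syntax check alone would already stop the problem the article describes; the containment check is kept as a second line of defence so that a future relaxation of the syntax rule (for instance to allow more characters) cannot silently reopen the filesystem.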