- Message-Id: <9205061528.AA03460@tictac.cert.org>
- Date: Wed, 6 May 92 11:25:40 EDT
- From: wswietse@bs.win.tue.nl (Wietse Venema)
- Subject: improving portmap security
-
- There is an increasing interest in access control for the NIS, mount
- and other rpc-based services that are normally registered with the
- portmap process.
-
- My contribution is a replacement portmap program, derived from BSD 4.3
- portmap source, which in turn originates from Sun (whatever they are
- called these days). Access control is in the style of my tcp wrapper
- (log_tcp) package. I am looking for people who are willing to try it
- out and help to get rid of possible portability problems.
-
- The present version only begins to address the worst problems. For
- example, using the portmap daemon to forward requests to the NIS or
- mount daemons so that they appear to come from the local host.
-
- Without the availability of portmap source, possible alternatives
- are 1) packet filtering with a smart router; 2) linking the portmap
- executable against the securelib shared library. Of course, the latter
- option makes sense only with an OS that supports shared libraries.
-
- Besides BSD 4.3, the code compiles fine with SunOS 4.1.1, Ultrix 4.x
- and ESIX System V release 4.0. The portmap replacement has been tested
- with SunOS 4.1.1, PC-NFS 3.0.1 and 386BSD alpha.
-
- If you have the courage to try it out, please report any feedback you
- have (positive or negative). If the program can be made generally
- usable I may make it part of the next tcp wrapper (log_tcp) release.
-
- The source has been posted to alt.{sources,security} and is available
- for anonymous ftp from ftp.win.tue.nl:/pub/security/portmap_0.shar.Z
-
- Wietse Venema
- wietse@wzv.win.tue.nl
- Mathematics and Computing Science
- Eindhoven University of Technology
- The Netherlands
-
-
-