Subject: Re: portmap=no, nfs_{client,server}=yes
To: David Brownlee <abs@mono.org>
From: Brian Stark <bstark@siemens-psc.com>
List: tech-userlevel
Date: 11/19/1999 10:32:13

On Fri, 19 Nov 1999, David Brownlee wrote:

> 	I would agree with you if the default was portmap=YES, but in
> 	-current the default is portmap=NO.
> 
> 	The argument now is that if I set 'nfs_client=YES' it should
> 	start everything needed to work as an nfs client.

IMHO, if 'nfs_client=YES' and 'portmap=NO' then an error message saying
that portmap has not been configured to run should be issued and the
nfs client software should not be started.

I like this approach because on occasion I have found myself editing
/etc/rc.conf too quickly and I have accidentally enabled some things I
did not want to.

Also, just the other day my firewall logs showed that someone was probing
port 111 (sunrpc) on my machine. Investigating that incident further
revealed that a site in Texas had been hacked by someone who exploited
a bug in that system's automounter code. In the process of repairing 
that system the system administrator told me he found a copy of the
rpcscan program running which was looking for other sites running 
portmap.

I'm concerned about automatically starting portmap if 'nfs_client=YES' (or
any one of the other RPC programs) because if a system administrator is
not running IP Filter (and it is not enabled by default), a system
administrator could inadvertently open a system up to RPC exploits
(assuming there are still a few out there that have not been discovered),
and that is a bad thing...

I saw a message on one of the NetBSD mailing lists this week talking about
a hole in automounter and something to the effect that 1.4.1 users should
upgrade to the latest release snapshot of 1.4.1. Luckily, I do have IP
filter running, but as of yet, I don't have the latest snapshot of the
1.4.1 release branch installed.


Just my two cents worth...


Brian

-------------------------------------------------------------------------
| Brian Stark                       | Internet : bstark@siemens-psc.com |
| Siemens PT&D, Inc.                | Voice    : +1 612 536-4697        |
| Power Systems Control Division    | Fax      : +1 612 536-4919        |
| 7225 Northland Drive, Brooklyn Park, Minnesota 55428   USA            | 
-------------------------------------------------------------------------
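
The check proposed in the message above, written out as an added example; it is not code from the thread or from NetBSD's rc scripts. The names `check_rpc_deps`, `is_yes` and `RPC_DEPENDENTS` are hypothetical, and the sketch assumes rc.conf is a plain shell fragment of `name=value` lines that can be sourced.

```shell
#!/bin/sh
# Fail-closed dependency check: an RPC service set to YES is refused,
# rather than portmap being started implicitly, when portmap is not YES.

# Assumed list of rc.conf knobs that need portmap. Only nfs_client and
# nfs_server are named in the thread; extend it for other RPC programs.
RPC_DEPENDENTS="nfs_client nfs_server"

# is_yes VALUE: true only for an explicit YES (case-insensitive).
# Unset or any other value counts as NO, so the check fails closed.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_rpc_deps FILE: source FILE in a subshell (the caller's variables
# are untouched), print each enabled RPC-dependent service that must not
# be started, and return 1 if there is at least one.
check_rpc_deps() (
    portmap=NO
    for svc in $RPC_DEPENDENTS; do eval "$svc=NO"; done
    . "$1" || exit 2
    is_yes "$portmap" && exit 0
    rc=0
    for svc in $RPC_DEPENDENTS; do
        eval "val=\$$svc"
        if is_yes "$val"; then
            echo "ERROR: $svc=YES but portmap has not been configured to run; not starting $svc" >&2
            echo "$svc"
            rc=1
        fi
    done
    exit $rc
)

# Constructed sample: the accidental edit described in the message.
sample=$(mktemp)
printf 'portmap=NO\nnfs_client=YES\nnfs_server=NO\n' > "$sample"
check_rpc_deps "$sample" || echo "refusing to start the services listed above"
rm -f "$sample"
```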