At 10:16 PM 4/7/2001 -0600, Ken Thompson wrote:
>         portmap
>The portmapper program is a security tool which prevents theft of NIS (YP),
>NFS and other sensitive information via the portmapper. A portmapper manages
>RPC connections, which are used by protocols like NFS and NIS. The portmap
>package should be installed on any machine which acts as a server for
>protocols using RPC.

This is not a security tool, it is a security hole.  In fact, the portmapper
is the tool by which NIS (YP), NFS and other sensitive information is freely
handed around.  It is unfortunately a necessary hole to open for RPC services.
RPC services in general are weak in a security sense.  NIS, NFS and the r
commands (rsh, rwall, rwho) are all products of the "kinder, gentler" Internet
back when you probably knew the desk phone number of anyone who could get to
your machine.  YP has some new security features (use of tcp wrappers,
password munging on ypbind-utils requests) as does NFS (root squashing, uid
mapping).  If you are running these services and therefore running portmap,
you need to understand the wealth of information that can be gleaned from
these services.  Only use them as inward facing services, and only on a
network you have other security measures in place.

--
Matthew Micene
Systems Development Manager
Express Search Inc.
www.ExpressSearch.com
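
An added example, not part of the original message: a small audit that reads `rpcinfo -p` output from your own host and reports which of the RPC services named above are registered with the portmapper. The sample output and its port numbers are constructed; the program numbers are the standard ONC RPC assignments.

```python
import re

# Standard ONC RPC program numbers for the services named in the message.
SENSITIVE = {
    100003: "NFS: exports file systems; check root squashing and uid mapping",
    100005: "mountd: hands out the NFS export list",
    100004: "ypserv: serves NIS (YP) maps, including passwd data",
    100007: "ypbind: NIS client binding",
    100008: "rwalld: r-command era broadcast service",
}

# Constructed sample of `rpcinfo -p` output from a hypothetical host.
SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    834  ypserv
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   tcp    635  mountd
    100024    1   udp   1024  status
    100008    1   udp   1026
"""

ROW = re.compile(r"\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")

def parse_rpcinfo(text):
    """Return (program, version, proto, port, name) tuples, one per registration."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # the header line and malformed lines are skipped
            prog, vers, proto, port, name = m.groups()
            # The service name column is optional in rpcinfo output.
            rows.append((int(prog), int(vers), proto, int(port), name or "-"))
    return rows

def audit(text):
    """Map each sensitive program number to its sorted proto/port endpoints."""
    findings = {}
    for prog, _vers, proto, port, _name in parse_rpcinfo(text):
        if prog in SENSITIVE:
            findings.setdefault(prog, set()).add(f"{proto}/{port}")
    return {prog: sorted(eps) for prog, eps in findings.items()}

if __name__ == "__main__":
    for prog, endpoints in sorted(audit(SAMPLE).items()):
        print(f"{prog} on {', '.join(endpoints)} -> {SENSITIVE[prog]}")
```

Each program reported is one to restrict to the internal network or remove if it is not needed.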

