Re: rpcbind security
On Fri, Jun 17, 2022 at 8:42 PM Gustavo Rios wrote:

> Excuse me, but how does rpcbind know that an incoming request, for
> set/unset, comes from the root user ?

Theo has already told you how the *portmap* program decides that: by looking at the host and port the request is coming from.

(There is no rpcbind program in OpenBSD and that word doesn't appear in the manuals. If you see an rpcbind process then you're not on OpenBSD and need to check with a different mailing list.)

Philip Guenther

Re: rpcbind security
I am certain you can find it yourself.

Gustavo Rios wrote:

> may some here points me where rpcbind is implemented ? I would like to see
> the C code of it.
> Thanks.
>
> On Fri, Jun 17, 2022 at 00:20, Theo de Raadt wrote:
>
> > Gustavo Rios wrote:
> >
> > > Hi folks!
> > >
> > > How does openbsd rpcbind prevent ordinary users to unset a given rpc port
> > > mapping registered by, for instance, the root user ?
> >
> > Poorly.
> >
> > It will only allow local root (who request upon a reserved port) to touch
> > ports which are reserved (< 1024), and 2049 is treated the same way.
> >
> > If root wants safe RPC, it needs to use reserved ports.
> >
> > Please don't bring up the argument that reserved ports are an outdated
> > concept, it is obvious right here they aren't.
> >
> > It is difficult to improve the RPC ecosystem, it kind of is what it is,
> > and no one new services use it.
>
> --
> The lion and the tiger may be more powerful, but the wolves do not perform in
> the circus

Re: rpcbind security
may some here points me where rpcbind is implemented ? I would like to see the C code of it.
Thanks.

On Fri, Jun 17, 2022 at 00:20, Theo de Raadt wrote:

> Gustavo Rios wrote:
>
> > Hi folks!
> >
> > How does openbsd rpcbind prevent ordinary users to unset a given rpc port
> > mapping registered by, for instance, the root user ?
>
> Poorly.
>
> It will only allow local root (who request upon a reserved port) to touch
> ports which are reserved (< 1024), and 2049 is treated the same way.
>
> If root wants safe RPC, it needs to use reserved ports.
>
> Please don't bring up the argument that reserved ports are an outdated
> concept, it is obvious right here they aren't.
>
> It is difficult to improve the RPC ecosystem, it kind of is what it is,
> and no one new services use it.

--
The lion and the tiger may be more powerful, but the wolves do not perform in the circus

Re: rpcbind security
Gustavo Rios wrote:

> Hi folks!
>
> How does openbsd rpcbind prevent ordinary users to unset a given rpc port
> mapping registered by, for instance, the root user ?

Poorly.

It will only allow local root (who request upon a reserved port) to touch ports which are reserved (< 1024), and 2049 is treated the same way.

If root wants safe RPC, it needs to use reserved ports.

Please don't bring up the argument that reserved ports are an outdated concept, it is obvious right here they aren't.

It is difficult to improve the RPC ecosystem, it kind of is what it is, and no one new services use it.
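
Added example, not part of any message in this thread and not OpenBSD's portmap source: a sketch of the set/unset rule as the replies describe it, deciding from the request's source host and source port. The function names are hypothetical, and "local" is assumed here to mean a source address in 127.0.0.0/8.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RESERVED_LIMIT 1024  /* ports below this are reserved */
#define NFS_PORT       2049  /* treated the same way, per the thread */

/* Is the mapping's port one that the described rule protects? */
static int port_is_protected(uint16_t port)
{
    return port < RESERVED_LIMIT || port == NFS_PORT;
}

/* Assumption: "local root" = loopback source address + reserved source port. */
static int from_local_root(const struct sockaddr_in *from)
{
    uint32_t addr = ntohl(from->sin_addr.s_addr);
    return (addr >> 24) == 127 && ntohs(from->sin_port) < RESERVED_LIMIT;
}

/* Returns 1 if a set/unset of mapped_port is accepted from this peer. */
int may_change_mapping(const struct sockaddr_in *from, uint16_t mapped_port)
{
    if (!port_is_protected(mapped_port))
        return 1;  /* the described rule gives this mapping no protection */
    return from_local_root(from);
}

/* Build a constructed peer address for the checks below. */
struct sockaddr_in make_peer(const char *ip, uint16_t src_port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(src_port);
    inet_pton(AF_INET, ip, &sin.sin_addr);
    return sin;
}

int main(void)
{
    struct sockaddr_in user = make_peer("127.0.0.1", 40000); /* constructed */
    printf("unprivileged peer, mapping on 2049:  %d\n", may_change_mapping(&user, 2049));
    printf("unprivileged peer, mapping on 40001: %d\n", may_change_mapping(&user, 40001));
    return 0;
}
```

The second call shows why a service that needs its mapping protected has to register on a reserved port: only then does the source-port check apply at all.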