@(#) README 1.6 96/05/31 15:52:57 This is the README file for the 4th enhanced portmapper release. Description ----------- This README describes a replacement portmapper that prevents theft of NIS (YP), NFS, and other sensitive information via the portmapper. As an option, the program supports access control in the style of the tcp wrapper (log_tcp) package. Like all portmappers, this one is intended to be started at boot time. Daemons that offer RPC services tell the portmapper on what port they listen. Unlike the well-known services registered with the inetd, RPC network port numbers may change each time the system is booted. Whenever a client wants to use an RPC service it is supposed to first ask the portmapper on what port the corresponding daemon is listening. The rpcinfo command can tell you what RPC services your system offers. As described in the features section below, the replacement portmapper can prevent undesirable client-server interactions. In some cases, better or equivalent alternatives are available: The SunOS portmap that is provided with patch id 100482-02 should close the same security holes. In addition, it provides an YPSERV daemon with its own access control list. This is better than just portmapper access control. The "securelib" shared library (eecs.nwu.edu:/pub/securelib.tar) implements access control for all kinds of (RPC) services, not just the portmapper. However, vendors still ship portmap implementations that allow anyone to read or modify its tables and that will happily forward any request so that it appears to come from the local system. Features -------- - optional: host access control. The local host is always considered authorized. Access control requires the libwrap.a library that comes with recent tcp wrapper (log_tcp) implementations. - requests to change the portmap tables are accepted only when they come from the local system. - optional: requests to (un)register services that listen on privileged ports (port < 1024) are accepted only when the requests themselves come from a privileged port. This feature is optional because of older RPC implementations. - requests that are forwarded by the portmapper will be forwarded through an unprivileged port. - the portmapper refuses to forward requests to rpc daemons that do (or should) verify the origin of each request: when the portmapper forwards a request it appears to come from the local machine. At present, the portmapper refuses to forward all RPC calls to itself, and most RPC calls to the NFS mountd/nfsd daemons, and to the NIS daemons. Restrictions ------------ Limiting access to the portmapper does not protect you from direct attacks on the rpc daemons; the main task of portmap is to maintain a table of available RPC services and of the network ports that they are listening on. The securelib can be used to protect individual RPC daemons, and the latest SunOS portmap+NIS fix already protects the NIS daemons and implements limited forwarding. On the other hand, even though a portmapper with access control only makes an attack more difficult, it still provides an excellent early warning system. Origin and portability ---------------------- The sources in this distribution are derived from code on the second BSD networking tape, which was derived from Sun's RPCSRC 4.0 code, and from Sun's TIRPC (transport-independent rpc) distribution. The code compiles fine with SunOS 4.1.x, Ultrix 4.x, HP-UX 9.x, AIX 3.x and AIX 4.x, and Digital UNIX (OSF/1). See the notes in the Makefile. Solaris 2.x (and other true System V.4 clones) use a different program called rpcbind. I have written a replacement for that program, too. The primary achive is ftp.win.tue.nl:/pub/security/rpcbind_xx.tar.Z. Installation ------------ (1) Follow the instructions in the Makefile, then build the portmap and auxiliary executables. (2) Before killing the present portmap process, save the present portmapper tables using the command: ./pmap_dump >table If you kill the portmap process without saving its tables you will have to reboot the machine. Note: the information in the portmap tables is dynamic: For example, it will be different after each reboot. On a Sun, it even changes each time a windowing system is started that uses the selection service. (3) Kill the running portmap process and start the new portmap program. Then (still as root) initialize the portmap tables with: ./pmap_set