@(#) BLURB 1.5 96/07/06 23:09:45

This is the fifth replacement portmapper release.

There is an increasing interest in access control for the NIS, mount
and other RPC-based services that are normally registered with the
portmap process. Possible attacks on RPC daemons involve:

- theft of NIS (YP) password files

- ypset to force hosts to bind to a rogue NIS (YP) server

- theft of NFS file handles

My contribution is a replacement portmap program, derived from source
code in the RPCSRC 4.0 and the TIRPC source distributions. Access
control (optional) is in the style of my tcp wrapper (log_tcp) package.

Supported platforms: this program is known to work with all SunOS 4.x
releases. With some Makefile editing it should also work on Ultrix 4.x,
HP-UX 9.x, AIX 3.x and AIX 4.x, and Digital UNIX (OSF/1).

Solaris 2.x and other System V.4 UNIXes should use my rpcbind
replacement (ftp.win.tue.nl:/pub/security/rpcbind_*.tar.Z).

This portmap version attempts to close all portmap security problems
that are known to me. The README file gives a complete list of
security features.

Without the availability of portmap source, possible alternatives are
1) packet filtering with a smart router (which we do anyway); 2)
linking the portmap executable against the securelib shared library.
Linking RPC daemons against the securelib library is a good idea,
anyway.

The source is available for anonymous FTP from ftp.win.tue.nl directory
/pub/security/portmap_*.tar.gz.

Wietse Venema (wietse@wzv.win.tue.nl)
Mathematics and Computing Science
Eindhoven University of Technology
The Netherlands