On Monday 30 August 2010 17:59:18 Chuck Lever wrote: > I worried at the time that this might introduce a security weakness, since, > after all, the rpcbind SET operation goes over AF_UNIX, which is > authenticated, but pmap uses sockets with privileged ports to detect > authorized users. I see that your logic uses the pmap SET/UNSET calls by > default. This bypasses AF_UNIX completely in pretty much all local cases, That is admittedly a problem, at least for services not running as root. For services running as root, there's no change in behavior when talking to rpcbind - the registration will be owned by the superuser in both cases, because instead of checking the AF_LOCAL credentials for uid 0 it will check for a privileged source port. I agree though, that this part of the patch doesn't leave me totally at ease. > which changes the behavior of rpcb_set() and rpcb_unset(), and could break > the local rpcbind security model. It might be better to use > pmap_setunset() only when local_rpcb() fails. If it helps, I could do the old PMAP calls as a fallback rather than trying these by default, agreed. Let me see what I can come up with tomorrow. > Another minor problem I think I remember is that if libtirpc is used on a > system (perhaps because it is statically linked with said ISV RPC-enabled > application) that does not have /etc/netconfig installed, the transport > creation logic in rpcb_clnt.c simply doesn't work. Well, but that's something that's fixed easily - we can always tell such customer to install an /etc/netconfig on their system. Olaf -- Neo didn't bring down the Matrix. SOA did. (soafacts.com) -------------------------------------------- Olaf Kirch - Director Server (okir@xxxxxxxxxx) SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nürnberg GF: Markus Rex, HRB 16746 (AG Nürnberg) -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
