Description
-----------

This is an rpcbind replacement with access control in the style of the
tcp/ip daemon wrapper (log_tcp) package. It provides a simple mechanism
to discourage remote access to the NIS (YP), NFS, and other rpc
services.

This is a preliminary version for evaluation purposes. It does not yet
implement the rpcbind procedures that are specific to the version 4
protocol; RPCBPROC_INDIRECT is implemented in terms of RPCBPROC_CALLIT;
RPCBPROC_GETVERSADDR, RPCBPROC_GETADDRLIST and RPCBPROC_GETSTAT still
have to be done. The daemon prints a warning when an unimplemented or
partially implemented operation is requested.

The sources are derived from Sun's TIRPC (transport-independent rpc)
distribution. The README file says: "This is a source distribution of
TIRPC, for release at Connectathon '91.". I had to fix one serious bug
in the call forwarding routines: the wrong sender endpoint address
would be used when sending the reply to the client, so that the client
would never see it.

The program has undergone limited testing with SunOS 5.1 and 5.2.

Features
--------

- host access control on IP addresses. The local host is considered
  authorized. Host access control requires the libwrap.a library that
  comes with recent tcp/ip daemon wrapper (log_tcp) implementations.

- requests that are forwarded by the rpcbind process will be forwarded
  through an unprivileged port.

- the rpcbind process refuses to forward requests to rpc daemons that
  do (or should) verify the origin of the request: at present, the
  list includes most of the calls to the NFS mountd/nfsd daemons and
  the NIS daemons.

Restrictions
------------

See also the notes in the introduction.

The host access control code looks at IP addresses only.

Limiting access to the rpcbind daemon does not protect you from direct
attacks on the rpc daemons themselves; the main task of rpcbind is to
maintain a table of available RPC services and of the network ports
that they are listening on.
On the other hand, even though rpcbind with access control only makes
an attack more difficult, it still provides an excellent early warning
system.

Installation
------------

(1) Follow the instructions in the Makefile, then build the rpcbind
    executable.

(2) Terminate (kill -TERM) the running rpcbind process. With
    "kill -TERM" the rpcbind daemon will save its state in files in
    /tmp. If you kill the rpcbind process without saving its tables
    you will have to reboot the machine.

(3) Start the new rpcbind program.

In order to revert to the original rpcbind daemon, kill off the running
one with "kill -TERM", and start the original one.

Suggested entries for the host access-control files are:

    /etc/hosts.allow:

        rpcbind: your.sub.net.number/your.sub.net.mask
        rpcbind: 255.255.255.255 0.0.0.0

    /etc/hosts.deny:

        rpcbind: ALL: (/some/where/safe_finger -l @%h | /bin/mail root) &

Safe_finger comes with later tcp/ip daemon wrapper releases. It gives
better protection than the standard finger command.

The syntax of the access-control files is described in the
hosts_access.5 manual page that comes with the tcp/ip daemon wrapper
(log_tcp) sources.

The second line in the hosts.allow file may be needed in case there
are unconfigured systems on your network segment.

For security reasons, the rpcbind process does not run as root. The
access control files should be world-readable.

In order to avoid deadlocks, the rpcbind program does not attempt to
look up the remote host name, nor will it try to match NIS netgroups.

There is no need to specify the local system: since it runs the rpcbind
daemon, it is authorized by definition.

The reason for permitting whole networks in the hosts.allow file is
that many systems produce broadcast rpc requests when booting.

Testing:
--------

Normally, only rejected requests will be reported via the syslog
daemon. Logging is done in a child process, in order to avoid possible
deadlock in case the logging code needs assistance from the rpcbind
process.
By default, the rpcbind process will be utterly silent. In fact, the
rpcbind daemon is not consulted that often.

Sending a SIGINT signal to the rpcbind process will enable the logging
of all requests. With verbose logging turned on, requests such as
"showmount" or "rpcinfo" should show up with log file entries such as:

    MMM dd hh:mm:ss hostname rpcbind: connect from x.x.x.x to getport(mountd)
    MMM dd hh:mm:ss hostname rpcbind: connect from y.y.y.y to dump()
    MMM dd hh:mm:ss hostname rpcbind: connect from loopback(xxxx) to unset()

In case of IP clients, the source IP address is logged; otherwise, the
transport name and universal address are logged as transport(address).

Send another SIGINT to the rpcbind process to turn the verbose logging
off.

        Wietse Venema (wietse@wzv.win.tue.nl)
        Mathematics and Computing Science
        Eindhoven University of Technology
        The Netherlands
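
Added example (not part of the original README or of the rpcbind sources): a Python sketch that parses verbose log entries in the format shown under "Testing" and counts requests from IP clients outside the network permitted in hosts.allow. The log lines, host name, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Verbose-log entry format shown in the README:
#   MMM dd hh:mm:ss hostname rpcbind: connect from <source> to <proc>(<arg>)
ENTRY = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\srpcbind:\s"
    r"connect from (?P<src>\S+) to (?P<proc>\w+)\((?P<arg>[^)]*)\)\s*$"
)
# Non-IP clients are logged as transport(address).
TRANSPORT = re.compile(r"^(?P<transport>[\w.-]+)\((?P<addr>.*)\)$")

def parse_entry(line):
    """Return a dict for one rpcbind log line, or None if it is not one."""
    m = ENTRY.match(line)
    if not m:
        return None
    rec = dict(m.groupdict(), ip=None, transport=None)
    try:
        rec["ip"] = ipaddress.IPv4Address(rec["src"])
    except ipaddress.AddressValueError:
        t = TRANSPORT.match(rec["src"])
        rec["transport"] = t.group("transport") if t else rec["src"]
    return rec

def outside_sources(lines, allowed):
    """Count requests per (source IP, call) from outside the allowed nets."""
    nets = [ipaddress.IPv4Network(n) for n in allowed]
    hits = Counter()
    for line in lines:
        rec = parse_entry(line)
        if rec is None or rec["ip"] is None:
            continue  # unrelated syslog lines and non-IP (local) transports
        if not any(rec["ip"] in net for net in nets):
            hits[(str(rec["ip"]), "%s(%s)" % (rec["proc"], rec["arg"]))] += 1
    return hits

# Constructed sample log lines; addresses come from documentation ranges.
SAMPLE = [
    "Mar  3 10:15:02 server1 rpcbind: connect from 192.0.2.17 to getport(mountd)",
    "Mar  3 10:15:09 server1 rpcbind: connect from 198.51.100.44 to dump()",
    "Mar  3 10:16:30 server1 rpcbind: connect from loopback(1234) to unset()",
    "Mar  3 10:17:00 server1 sendmail[211]: unrelated entry",
]
if __name__ == "__main__":
    # Assumed site network, in the net/mask notation used in hosts.allow.
    hits = outside_sources(SAMPLE, ["192.0.2.0/255.255.255.0"])
    for (src, call), n in sorted(hits.items()):
        print("%s requested %s %d time(s)" % (src, call, n))
```

Verbose logging has to be enabled with SIGINT first, as described above; syslog timestamps carry no year, so the time stamp is kept as a string.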