From: "Crist J . Clark" <cjclark@alum.mit.edu>
Reply-To: cjclark@alum.mit.edu
To: Michael Maxwell
Cc: freebsd-security@FreeBSD.ORG
Date: Sat, 19 Aug 2000 12:19:40 -0700
Subject: Re: Log message improvement for rpc.statd
Message-ID: <20000819121940.R28027@149.211.6.64.reflexcom.com>
In-Reply-To: <200008191817.NAA09304@drwho.xnet.com>; from drwho@xnet.com on Sat, Aug 19, 2000 at 01:18:13PM -0500

On Sat, Aug 19, 2000 at 01:18:13PM -0500, Michael Maxwell wrote:
> >Just noticed that someone decided to try to be annoying with
> >my rpc.statd:
>
> Is there any particular reason you *need* to have RPC visible to the
> outside? If not, you would be well advised to firewall this stuff,
> especially ports 111, 2049, etc... If there *is* a reason you need it
> open, then first try to find another solution. Otherwise, you'll just
> have to live with it.
>
> RPC is, by nature, insecure.

Someone asked me about this a few months back. Most of the problems with RPC daemons have been buffer overflows. Buffer overflows are not design flaws, but rather, programming errors. I was asked whether, provided the programs were actually written securely, there is still something inherently insecure about Sun's RPC protocols.
I really did not know enough to answer definitively. I do know that the extra layer of complexity, essentially adding another layer in the network stack between TCP or UDP and the application layer, makes me nervous. Complexity bad. But if there is anything beyond that, I am not sure.

Sun isn't known for being the most security conscious vendor... but then again I am a BSD fan and BSD is associated with the notorious r* protocols. ;)

-- 
Crist J. Clark
cjclark@alum.mit.com
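The firewalling advice quoted above (block ports 111 and 2049 from the outside) expressed as an ipfw ruleset generator, added here as an example and not part of the original thread. The external interface name fxp0 and the starting rule number are assumptions; the script only prints the rules, so applying them is a deliberate separate step.

```sh
#!/bin/sh
# Added example: generate ipfw rules that stop the Sun RPC portmapper (111)
# and NFS (2049) from being reachable on the external interface.
#
# Caveat a practitioner should know: rpc.statd, mountd and lockd register
# dynamically assigned ports with the portmapper, so these two fixed ports do
# not cover them. Blocking 111 stops remote clients from *discovering* those
# ports, but only a default-deny inbound policy on the external interface
# actually keeps them unreachable.

# rpc_firewall_rules EXT_IF
# Prints ipfw commands (rule numbers from 1000, assumed unused). To apply on
# the FreeBSD host, run as root: rpc_firewall_rules fxp0 | sh
rpc_firewall_rules() {
    ext_if="$1"
    n=1000
    for port in 111 2049; do
        for proto in tcp udp; do
            # Drop packets to the RPC port arriving inbound on the external
            # interface; traffic on internal interfaces is left alone.
            echo "ipfw add $n deny $proto from any to any $port in via $ext_if"
            n=$((n + 1))
        done
    done
}

# rpc_rule_count EXT_IF: number of rules generated, for a quick sanity check.
rpc_rule_count() {
    rpc_firewall_rules "$1" | wc -l | tr -d ' '
}

# Dry run: show the rules rather than applying them.
rpc_firewall_rules fxp0
```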