Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 4558

Summary: Portmapper Deosn't obey *names* in hosts.allow/deny
Product: [Retired] Red Hat Linux Reporter: Joshua Jensen <joshua>
Component: portmapAssignee: David Lawrence <dkl>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6.0Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 1999-08-17 16:12:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Joshua Jensen 1999-08-17 00:23:48 UTC
The man page clearly states that portmapper looks to
hosts.deny and hosts.allow for access control on both
IP addresses, subnets, and domain and subdomain names.  This
is true, exect that it pays NO ATTENTION to names.  This can
be easily verified against a better behaving in.ftpd.  wuftp
obeys both names and IP address specifications, but names
simply mistify portmapper (causing portmapper to disregard
the entire entry(!)).  This is a big security problem,
because the man page is wrong and misleads people to think
that they are denying very common things like NFS, when they
in fact aren't!  I see that portmapper has some other
similar bug reports, but I think this problem is more
general, and effects everyone.

Comment 1 David Lawrence 1999-08-17 16:12:59 UTC
RPC services such as portmap by default does not do name lookups to
avoid deadlocks. Therefore only network number patterns will work for
portmap access control.

Example:
/etc/hosts.allow:
        portmap: your.sub.net.number/your.sub.net.mask
        portmap: 255.255.255.255 0.0.0.0

/etc/hosts.deny
        portmap: ALL: (/some/where/safe_finger -l @%h | mail root) &

Try using IP's instead of names and also you can turn on verbose
logging by running portmap with the -v switch and then viewing what
may be going wrong in /var/log/messages.

The above information was found in /usr/doc/portmap-4.0/README.