tcp wrappers and rpc.statd

Ben Scott dragonhawk at gmail.com
Wed Aug 2 07:30:01 EDT 2006


On 8/2/06, Paul Lussier <p.lussier at comcast.net> wrote:
> Has anyone ever used tcp wrappers to explicitly control access to rpc.statd?

  I haven't, but I can make some educated guesses.

>>     This rpc.statd version is protected by the tcp_wrapper
>>     library.
>
> Yet, there's nothing anywhere that I can see that ever invokes tcpd to
> wrap around the execution of statd

    The word "library" in there is probably significant.  These days,
TCP wrappers is also available as a set of library calls.  If the
program is built with specific support for same, it can make use of
TCP wrappers functionality, without having to be invoked by tcpd.

  I'm guessing that is what is happening here.  Check the source if
you need to be sure.

> Doing an nmap of the system in question shows statd running when
> probing the 10.0.20.31 interface.  Adding the line to /etc/hosts.allow
> does nothing.

  Services generally still show in nmap, even when using tcpd, because
the nmap just scans for listening sockets.  Sockets are implemented at
the kernel level.  It isn't until a "real" connection attempt is made
that TCP wrappers gets involved.  TCP wrappers will then look at the
IP addresses involved, and drop the connection if things aren't right.

> But when I hack the init.d script to "wrap" statd with
> tcpd, things seem to work as expected.

  I do not think that is doing what you think it is doing.  tcpd is
designed to sit "between" inetd and another daemon, and intercept the
connections inetd is handing off to the other daemon.  In those cases,
the other daemon does not listen() on a socket, and does not maintain
long-term state.

  However, statd will listen() on sockets, and exists to maintain
long-term state.  It's also an RPC-based service, which means it talks
to the portmapper to find out which socket to listen() on.  So I
wouldn't expect tcpd to work for that.  But again, I'm just guessing;
there may well be more going on than I'm aware of.  In particular, my
understanding of how Sun RPC works is very limited.

-- Ben
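An added example, not part of the thread above, showing the two points Ben makes: a libwrap-aware daemon applies the hosts.allow/hosts.deny check itself, at accept time rather than at listen time, so a port scanner still sees the listening socket while unauthorized peers are dropped after the handshake. The code is a simplified Python model of the hosts_access(5) decision (hosts.allow first, then hosts.deny, default allow), not the real libwrap; it supports ALL, exact addresses, trailing-dot prefixes and net/mask pairs but omits EXCEPT clauses, hostname patterns and shell commands. The hosts.allow/hosts.deny contents and the daemon name "rpc.statd" are constructed for the example; the name a real daemon presents to libwrap is distribution-specific, so check your own documentation.

```python
"""Simplified model of the TCP wrappers hosts_access() decision.

Added example; not code from the mailing-list thread. Rule order follows
hosts_access(5): a match in hosts.allow grants, then a match in hosts.deny
denies, otherwise access is granted. EXCEPT clauses, hostname patterns and
shell commands are left out to keep the model short.
"""
import ipaddress
import re
import socket

# Constructed sample configuration (the thread never shows the real lines).
# Daemon name "rpc.statd" is an assumption; the real name is what the daemon
# passes to libwrap and differs between distributions.
HOSTS_ALLOW = """
# daemon_list : client_list
rpc.statd : 10.0.20.0/255.255.255.0
sshd : ALL
"""

HOSTS_DENY = """
ALL : ALL
"""


def _split_list(field):
    """Split a daemon or client list on commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", field.strip()) if item]


def _parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] from a hosts.* file body."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        fields = line.split(":")  # a third field (shell command) is ignored
        if len(fields) < 2:
            continue
        rules.append((_split_list(fields[0]), _split_list(fields[1])))
    return rules


def _client_matches(pattern, client_ip):
    """Match one client pattern: ALL, trailing-dot prefix, net/mask, or exact."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # "10.0.20." matches 10.0.20.x
        return client_ip.startswith(pattern)
    if "/" in pattern:  # "10.0.20.0/255.255.255.0"
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network
    return client_ip == pattern


def _rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    daemon_ok = any(d in ("ALL", daemon) for d in daemons)
    client_ok = any(_client_matches(c, client_ip) for c in clients)
    return daemon_ok and client_ok


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if the (daemon, client) pair passes the wrapper check."""
    for rule in _parse_rules(allow_text):
        if _rule_matches(rule, daemon, client_ip):
            return True
    for rule in _parse_rules(deny_text):
        if _rule_matches(rule, daemon, client_ip):
            return False
    return True


def wrapped_accept_demo(daemon="rpc.statd"):
    """Listen on loopback, accept one connection, then apply the wrapper check.

    The kernel completes the TCP handshake before accept() returns, which is
    why a scanner still reports the port open; a libwrap-aware daemon only
    learns the peer address afterwards and closes the connection if the
    check fails. Returns the wrapper decision for the loopback peer.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    cli = socket.create_connection(("127.0.0.1", port))  # handshake done here
    conn, peer = srv.accept()
    allowed = hosts_access(daemon, peer[0])
    conn.close()  # the libwrap-aware daemon drops a denied peer at this point
    cli.close()
    srv.close()
    return allowed


if __name__ == "__main__":
    print("10.0.20.31 ->", hosts_access("rpc.statd", "10.0.20.31"))
    print("10.0.21.5  ->", hosts_access("rpc.statd", "10.0.21.5"))
    print("loopback   ->", wrapped_accept_demo())
```

With the constructed files, a client on 10.0.20.0/24 is granted statd access, anything else falls through to the `ALL : ALL` deny line, and the loopback demo shows the connection being accepted by the kernel and then refused by the check, which is exactly what an nmap "open" result hides.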



More information about the gnhlug-discuss mailing list