[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fam mustn't depend on portmap (was Re: new portmap packages, testers wanted)

On 21-Jan-04, 05:24 (CST), Joerg Wendland <joergland@debian.org> wrote: 
> But why does everybody hate portmap that much?  It is not dangerous, it
> does not run as root, there is not much you can do with, so why even
> bother?

I think many remember when portmapper (not necessarily the linux
implementation) had a series of security problems, and the general
conclusion then was that the best solution was to just not run it. It
may have been fixed in the meantime, but we still have a fundamental
distrust. Just like sendmail :-)

In this particular case, where all FAM is doing is looking up a port
number, portmapper is way overkill. That's what getservbyname() is for.
The admitted downside is that using getservbyname() requires an assigned
port number. That could be mitigated in the transistion by assuming a
particular port if getservbyname() failed, which should work fine, given
that (probably) 99% of the use will be with localhost. Talking to a
remote host, fall back to portmapper, which is likely to be running on
the remote host anyway.

Or maybe everyone (well, the people who do the work :-)) will decide
that they can use tcpwrappers to control access to the portmapper, and
that such would be sufficient.

Steve Greenland
    The irony is that Bill Gates claims to be making a stable operating
    system and Linus Torvalds claims to be trying to take over the
    world.       -- seen on the net

Reply to: