
Re: Release update

According to Matt Zimmerman:
> rpc.statd in Debian doesn't accept requests by default; an entry must be
> explicitly added to /etc/hosts.allow.

To my knowledge, this is not true, and I'm the maintainer.  I believe
that rpc.statd should *not* be started by default.  If that means
moving nfs-common out of standard, fine.  But that's not a decision I
can take on my own, given how widespread NFS is.

At present, if I understand upstream correctly, tcpwrappers protection
isn't good enough for security purposes in RPC services like statd and
quotad.  Many security problems in RPC hit the decoding step, and
decoding happens before the tcpwrappers protections kick in.  It'd be
a Good Thing if that were to be fixed.  But even if it were, it's a
fundamental security practice not to run services you don't need.
Chip Salzenberg               - a.k.a. -               <chip@pobox.com>
"I wanted to play hopscotch with the impenetrable mystery of existence,
    but he stepped in a wormhole and had to go in early."  // MST3K
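
The ordering concern raised in the message above, as an added example that is not part of the original post or of rpc.statd: a constructed C model in which a denied peer's bytes reach the decoder when decoding precedes the access check, and never do when the check comes first. The handler names, the allow-list stand-in and the sample request are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not rpc.statd code; every name here is hypothetical. */
static int decode_calls;  /* how often the decoder ran */
/* Constructed request carrying an implausible length field. */
static const uint8_t sample[] = { 0xff, 0xff, 0xff, 0xff, 'x' };

/* Stand-in for a hosts.allow lookup: one permitted peer (documentation IP). */
static int host_allowed(const char *peer) { return strcmp(peer, "192.0.2.10") == 0; }

/* Bounds-checked decode of a 4-byte big-endian length followed by a name. */
static int decode_name(const uint8_t *buf, size_t len, char *out, size_t outsz) {
    decode_calls++;
    if (len < 4) return -1;
    uint32_t n = (uint32_t)buf[0] << 24 | (uint32_t)buf[1] << 16 |
                 (uint32_t)buf[2] << 8  | (uint32_t)buf[3];
    if (n > len - 4 || n >= outsz) return -1;  /* reject oversized length claims */
    memcpy(out, buf + 4, n);
    out[n] = '\0';
    return 0;
}

/* Order described in the message: decode first, access check afterwards. */
int handle_decode_first(const char *peer, const uint8_t *buf, size_t len) {
    char name[64];
    if (decode_name(buf, len, name, sizeof name) != 0) return -2;
    return host_allowed(peer) ? 0 : -1;
}

/* Access check first: a denied peer's bytes never reach the decoder. */
int handle_check_first(const char *peer, const uint8_t *buf, size_t len) {
    char name[64];
    if (!host_allowed(peer)) return -1;
    return decode_name(buf, len, name, sizeof name) != 0 ? -2 : 0;
}

typedef int (*handler_fn)(const char *, const uint8_t *, size_t);
/* Returns how many times the decoder ran while handling one request. */
int decoder_runs(handler_fn h, const char *peer, const uint8_t *buf, size_t len) {
    decode_calls = 0;
    (void)h(peer, buf, len);
    return decode_calls;
}

int main(void) {  /* 198.51.100.7 is a peer that is not on the allow list */
    printf("decode-first: %d\n", decoder_runs(handle_decode_first, "198.51.100.7", sample, sizeof sample));
    printf("check-first:  %d\n", decoder_runs(handle_check_first, "198.51.100.7", sample, sizeof sample));
    return 0;
}
```

The decoder in this model is bounds-checked, so both orderings reject the request; the difference is only whether untrusted bytes from a denied host are parsed at all.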
