
Why does rpc.statd need a privileged port?



Hi!

I'm running chkrootkit on my workstation, just for testing. After the
last reboot it found:
  Checking `bindshell'... INFECTED (PORTS:  600)

Slightly shocking on a workstation without direct Internet connectivity.
Doing an "lsof -i :600" showed rpc.statd using this port. Huh? Why a low
port? On Solaris, rpc.statd runs on an ancillary port (> 32767).

Browsing through the source of rpc.statd, I found this:
      if (bindresvport (sock, &addr))
It's called if rpc.statd has not been assigned a port to operate on
(option -p or --port).

On the security-audit mailing list, Olaf Kirch said:
  I don't recall whether lockd wants that call to originate from a
  privileged port.

I can't find anything like that in the sources. Since I have no code
that locks a file on an NFS-mounted filesystem, I can't verify this (run
rpc.statd -p $unpriv_port, try locking).

And since requiring a low port would break locking between a Solaris and
a Linux box, I doubt this would be a good idea.

Opinions? Comments?

Thanks,
Lupe Christoph
-- 
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be        |
| unsinkable. The designer had a speech impediment. He said: "I have     |
| thith great unthinkable conthept ..."                                  |
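
Added example, not part of the original message or of chkrootkit or rpc.statd: one way to triage a bindshell hit like the one above is to cross-check the flagged ports against the portmapper table printed by `rpcinfo -p`. The sample inputs are constructed; the `rpcinfo -p` column layout and a space-separated port list on the chkrootkit line are assumptions.

```python
import re

# Constructed sample inputs (not captured from the poster's machine).
CHKROOTKIT_OUT = "Checking `bindshell'... INFECTED (PORTS:  600)\n"
RPCINFO_OUT = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    600  status
    100024    1   tcp    603  status
"""

def flagged_ports(chkrootkit_text):
    """Ports listed on chkrootkit's bindshell INFECTED line (empty if clean)."""
    m = re.search(r"bindshell'\.\.\.\s*INFECTED \(PORTS:\s*([\d\s]+)\)",
                  chkrootkit_text)
    return [int(p) for p in m.group(1).split()] if m else []

def rpc_registrations(rpcinfo_text):
    """Map port -> set of (program number, service name, proto)."""
    regs = {}
    for line in rpcinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header or blank line
        prog, _vers, proto, port = fields[:4]
        name = fields[4] if len(fields) > 4 else "?"
        regs.setdefault(int(port), set()).add((int(prog), name, proto))
    return regs

def triage(chkrootkit_text, rpcinfo_text):
    """For each flagged port, list the RPC services registered on it.

    An empty list means the portmapper knows nothing about that port, so
    the hit is still unexplained. A match is only a lead: confirm the
    owning process with lsof, as in the message above.
    """
    regs = rpc_registrations(rpcinfo_text)
    return {port: sorted(regs.get(port, set()))
            for port in flagged_ports(chkrootkit_text)}

if __name__ == "__main__":
    for port, services in triage(CHKROOTKIT_OUT, RPCINFO_OUT).items():
        if services:
            print(port, "registered RPC:", services)
        else:
            print(port, "no RPC registration; check the owner with lsof")
```

Program number 100024 is the `status` service that rpc.statd registers, which is why it shows up against port 600 in the constructed table.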


