[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Why does rpc.statd need a privileged port?


I'm running chkrootkit on my workstation, just for testing. After the
last reboot it found:
  Checking `bindshell'... INFECTED (PORTS:  600)

Slightly shocking on a workstation without direct Internet connectivity.
Doing an "lsof -i :600" showed rpc.statd using this port. Huh? Why a low
port? On Solaris, rpc.statd runs on an ancillary port (> 32767).

Browsing through the source of rpc.statd, I found this:
      if (bindresvport (sock, &addr))
It's called if rpc.statd has not been assigned a port to operate on
(option -p or --port).

On the security-audit mailing list, Olaf Kirch said
  I don't recall whether lockd wants that call to originate from a
  privileged port.

I can't find anything like that in the sources. Since I have no code
that locks a file on an NFS-mounted filesystem, I can't verify this (run
rpc.statd -p $unpriv_port, try locking).

And since requiring a low port would break locking between a Solaris and
a Linux box, I doubt this would be a good idea.

Opinions? Comments?

Lupe Christoph
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be        |
| unsinkable. The designer had a speech impediment. He said: "I have     |
| thith great unthinkable conthept ..."                                  |

Reply to: