
[debian-users:24111] access controls for portmap


The topic of not using the portmapper on a server came up, so I had a quick
look; hosts.{deny,allow} contain the following comment:

# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/netbase/portmapper.txt.gz for further information.

Looking at /usr/share/doc/portmap/portmapper.txt.gz, it says:

Access control:

By default, host access control is enabled. However, the host that runs
the portmapper is always considered authorized. The host access control
tables are never consulted with requests from the local system itself;
they are always consulted with requests from other hosts.

In order to avoid deadlocks, the portmap program does not attempt to
look up the remote host name or user name, nor will it try to match NIS
netgroups. The upshot of all this is that only network number patterns
will work for portmap access control.

That is what it says there. However, running  % man portmap  gives:

     This portmap version is protected by the tcp_wrapper library. You have to
     give the clients access to portmap if they should be allowed to use it.
     To allow connects from clients of the .bar.com domain you could use the
     following line in /etc/hosts.allow:

     portmap: .bar.com

     You have to use the daemon name portmap for the daemon name (even if the
     binary has a different name). For the client names you can only use the
     keyword ALL or IP addresses (NOT host or domain names).
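As an added example (not part of the original post or of the portmap package), the following Python model shows why the two documents agree in practice: portmap hands libwrap only the client's address and never a hostname, so a domain pattern such as ".bar.com" in hosts.allow can never match and the request falls through to the "portmap: ALL" line in hosts.deny. The rule evaluation follows hosts_access(5) for the address forms (ALL, a plain IP, a trailing-dot prefix such as "10.0.", and net/mask); the sample hosts.allow and hosts.deny contents are constructed for the example, the EXCEPT operator and shell commands are not modelled, and treating only the loopback address as "the local system itself" is an assumption of this example.

```python
"""Model of portmap's tcp_wrappers access check (added example, not portmap code).

portmap consults /etc/hosts.allow and /etc/hosts.deny through libwrap but,
to avoid deadlocks, never resolves the client's host name.  Consequently
only address patterns can ever match; host/domain patterns are accepted
syntactically by the files but are dead rules for the "portmap" daemon.
"""
import ipaddress

DAEMON = "portmap"

# Constructed sample files (not copied from any real system).
# The first "portmap:" line is the weak form: it looks like it grants access
# to bar.com hosts, but portmap never has a hostname to compare against it.
HOSTS_ALLOW_WEAK = """\
portmap: .bar.com
"""
# The corrected form uses address patterns only.
HOSTS_ALLOW_OK = """\
portmap: 127.0.0.1 192.168.1.0/255.255.255.0 10.0.
"""
HOSTS_DENY = """\
portmap: ALL
"""


def parse_rules(text):
    """Return a list of (daemon_list, client_list) from a hosts.allow/deny text.

    Only the plain 'daemons : clients' form is handled (no EXCEPT operator,
    no shell-command field, no IPv6 bracket syntax).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules


def client_matches(pattern, addr):
    """Address-only matching: everything portmap can ever use."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        # '.bar.com' matches host names ending in the suffix; portmap supplies
        # no host name, so this can never match.
        return False
    if "/" in pattern:
        # 'net/mask' form, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError:
            return False
        return ipaddress.ip_address(addr) in network
    if pattern.endswith("."):
        # '10.0.' matches every address whose leading octets are 10.0.
        return addr.startswith(pattern)
    try:
        return ipaddress.ip_address(pattern) == ipaddress.ip_address(addr)
    except ValueError:
        return False  # a bare host name such as 'bar.com': nothing to compare


def rule_matches(rule, addr):
    daemons, clients = rule
    return any(d in ("ALL", DAEMON) for d in daemons) and any(
        client_matches(c, addr) for c in clients
    )


def portmap_allows(addr, allow_text, deny_text=HOSTS_DENY):
    """Decide a request from `addr` the way portmap's libwrap check would."""
    # Requests from the local system never consult the tables.  Assumption of
    # this example: "local" means the loopback address.
    if ipaddress.ip_address(addr).is_loopback:
        return True
    # hosts_access(5) order: a hosts.allow match grants, then a hosts.deny
    # match refuses, otherwise access is granted.
    if any(rule_matches(r, addr) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, addr) for r in parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for client in ("127.0.0.1", "192.168.1.42", "10.0.3.4", "172.16.0.9"):
        print(client,
              "weak:", portmap_allows(client, HOSTS_ALLOW_WEAK),
              "ok:", portmap_allows(client, HOSTS_ALLOW_OK))
```

Running it shows that with the ".bar.com" rule every non-local client is refused by the "portmap: ALL" deny line, whereas the address-pattern rule admits the intended networks and still refuses 172.16.0.9. The practical check on a real system is the same: anything other than ALL, IP addresses, address prefixes or net/mask patterns on the "portmap:" line should be treated as a rule that never matches.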