COMMAND

    portmap(8)

SYSTEMS AFFECTED

    Systems  running  NFS  and  exporting  filesystems  to themselves.
    SunOS 4.1.x, Ultrix, Solaris, IRIX 4.x

PROBLEM

    From 'man 3 portmap':

    enum clnt_stat pmap_rmtcall(...) ...

    Request that the portmap on the  host at IP address *addr make  an
    RPC call on the behalf of the caller to a procedure on that host.

    From a distant host, you can make a pmap_call call formatted as  a
    mount request, and the portmapper will forward it to the port  you
    request.  When  the  mount  daemon  gets  it,  it  will  appear to
    originate from the local host.  The mount daemon will verify  that
    the filesystem is exported to  the local host, and return  a valid
    filehandle.

SOLUTION

    One likely solution is to enable port checking. Excerpted from one
    /etc/rc.local file:

        rpc.mountd
        echo "nsf_portmon/W1" | abd -w /vmunix /dev/kmem

    Now the mount deamon (modulo  any bugs) will only accept  requests
    from  a  privileged  port.  The  rpc  requests  forwarded  by  the
    portmapper will (modulo any bugs) not originate from a  privileged
    port. On a Sun you can  acomplish the same just by adding  '-p' to
    the startup of mountd in /etc/rc*. Another solution is to use  the
    portmapper  from  tcp_wraper,  it   was  protection  againts   the
    portmapper PMAPPROC_CALLIT  procedure... Look  it up  in your  Sun
    'Network Programming Guide' pages 164 and 165.. Get Wietse  Venema
    portmapper. For Solaris get Wietse rpcbind.