From ce109b524b4cbea96908c8b307c78e5d44f92240 Mon Sep 17 00:00:00 2001
From: Neil Brown <neilb@suse.de>
Date: Fri, 11 May 2007 13:02:10 +1000
Subject: [PATCH] Release version 6.0

Add a README, update CHANGES, and add a -V flag to print version.
---
 BLURB => BLURBv5 |   0
 CHANGES          |  11 +++
 README           | 230 +++++------------------------------------------
 README.5         | 214 +++++++++++++++++++++++++++++++++++++++++++
 portmap.8        |   3 +
 portmap.c        |   6 +-
 6 files changed, 257 insertions(+), 207 deletions(-)
 rename BLURB => BLURBv5 (100%)
 create mode 100644 README.5

diff --git a/BLURB b/BLURBv5
similarity index 100%
rename from BLURB
rename to BLURBv5
diff --git a/CHANGES b/CHANGES
index 222fc95..0e88d45 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,14 @@
+Changes with release 6.0 (May 2007)
+
+- compile and runtime selection of uid to 'setuid' to
+- mapping table is stored in a file and can be restored on restart
+- If a privilege program registers a non-privileged port, and
+  non-privileged program can no-longer unregister it.
+- add man pages
+- allow portmap to bind to a local address only
+- support 'chroot'
+- various cleanups and minor bug fixes
+
 
 Changes with release 5 (July 1996)
 
diff --git a/README b/README
index c2b0c0b..0da54cc 100644
--- a/README
+++ b/README
@@ -1,214 +1,32 @@
-@(#) README 1.7 96/07/06 23:06:19
 
-This is the README file for the 5th enhanced portmapper release.
+portmap-6.0 is the first release in 10 year of portmap based on the code
+from Wietse Venema.
 
-Description
------------
+It consolidates patches that various Linux distributions were shipping
+with their versions of portmap, and add some more functionality.
 
-This README describes a replacement portmapper that prevents theft of
-NIS (YP), NFS, and other sensitive information via the portmapper.  As
-an option, the program supports access control in the style of the tcp
-wrapper (log_tcp) package.
+This version is currently maintained by 
+   Neil Brown <neilb@suse.de>
+and can be found at
+    git://neil.brown.name/portmap
+    http://neil.brown.name/git/portmap
+    http://neil.brown.name/portmap/
 
-Like all portmappers, this one is intended to be started at boot time.
-Daemons that offer RPC services tell the portmapper on what port they
-listen. Unlike the well-known services registered with the inetd, RPC
-network port numbers may change each time the system is booted.
-Whenever a client wants to use an RPC service it is supposed to first
-ask the portmapper on what port the corresponding daemon is listening.
-The rpcinfo command can tell you what RPC services your system offers.
+NeilBrown - 11may2007
 
-As described in the features section below, the replacement portmapper
-can prevent undesirable client-server interactions.  In some cases,
-better or equivalent alternatives are available:
+There is no "./configure", just use "make".
 
-    The SunOS portmap that is provided with patch id 100482-02 should
-    close the same security holes.  In addition, it provides an YPSERV
-    daemon with its own access control list. This is better than just
-    portmapper access control.
+Some make variable can be used to control compilation.
 
-    The "securelib" shared library (eecs.nwu.edu:/pub/securelib.tar)
-    implements access control for all kinds of (RPC) services, not
-    just the portmapper.
+ NO_TCP_WRAPPER=  if non-empty, doen't use tcp_wrappers
+ USE_DNS=	  if set, tcp_wrappers can check peers based on hostname
+		  as well as IP address.  This should only be used if you
+		  are certain that gethostbyname will never trigger a
+		  called to portmap (as it might if 'nis' is used for hostnames).
+ RPCUSER=	  is set, portmap will use getpwnam to find the user for
+		  that user, and will setuid to that user before listening
+		  for incoming messages
+ DAEMON_UID=	  Can be set to a number to override the default UID
+		  to setuid to.  Default is '1'.
+ DAEMON_GID=	  As above, but for setgid.
 
-However, vendors still ship portmap implementations that allow anyone
-to read or modify its tables and that will happily forward any request
-so that it appears to come from the local system.
-
-Features
---------
-
-- optional: host access control. The local host is always considered
-authorized. Access control requires the libwrap.a library that comes
-with recent tcp wrapper (log_tcp) implementations.
-
-- requests to change the portmap tables are accepted only when they
-come from the local system.
-
-- optional: requests to (un)register services that listen on privileged
-ports (port < 1024) are accepted only when the requests themselves come
-from a privileged port. This feature is optional because of older RPC
-implementations.
-
-- requests that are forwarded by the portmapper will be forwarded
-through an unprivileged port.
-
-- the portmapper refuses to forward requests to rpc daemons that do (or
-should) verify the origin of each request: when the portmapper forwards
-a request it appears to come from the local machine. At present, the
-portmapper refuses to forward all RPC calls to itself, and most RPC
-calls to the NFS mountd/nfsd daemons, and to the NIS daemons.
-
-- the really desperate can harden the portmapper even more by requiring
-that requests to modify its tables arrive via the loopback network
-interface, instead of via the primary network interface that every host
-can talk to. The cost is high: besides changes to the portmapper, this
-requires changes to system libraries, to statically-linked rpc servers,
-to the kernel to disable IP source routing, and perhaps even to system
-startup procedures.  Don't do this unless you're desperate.  Details
-are given in the Makefile.
-
-Restrictions
-------------
-
-Limiting access to the portmapper does not protect you from direct
-attacks on the rpc daemons; the main task of portmap is to maintain a
-table of available RPC services and of the network ports that they are
-listening on. The securelib can be used to protect individual RPC
-daemons, and the latest SunOS portmap+NIS fix already protects the NIS
-daemons and implements limited forwarding.
-
-On the other hand, even though a portmapper with access control only
-makes an attack more difficult, it still provides an excellent early
-warning system.
-
-Origin and portability
-----------------------
-
-The sources in this distribution are derived from code on the second
-BSD networking tape, which was derived from Sun's RPCSRC 4.0 code, and
-from Sun's TIRPC (transport-independent rpc) distribution. 
-
-The code compiles fine with SunOS 4.1.x, Ultrix 4.x, HP-UX 9.x, AIX 3.x
-and AIX 4.x, and Digital UNIX (OSF/1). See the notes in the Makefile.
-
-Solaris 2.x (and other true System V.4 clones) use a different program
-called rpcbind. I have written a replacement for that program, too.
-The primary achive is ftp.win.tue.nl:/pub/security/rpcbind_xx.tar.Z.
-
-Installation
-------------
-
-(1) Follow the instructions in the Makefile, then build the portmap and
-auxiliary executables.
-
-(2) Before killing the present portmap process, save the present
-portmapper tables using the command:
-
-	./pmap_dump >table
-
-If you kill the portmap process without saving its tables you will have
-to reboot the machine.
-
-Note: the information in the portmap tables is dynamic: For example, it
-will be different after each reboot. On a Sun, it even changes each
-time a windowing system is started that uses the selection service.
-
-(3) Kill the running portmap process and start the new portmap
-program.  Then (still as root) initialize the portmap tables with:
-
-	./pmap_set <table
-
-(4) If you get error messages of the form: "not registered: xxxx",
-disable the CHECK_PORT feature in the Makefile, remove pmap_check.o and
-rebuild the portmap program.  Then proceed with step 3.
-
-If the portmapper complains that it cannot find all machine interfaces
-you will have to rebuild it with -DHAS_SA_LEN set (see Makefile). You
-can test this with the "from_local" command (to build: make from_local).
-
-In order to revert to the original portmap daemon, kill off the running
-one, restart the original portmapper and reload its tables using the
-"pmap_set" command as shown above.
-
-Access control:
----------------
-
-By default, host access control is enabled. However, the host that runs
-the portmapper is always considered authorized. The host access control
-tables are never consulted with requests from the local system itself;
-they are always consulted with requests from other hosts.
-
-In order to avoid deadlocks, the portmap program does not attempt to
-look up the remote host name or user name, nor will it try to match NIS
-netgroups. The upshot of all this is that only network number patterns
-will work for portmap access control.
-
-Sample entries for the host access-control files are:
-
-    /etc/hosts.allow:
-	portmap: your.sub.net.number/your.sub.net.mask
-	portmap: 255.255.255.255 0.0.0.0
-
-    /etc/hosts.deny
-	portmap: ALL: (/some/where/safe_finger -l @%h | mail root) &
-
-The syntax of the access-control files is described in the
-hosts_access.5 manual page that comes with the tcp wrapper (log_tcp)
-sources.  The safe_finger command comes with later wrapper releases.
-
-The first line in the hosts.allow file permits access from all systems
-within your own subnet. Some rpc services rely on broadcasts and will
-contact your portmapper anyway; and once an intruder has access to your
-local network segment you're already in deep trouble.
-
-The second line in the hosts.allow file may be needed if there are
-any PC-NFS systems on your network segment.
-
-For security reasons, the portmap process drops root privilegs after
-initialization. The access control files should therefore be readable
-for group or world.
-
-Testing:
---------
-
-Normally, only rejected requests will be reported via the syslog
-daemon.  Logging is done in a child process, in order to avoid
-possible deadlock in case the logging code needs assistance from
-the portmapper.
-
-By default, the portmapper will be utterly silent. In fact, the portmap
-daemon is not consulted that often. Sending a SIGINT signal to the
-portmap process will enable the logging of all requests. 
-
-Another way to enable verbose logging is to start the daemon with the
-"-v" option. See above, steps (2) and later, on how to stop and restart
-the portmapper without having to reboot.
-
-Warning:  with some HP-UX and AIX versions, when verbose logging is on,
-the system fills up with zombie processes. This can be fixed by
-compiling with -DIGNORE_SIGCHLD (see instructions in the Makefile).
-
-With verbose logging turned on, requests such as "ypcat" or "rpcinfo
--p" should show up with log file entries such as:
-
- MMM dd hh:mm:ss hostname portmap[pid]: connect from x.x.x.x to getport(ypserv)
- MMM dd hh:mm:ss hostname portmap[pid]: connect from y.y.y.y to dump()	
-
-Send SIGINT to the portmapper to turn the verbose logging off.
-
-Acknowledgements
-----------------
-
-Casper H.S. Dik (casper@fwi.uva.nl) provided valuable information on
-RPC security and tested an intermediate version of the portmapper with
-SunOS 4.1.2.  Lyford D. Rich (rich@ece.nps.navy.mil) was helpful with
-porting the daemon to Ultrix 3.x. Lionel Cons (cons@dxcern.cern.ch)
-solved the HP-UX problem. Fabrice Gonton (Fabrice.Gonton@sagem.fr)
-figured out how to make the program work on AIX 4.1, and Michael
-Matthews took care of the DEC Alpha platform.
-
-	Wietse Venema (wietse@wzv.win.tue.nl)
-	Mathematics and Computing Science
-	Eindhoven University of Technology
-	The Netherlands
diff --git a/README.5 b/README.5
new file mode 100644
index 0000000..c2b0c0b
--- /dev/null
+++ b/README.5
@@ -0,0 +1,214 @@
+@(#) README 1.7 96/07/06 23:06:19
+
+This is the README file for the 5th enhanced portmapper release.
+
+Description
+-----------
+
+This README describes a replacement portmapper that prevents theft of
+NIS (YP), NFS, and other sensitive information via the portmapper.  As
+an option, the program supports access control in the style of the tcp
+wrapper (log_tcp) package.
+
+Like all portmappers, this one is intended to be started at boot time.
+Daemons that offer RPC services tell the portmapper on what port they
+listen. Unlike the well-known services registered with the inetd, RPC
+network port numbers may change each time the system is booted.
+Whenever a client wants to use an RPC service it is supposed to first
+ask the portmapper on what port the corresponding daemon is listening.
+The rpcinfo command can tell you what RPC services your system offers.
+
+As described in the features section below, the replacement portmapper
+can prevent undesirable client-server interactions.  In some cases,
+better or equivalent alternatives are available:
+
+    The SunOS portmap that is provided with patch id 100482-02 should
+    close the same security holes.  In addition, it provides an YPSERV
+    daemon with its own access control list. This is better than just
+    portmapper access control.
+
+    The "securelib" shared library (eecs.nwu.edu:/pub/securelib.tar)
+    implements access control for all kinds of (RPC) services, not
+    just the portmapper.
+
+However, vendors still ship portmap implementations that allow anyone
+to read or modify its tables and that will happily forward any request
+so that it appears to come from the local system.
+
+Features
+--------
+
+- optional: host access control. The local host is always considered
+authorized. Access control requires the libwrap.a library that comes
+with recent tcp wrapper (log_tcp) implementations.
+
+- requests to change the portmap tables are accepted only when they
+come from the local system.
+
+- optional: requests to (un)register services that listen on privileged
+ports (port < 1024) are accepted only when the requests themselves come
+from a privileged port. This feature is optional because of older RPC
+implementations.
+
+- requests that are forwarded by the portmapper will be forwarded
+through an unprivileged port.
+
+- the portmapper refuses to forward requests to rpc daemons that do (or
+should) verify the origin of each request: when the portmapper forwards
+a request it appears to come from the local machine. At present, the
+portmapper refuses to forward all RPC calls to itself, and most RPC
+calls to the NFS mountd/nfsd daemons, and to the NIS daemons.
+
+- the really desperate can harden the portmapper even more by requiring
+that requests to modify its tables arrive via the loopback network
+interface, instead of via the primary network interface that every host
+can talk to. The cost is high: besides changes to the portmapper, this
+requires changes to system libraries, to statically-linked rpc servers,
+to the kernel to disable IP source routing, and perhaps even to system
+startup procedures.  Don't do this unless you're desperate.  Details
+are given in the Makefile.
+
+Restrictions
+------------
+
+Limiting access to the portmapper does not protect you from direct
+attacks on the rpc daemons; the main task of portmap is to maintain a
+table of available RPC services and of the network ports that they are
+listening on. The securelib can be used to protect individual RPC
+daemons, and the latest SunOS portmap+NIS fix already protects the NIS
+daemons and implements limited forwarding.
+
+On the other hand, even though a portmapper with access control only
+makes an attack more difficult, it still provides an excellent early
+warning system.
+
+Origin and portability
+----------------------
+
+The sources in this distribution are derived from code on the second
+BSD networking tape, which was derived from Sun's RPCSRC 4.0 code, and
+from Sun's TIRPC (transport-independent rpc) distribution. 
+
+The code compiles fine with SunOS 4.1.x, Ultrix 4.x, HP-UX 9.x, AIX 3.x
+and AIX 4.x, and Digital UNIX (OSF/1). See the notes in the Makefile.
+
+Solaris 2.x (and other true System V.4 clones) use a different program
+called rpcbind. I have written a replacement for that program, too.
+The primary achive is ftp.win.tue.nl:/pub/security/rpcbind_xx.tar.Z.
+
+Installation
+------------
+
+(1) Follow the instructions in the Makefile, then build the portmap and
+auxiliary executables.
+
+(2) Before killing the present portmap process, save the present
+portmapper tables using the command:
+
+	./pmap_dump >table
+
+If you kill the portmap process without saving its tables you will have
+to reboot the machine.
+
+Note: the information in the portmap tables is dynamic: For example, it
+will be different after each reboot. On a Sun, it even changes each
+time a windowing system is started that uses the selection service.
+
+(3) Kill the running portmap process and start the new portmap
+program.  Then (still as root) initialize the portmap tables with:
+
+	./pmap_set <table
+
+(4) If you get error messages of the form: "not registered: xxxx",
+disable the CHECK_PORT feature in the Makefile, remove pmap_check.o and
+rebuild the portmap program.  Then proceed with step 3.
+
+If the portmapper complains that it cannot find all machine interfaces
+you will have to rebuild it with -DHAS_SA_LEN set (see Makefile). You
+can test this with the "from_local" command (to build: make from_local).
+
+In order to revert to the original portmap daemon, kill off the running
+one, restart the original portmapper and reload its tables using the
+"pmap_set" command as shown above.
+
+Access control:
+---------------
+
+By default, host access control is enabled. However, the host that runs
+the portmapper is always considered authorized. The host access control
+tables are never consulted with requests from the local system itself;
+they are always consulted with requests from other hosts.
+
+In order to avoid deadlocks, the portmap program does not attempt to
+look up the remote host name or user name, nor will it try to match NIS
+netgroups. The upshot of all this is that only network number patterns
+will work for portmap access control.
+
+Sample entries for the host access-control files are:
+
+    /etc/hosts.allow:
+	portmap: your.sub.net.number/your.sub.net.mask
+	portmap: 255.255.255.255 0.0.0.0
+
+    /etc/hosts.deny
+	portmap: ALL: (/some/where/safe_finger -l @%h | mail root) &
+
+The syntax of the access-control files is described in the
+hosts_access.5 manual page that comes with the tcp wrapper (log_tcp)
+sources.  The safe_finger command comes with later wrapper releases.
+
+The first line in the hosts.allow file permits access from all systems
+within your own subnet. Some rpc services rely on broadcasts and will
+contact your portmapper anyway; and once an intruder has access to your
+local network segment you're already in deep trouble.
+
+The second line in the hosts.allow file may be needed if there are
+any PC-NFS systems on your network segment.
+
+For security reasons, the portmap process drops root privilegs after
+initialization. The access control files should therefore be readable
+for group or world.
+
+Testing:
+--------
+
+Normally, only rejected requests will be reported via the syslog
+daemon.  Logging is done in a child process, in order to avoid
+possible deadlock in case the logging code needs assistance from
+the portmapper.
+
+By default, the portmapper will be utterly silent. In fact, the portmap
+daemon is not consulted that often. Sending a SIGINT signal to the
+portmap process will enable the logging of all requests. 
+
+Another way to enable verbose logging is to start the daemon with the
+"-v" option. See above, steps (2) and later, on how to stop and restart
+the portmapper without having to reboot.
+
+Warning:  with some HP-UX and AIX versions, when verbose logging is on,
+the system fills up with zombie processes. This can be fixed by
+compiling with -DIGNORE_SIGCHLD (see instructions in the Makefile).
+
+With verbose logging turned on, requests such as "ypcat" or "rpcinfo
+-p" should show up with log file entries such as:
+
+ MMM dd hh:mm:ss hostname portmap[pid]: connect from x.x.x.x to getport(ypserv)
+ MMM dd hh:mm:ss hostname portmap[pid]: connect from y.y.y.y to dump()	
+
+Send SIGINT to the portmapper to turn the verbose logging off.
+
+Acknowledgements
+----------------
+
+Casper H.S. Dik (casper@fwi.uva.nl) provided valuable information on
+RPC security and tested an intermediate version of the portmapper with
+SunOS 4.1.2.  Lyford D. Rich (rich@ece.nps.navy.mil) was helpful with
+porting the daemon to Ultrix 3.x. Lionel Cons (cons@dxcern.cern.ch)
+solved the HP-UX problem. Fabrice Gonton (Fabrice.Gonton@sagem.fr)
+figured out how to make the program work on AIX 4.1, and Michael
+Matthews took care of the DEC Alpha platform.
+
+	Wietse Venema (wietse@wzv.win.tue.nl)
+	Mathematics and Computing Science
+	Eindhoven University of Technology
+	The Netherlands
diff --git a/portmap.8 b/portmap.8
index 39e07cd..4c92cac 100644
--- a/portmap.8
+++ b/portmap.8
@@ -49,6 +49,7 @@ program number mapper
 .Op Fl f
 .Op Fl t Ar dir
 .Op Fl v
+.Op Fl V
 .Op Fl i Ar address
 .Op Fl l
 .Op Fl u Ar uid
@@ -102,6 +103,8 @@ currently active services.
 .Pp
 Options available:
 .Bl -tag -width Ds
+.It Fl V
+Display version number and exit.
 .It Fl d
 (debug) prevents
 .Nm portmap
diff --git a/portmap.c b/portmap.c
index 7ad4734..2a98881 100644
--- a/portmap.c
+++ b/portmap.c
@@ -184,9 +184,13 @@ main(int argc, char **argv)
 	int foreground = 0;
 	int have_uid = 0;
 
-	while ((c = getopt(argc, argv, "dflt:vi:u:g:")) != EOF) {
+	while ((c = getopt(argc, argv, "Vdflt:vi:u:g:")) != EOF) {
 		switch (c) {
 
+		case 'V':
+			printf("portmap version 6.0 - 2007-May-11\n");
+			exit(1);
+
 		case 'u':
 			daemon_uid = atoi(optarg);
 			if (daemon_uid <= 0) {
-- 
2.39.5