This archive contains answers to questions sent to Unidata support through mid-2025. Note that the archive is no longer being updated. We provide the archive for reference; many of the answers presented here remain technically correct, even if somewhat outdated. For the most up-to-date information on the use of NSF Unidata software and data services, please consult the Software Documentation first.
>From: Tom Rink <address@hidden>
>Organization: .
>Keywords: 199912142057.NAA12376
>
>Hello,
>
>Our head of Systems Administration here at SSEC says that giving
>rpc.ldmd setuid root permissions is a security risk. He's
>curious why this is necessary.
>
>Thanks,
>
>^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^
>Tom Rink address@hidden
>Space Science and Engineering Center Univ. of Wisconsin-Madison
>Phone: 608-263-7494
>

Tom,

rpc.ldmd uses the assigned port 388, and needs to have root permission to use this privileged port number. That is all the setuid is used for, and after making that connection, the program lowers itself to the LDM user. This allows the LDM to be run as a non-privileged user so that data files created on the system, etc., are owned by the user.

By default, downstream LDM servers will look to port 388 on your machine for data. This configuration generally makes negotiating firewalls to other sites manageable by allowing per-IP connections to that dedicated port.

We do not recommend running the LDM as the root user. This would give control of programs like data decoders and files root permission.

If the rpc.ldmd program is not given setuid, and is not run as the root user, then the program will obtain a non-privileged port from the portmapper at runtime (in the range >1024). This means that sites downstream will not find your LDM running on port 388. As a result, they will have to have access to SUNrpc (port 111) to find out which port your server is running on (prognum 300029). Some sites feel that exposing port 111 is a security risk. Since the port that LDM is running on is determined at runtime by the portmapper, you will not know beforehand which port the LDM will be running on, so your firewall will have to allow for the non-privileged ports to be accessible.

Steve Chiswell