
Re: another netinfo security question



nibindd's primary purpose is to be a server for port/tag registrations for the netinfo servers that run on a system. It has a minor role in starting up "netinfod" servers for all NetInfo databases found on the system.

An example will make this a bit more clear: Let's say a system has 3 NetInfo databases in /var/db/netinfo, with tags "local", "network", and "super". When the system boots, nibindd is started by /System/Library/StartupItems/DirectoryServices/DirectoryServices. nibindd checks /var/db/netinfo and starts netinfod servers for each database (xxx.nidb) it finds. Once started, each of these servers registers their TCP and UDP port numbers with nibindd.

nibindd then acts as a port registry: processes wishing to connect to one of the netinfod servers contact nibindd and look up the port numbers registered for the tag they desire. This is the information you can get using the "nidomain -l" command:

tag=super udp=798 tcp=799
tag=network udp=1034 tcp=1034
tag=local udp=1033 tcp=1033

nibindd also has a pair of UDP and TCP ports. It registers those ports with portmap. You can see those from the command line using "rpcinfo -p" (look for netinfobind):

program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
200100001 1 udp 799 netinfobind
200100001 1 tcp 802 netinfobind
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100005 1 udp 860 mountd
100005 3 udp 860 mountd
100005 1 tcp 861 mountd
100005 3 tcp 861 mountd

We've recently modified the startup scripts, nibindd, and netinfod to act a bit differently if the system only has a "local" domain, and if access to the local domain is not allowed to network hosts. In that case, we don't start nibindd, and netinfod runs in a "stand-alone" mode - it doesn't register its ports with nibindd. It also binds its ports only on the loopback address, so that clients must connect using the loopback address. The local domain uses a fixed port number (1033) so that clients don't need the services of nibindd to contact the local domain.

We've also made it possible to specify what port numbers are used by netinfod for its UDP and TCP ports. To set both, create a "port" property in the root directory with the desired port number as a value, e.g.:

nicl -t localhost/network -create / port 9231

To set different TCP and UDP port numbers:

nicl -t localhost/network -create / tcp_port 9231
nicl -t localhost/network -create / udp_port 9232

The Portmap startup script avoids starting portmap (port 111) if there was nothing "exported" from the system. Specifically, we check if there are any NFS exports, if network access is allowed to the local domain, or if any other NetInfo domains are served by the system. If there are no NFS exports, and there is only a local domain which doesn't allow external connections (set via the "trusted_networks" property in the root directory), then we don't start portmap. The startup scripts can be controlled using the NETINFOSERVER and RPCSERVER variables in /etc/hostconfig. See the scripts for how these are used.

All this means that a regular "desktop" system will not run portmap and nibindd, and the ports for the local domain are only accessible from the loopback interface. Server systems that have other NetInfo servers will run portmap and nibindd, since clients will need to access them over the network.

There is a simplifying assumption in this: that systems with NetInfo databases other than "local" intend to make them available over the network. Removing that restriction would require a bit of work in nibindd and some more logic in the startup scripts to decide if portmap was required. Another thing that would be useful would be a command line option for nibindd allowing one to specify its port number(s). Both of these changes would be relatively easy, and are left as an exercise for the developer :-) Seriously, if anyone has the need to do this I'll be happy to help point out where the changes would need to go in nibindd, and would be happy to push the changes back into the netinfo sources.

--
Marc Majka


On Sunday, July 22, 2001, at 05:35 PM, downtime wrote:

does anybody know of any way to keep nibindd from binding to ports without
crippling its functionality?

__________________________________________________________________

Peter Bartoli
Technical Director, Security Analysis Division
SAIC Secure Business Solutions Group
10260 Campus Point Drive, Mailstop B1E, San Diego, CA 92121
voice: (858) 826-5495, fax: (858) 826-5112
__________________________________________________________________
darwinos-users mailing list
http://www.lists.apple.com/mailman/listinfo/darwinos-users
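An added example, not code from Marc's post or from the NetInfo sources: a POSIX shell audit that parses saved listings from "rpcinfo -p", "nidomain -l" and "netstat -an" (the samples below are constructed) and reports whether a host is in the "desktop" state described above, i.e. no portmap or nibindd registered, no NetInfo domain other than "local", and the fixed local-domain port 1033 bound only to the loopback address. The netstat column layout is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: classify a host as the
# "desktop" or "server" NetInfo configuration described above by parsing
# saved listings from rpcinfo -p, nidomain -l and netstat -an on stdin.
# Samples below are constructed; the netstat column layout is assumed.

# rpcinfo -p: print RPC services that imply NetInfo is served to the network.
exposed_rpc_services() {
    awk 'NR > 1 && ($5 == "portmapper" || $5 == "netinfobind") { print $5 }' | sort -u
}

# nidomain -l: print every registered tag other than "local".
nonlocal_domains() {
    sed -n 's/^tag=\([^ ]*\).*/\1/p' | grep -v '^local$' || true
}

# netstat -an: "loopback" if every port-1033 socket (the fixed local-domain
# port) is bound to 127.0.0.1, "wildcard" if any is bound to all addresses.
local_domain_binding() {
    awk '$4 ~ /\.1033$/ { if ($4 ~ /^127\.0\.0\.1\./) lo = 1; else any = 1 }
         END { if (any) print "wildcard"; else if (lo) print "loopback"; else print "none" }'
}

# "server" if anything indicates network-served NetInfo, otherwise "desktop".
classify() {
    rpc=$(printf '%s\n' "$1" | exposed_rpc_services)
    doms=$(printf '%s\n' "$2" | nonlocal_domains)
    bind=$(printf '%s\n' "$3" | local_domain_binding)
    if [ -n "$rpc" ] || [ -n "$doms" ] || [ "$bind" = wildcard ]; then
        echo server
    else
        echo desktop
    fi
}

# Constructed sample listings for a host serving two extra domains.
RPCINFO_SAMPLE='program vers proto port
100000 2 tcp 111 portmapper
200100001 1 udp 799 netinfobind
200100001 1 tcp 802 netinfobind'
NIDOMAIN_SAMPLE='tag=super udp=798 tcp=799
tag=network udp=1034 tcp=1034
tag=local udp=1033 tcp=1033'
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.1033 *.* LISTEN
udp4 0 0 127.0.0.1.1033 *.*'
classify "$RPCINFO_SAMPLE" "$NIDOMAIN_SAMPLE" "$NETSTAT_SAMPLE"   # server
```

Feed real output in with "rpcinfo -p > rpc.txt" and so on, then call classify with the file contents; a desktop machine that prints "server" has something listening that the startup scripts were meant to leave off.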
