
In doing some testing with the rpcinfo command on CentOS 5.10, I noticed an interesting feature. When running as root, after the connection occurs, viewing the socket table with netstat -natup shows that the source port of the connection is less than 1024; I have seen values as low as 885 and as high as 923. This behavior does not occur if you run as a non-privileged user; your source port in that case is a normal ephemeral port. I am running the version of rpcinfo packaged in the glibc-common-2.5-118.el5_10.2 RPM.

I have also verified this behavior in CentOS 7.0.1406 (rpcinfo packaged in rpcbind-0.2.0-23.el7.x86_64).

My questions:

  1. Does anybody know a reason why this behavior would occur? The rpcinfo command runs just fine from an ephemeral port when run as a non-root user.

  2. Is there any potential security vulnerability to this behavior? My instinct says no, since it only occurs if run as root.

Jeremy Dover

1 Answer


There is a security reason for that. To prevent any user from modifying the RPC mappings, portmap/rpcbind requires that requests come from a privileged user. By using a source port < 1024, rpcinfo can prove that the request was sent by root.

kofemann
  • Thanks for the tip! This led me to [this excerpt](http://www.informit.com/articles/article.aspx?p=31734&seqNum=3) from Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition, by Bellovin, et al, where there is brief discussion of exactly what you mention. – Jeremy Dover Nov 05 '15 at 11:30
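The behaviour described in the question and the reason given in the answer can be reproduced locally. The script below is an added example, not code from the question, the answer, or rpcbind/glibc: it shows the client side (a simplified stand-in for glibc's bindresvport(3), which walks the reserved range below 1024 and can only succeed for root or a process holding CAP_NET_BIND_SERVICE) and the server side (the check a service such as rpcbind applies to the peer's source port). The server, the port range and the loopback addresses are assumptions made for the demonstration; the real rpcbind and bindresvport implementations differ in detail.

```python
"""Added example (not from the question or answer): the rpcbind-style
"privileged source port" check, and why only root can satisfy it.
Assumes a Linux/Unix host where ports below 1024 require root or
CAP_NET_BIND_SERVICE to bind."""
import errno
import os
import socket
import threading

IPPORT_RESERVED = 1024  # ports < 1024 are reserved for privileged processes on Unix


def is_privileged_port(port: int) -> bool:
    """Server-side check, as rpcbind applies it: a peer source port below 1024
    means the connecting process was privileged on the host it came from."""
    return 0 < port < IPPORT_RESERVED


def bind_reserved_port(sock: socket.socket, host: str = "127.0.0.1") -> int:
    """Client side: simplified stand-in for bindresvport(3). Walk down the
    reserved range until a bind succeeds. An unprivileged caller gets
    PermissionError (EACCES) on the very first attempt."""
    for port in range(IPPORT_RESERVED - 1, 512, -1):  # 1023 .. 513 (assumed range)
        try:
            sock.bind((host, port))
            return port
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                continue  # another socket holds this port; try the next one
            raise  # EACCES (not root) or anything else: give up
    raise OSError(errno.EADDRNOTAVAIL, "no free reserved port")


def connect_like_rpcinfo(server_addr, privileged: bool) -> socket.socket:
    """Open a TCP client socket the way rpcinfo does: from a reserved port when
    running as root, from an ordinary ephemeral port otherwise."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if privileged:
        bind_reserved_port(sock)
    sock.connect(server_addr)
    return sock


def demo():
    """Run a throwaway local server, connect to it, and report what the server
    sees: (client source port, whether it passes the privileged-port check)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(5.0)
    srv.bind(("127.0.0.1", 0))  # any listening port will do; the *client* port is what matters
    srv.listen(1)
    result = {}

    def accept_once():
        conn, (_peer_host, peer_port) = srv.accept()
        result["port"] = peer_port
        result["privileged"] = is_privileged_port(peer_port)
        conn.close()

    t = threading.Thread(target=accept_once)
    t.start()
    client = connect_like_rpcinfo(srv.getsockname(), privileged=(os.geteuid() == 0))
    t.join()
    client.close()
    srv.close()
    return result["port"], result["privileged"]


if __name__ == "__main__":
    port, ok = demo()
    print(f"client source port {port}: {'privileged' if ok else 'ephemeral'}")
```

Run it once as root and once as an ordinary user: the first reports a source port in the 5xx-1023 range like the 885-923 values seen with netstat, the second an ephemeral port and `privileged == False`, which is exactly what the server-side check keys on. One design point worth keeping in mind when relying on this check: a low source port only proves that the sender was root on the sending host, so it carries weight for requests from the local machine or from hosts the service already trusts, not from arbitrary remote hosts, which is one reason rpcbind restricts the mapping-modifying calls rather than treating the port alone as authentication.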