The Remote Procedure Call (RPC) mechanism provides a way for network services to communicate and make procedure calls on remote systems. When a new RPC service is started, it registers with rpcbind, the central RPC service agent. The rpcbind maintains a table of RPC services (listed by program number) and the network addresses on which they listen for clients to connect. A client will first communicate with the rpcbind service to determine the network address it must use in order to contact a particular RPC service. Current RPC services can be listed using the rpcinfo command, which communicates with the rpcbind service.
RPC services are used in many UNIX services including: NFS, NIS, NIS+, and Kerberos. RPC services are used by many applications such as Solstice DiskSuite™ software, Sun™ Cluster software, and others.
When an RPC service is started, the service tells the rpcbind daemon the address where it is listening and the RPC program numbers it is prepared to serve. When a client wants to make an RPC call to a given program number, it first contacts the rpcbind daemon on the server machine to determine the address where RPC requests should be sent. The rpcinfo command can be used to determine what RPC services are registered on a host.
RPC, by itself, can be used to provide an attacker with information about a system. While this may not be ideal, the real security problem is not the rpcbind daemon itself, but rather many of the services that use RPC. Many of these services do not make use of the stronger authentication mechanisms available to them and default to weak authentication. In particular, rpc.cmsd, sadmind (running without -S 2), and rpc.rexd use weak authentication by default. Network-based attacks against these services pose a significant threat to the security of a server.
The daemons and services that use RPC on a Solaris OE system are the following.
On almost all servers, the RPC services in /etc/inetd.conf can be removed. Many applications that use RPC services add additional entries to the /etc/inetd.conf in addition to using one of the RPC-based daemons. The RPC services in /etc/inetd.conf should be removed unless specifically required.
The RPC daemons started in /etc/rc2.d and /etc/rc3.d are for rpcbind, keyserv, and various naming services (for example, NIS and NIS+), and are used by both the client and server components of NFS. The keyservdaemon must be run when AUTH_DESis used for stronger host and user authentication. The use of NIS is not recommended due to its weak security models. NIS+ provides a much more robust security model.
The RPC protocol provides support for various authentication alternatives. These include:
AUTH_NONE No authentication
AUTH_SYS or AUTH_UNIX Traditional UNIX-style authentication
AUTH_DES DES encryption-based authentication
AUTH_KERB Kerberos encryption-based authentication
Some RPC daemons and services provide options for an administrator to specify the security model (for example, NFS, sadmind, and NIS+) while others do not. If RPC must be used, then only those services and daemons that provide support for AUTH_DES should be used. This combination of RPC and AUTH_DES authentication is called Secure RPC. See "Related Resources" on page 39 for additional references to Secure RPC.