Re: Sun rpcbind

Aaron Bornstein (aaronb@J51.COM)
Fri, 10 Apr 1998 14:24:32 -0400

On Fri, 10 Apr 1998, Nicolas Dubee wrote:

> When rpcbind terminates with a SIGTERM or SIGINT, it will flush the
> current list of registered services to /tmp/portmap.file and
> /tmp/rpcbind.file, without checking for symbolic links etc...
> It can then be used to trash any file on the fs.
>
True. I haven't looked into it enough, but it may be possible to
munge the information written enough to look like a valid .rhosts entry.

> Note that this happens only when rpcbind is explicitly killed by root
> with SIGTERM or SIGINT (rebooting or shutting down won't do it since
> K??rpc sends a SIGKILL signal to rpcbind to prevent this behaviour).
>
Not true. When rpcbind is started in debug mode using the -d flag
and sent a procedure call to which it cannot respond (i.e. client closes
connection before a response is sent), it calls rpcbind_abort() before
dying. rpcbind_abort() calls write_warmstart(), which will write the
warmstart information mentioned above to /tmp/rpcbind.file and
/tmp/portmap.file. But only in debug mode, making this a rather difficult
bug for a cracker to exploit in the Real World.

--
Aaron Bornstein : aaronb at j51 dot com : http://www.j51.com/~aaronb
                 Fiat Justitia Ruat Caelum
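Added illustration, not code from rpcbind or from either poster: the defensive counterpart to the write_warmstart() problem discussed above is to create the state file with O_EXCL|O_NOFOLLOW, so a symlink planted at the path is refused instead of followed. The directory name, the "victim" target and the registration line written are constructed for the demo, which assumes a writable /tmp.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hardened state-file writer: O_EXCL|O_NOFOLLOW means a pre-planted symlink
 * (or any pre-existing file) at the path is refused, never followed. */
int safe_write_state(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    size_t len = strlen(data);
    ssize_t w = write(fd, data, len);
    close(fd);
    return w == (ssize_t)len ? 0 : -1;
}

/* Demo inside a private mkdtemp() directory. Returns 1 when all of these hold:
 * a symlink planted at the state path is refused, its target "victim" stays
 * empty, and a fresh path is written once (a second attempt hits O_EXCL). */
int demo_warmstart_hardening(void)
{
    char dir[] = "/tmp/warmstart-demo-XXXXXX";   /* constructed scratch dir */
    if (!mkdtemp(dir))
        return 0;
    char victim[256], planted[256], fresh[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/rpcbind.file", dir);
    snprintf(fresh, sizeof fresh, "%s/portmap.file", dir);
    int ok = 0;
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);   /* empty target file */
    if (vfd >= 0 && close(vfd) == 0 && symlink(victim, planted) == 0) {
        struct stat st;
        int refused = safe_write_state(planted, "100000 2 tcp 111\n") == -1;
        int untouched = stat(victim, &st) == 0 && st.st_size == 0;
        int first = safe_write_state(fresh, "100000 2 tcp 111\n") == 0;
        int second = safe_write_state(fresh, "x\n") == -1;
        ok = refused && untouched && first && second;
    }
    unlink(planted); unlink(victim); unlink(fresh); rmdir(dir);
    return ok;
}
```

The remaining caveat is that with a fixed name in a world-writable directory, O_EXCL also fails whenever anyone has already created a file there, so the durable fix is to keep the state file under a directory that only root can write.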