[klibc] portmap spoofing in nfsmount

H. Peter Anvin hpa at zytor.com
Thu Jun 17 01:41:00 PDT 2004

Hi all,

I have implemented portmap spoofing in klibc nfsmount (released as 
klibc-0.144)  This is basically a vestigial portmap daemon which gets 
launched before the mount() call and then just records any transactions 
it gets to a file and sends back an affirmative reply.

There are two ways to use it (this belongs in a README file, but it's 
too late at night right now):

a) Set a fixed portnumber in /proc/sys/nfs/nlm_tcpport and 
/proc/sys/nfs/nlm_udpport before calling nfsmount; once the portmapper 
starts feed that fixed portnumber to pmap_set(8).  In this case the 
pmap_file can be /dev/null.

b) Allow the kernel to bind to any port and use the file produced by 
nfsroot to feed to pmap_set (it should be directly compatible); this 
means the file needs to be transferred to a place where the "real root" 
can find it before run-init.

To use it:

	nfsroot -p pmap_file -o lock server:/pathname /realpath

In either case, it is imperative that the real portmapper is launched 
before any program tries to create locks!

Please let me know exactly how broken it is; I'm going to bed now.


More information about the klibc mailing list