Path: utzoo!attcan!uunet!seismo!sundc!pitstop!sun!ingersoll!sxn
From: sxn%ingersoll@Sun.COM (Stephen X. Nahm)
Newsgroups: comp.unix.wizards
Subject: Re: RPC == setuid procedure call?
Message-ID: <65410@sun.uucp>
Date: 23 Aug 88 23:08:20 GMT
References: <6890@umn-cs.cs.umn.edu>
Sender: news@sun.uucp
Reply-To: sxn@sun.UUCP (Stephen X. Nahm)
Organization: Sun Microsystems, Mountain View
Lines: 28
Distribution:

In article <6890@umn-cs.cs.umn.edu> randy@umn-cs.UUCP (Randy Orrison) writes:
>It seems to me that if the RPC server is running as uid root, and you make an
>RPC to it, it should be able to do things for you, as root. Is there a
>problem with this? (Other than the obvious one of validating the caller
>for what he wants done!)

... and that's what the authentication information is for. It's up to the
server to determine whether the client is authorized to request that one of
the server's procedures be executed.

AUTH_NONE and AUTH_UNIX both provide little assurance to the server that the
client is authentic, because these authentication modes do not have verifiers.
AUTH_DES, which was introduced in SunOS 4.0, does have a verifier, and gives
the server much better assurance that the client is genuine.

Also, the source of Sun's RPC library is available free of cost. As a network
applications developer, you could "roll your own" authentication mechanism,
and use this for your server.

>Is this difficulty severe enough that only root should be allowed to make
>RPCs to a RPC server running as root?

It depends on your application and operating environment. There are many
useful functions that can be safely provided by a root server, even in a
nonsecure environment. It's up to you, as the network applications developer,
to make this judgement.

Steve Nahm
sxn@sun.COM or sun!sxn
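
The server-side decision described in the post, as an added example that is not part of the original message or of Sun's RPC library: it decodes an RPC version 2 call header, shows that an AUTH_UNIX credential carries only client-supplied identity fields with an empty verifier, and refuses privileged procedures unless the credential flavor carries a verifier. The program number, procedure numbers, machine name "ws1", uid/gid values and the "check-verifier" label are assumptions made for the illustration.

```python
import struct

# Flavor numbers as defined by the ONC RPC protocol
AUTH_NONE, AUTH_UNIX, AUTH_SHORT, AUTH_DES = 0, 1, 2, 3

def read_opaque_auth(buf, off):
    """Decode one opaque_auth (flavor, length, body padded to 4 bytes)."""
    flavor, length = struct.unpack_from(">II", buf, off)
    body = buf[off + 8:off + 8 + length]
    if length > 400 or len(body) != length:   # protocol caps the body at 400 bytes
        raise ValueError("malformed opaque_auth")
    return flavor, body, off + 8 + ((length + 3) & ~3)

def parse_call(buf):
    """Decode the header of an RPC version 2 call message."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", buf, 0)
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC v2 call")
    cred_flavor, cred, off = read_opaque_auth(buf, 24)
    verf_flavor, verf, _ = read_opaque_auth(buf, off)
    call = {"proc": proc, "cred_flavor": cred_flavor,
            "verf_flavor": verf_flavor, "verf_len": len(verf)}
    if cred_flavor == AUTH_UNIX:
        # stamp, machinename, uid, gid, gids: every field is client-supplied
        (name_len,) = struct.unpack_from(">I", cred, 4)
        uid_off = 8 + ((name_len + 3) & ~3)
        call["claimed_uid"], call["claimed_gid"] = struct.unpack_from(">II", cred, uid_off)
    return call

def decide(call, privileged_procs):
    """Policy: a privileged procedure needs a credential that carries a verifier."""
    if call["proc"] not in privileged_procs:
        return "accept"
    if call["cred_flavor"] == AUTH_DES and call["verf_flavor"] == AUTH_DES and call["verf_len"]:
        return "check-verifier"      # the verifier must still be validated cryptographically
    return "AUTH_TOOWEAK"            # the auth_stat a server returns for this case

def build_sample_call(proc, cred_flavor, cred, verf_flavor, verf):
    """Build constructed test input; XDR-pads each opaque body."""
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    hdr = struct.pack(">6I", 1, 0, 2, 0x20000001, 1, proc)  # hypothetical program number
    return (hdr + struct.pack(">II", cred_flavor, len(cred)) + pad(cred)
            + struct.pack(">II", verf_flavor, len(verf)) + pad(verf))

# Constructed AUTH_UNIX credential: stamp 0, machinename "ws1", uid 1001, gid 100, no extra gids
UNIX_CRED = struct.pack(">II", 0, 3) + b"ws1\0" + struct.pack(">III", 1001, 100, 0)
SAMPLE_UNIX = build_sample_call(1, AUTH_UNIX, UNIX_CRED, AUTH_NONE, b"")

if __name__ == "__main__":
    call = parse_call(SAMPLE_UNIX)
    print(call, decide(call, privileged_procs={1}))
```
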