Disabling RPC hoses my Sol 10 host

About a year ago, I successfully installed a Solaris 10 host as a DNS server, and it is humming away on a public internet IP with no firewall, and quite happy. Of course as one of the prerequisites I disabled svc:/network/rpc/bind:default. The server is quite happy with only ports 22 and 53 open.

Back then, disabling RPC only disabled 3 dependent services: nlockmgr, client, and status, none of which I have any business running on this host either.

Now this week I installed two more hosts that will need to be set up in the same way, open to the internet with no firewall, and I disabled RPC, and there are TWENTY FOUR dependent services that won't start, including "multi-user" and "multi-user-server". Huh?!?

I have the same packages, more or less, installed on the older host; services like multi-user are just fine, with no idiotic dependency on RPC.

Two questions:

1) Is there a way to transport the servicemgr profile from the older machine to the new one?

-OR-

2) How do I eliminate all these dependencies that make no sense?

Thanks -wsanders

svc:/network/rpc/bind:default (RPC bindings)
State: disabled since Tue May 22 14:32:24 2007
Reason: Disabled by an administrator.
See: http://sun.com/msg/SMF-8000-05
See: man -M /usr/share/man -s 1M rpcbind
Impact: 24 dependent services are not running:
svc:/network/rpc/gss:default
svc:/network/nfs/client:default
svc:/milestone/multi-user:default
svc:/milestone/multi-user-server:default
svc:/system/basicreg:default
svc:/system/zones:default
svc:/application/cde-printinfo:default
svc:/network/rpc/rstat:default
svc:/network/rpc/metamed:default
svc:/network/nfs/nlockmgr:default
svc:/network/nfs/status:default
svc:/network/nfs/cbd:default
svc:/network/nfs/mapid:default
svc:/network/rpc/meta:default
svc:/system/mdmonitor:default
svc:/application/management/dmi:default
svc:/network/rpc/cde-ttdbserver:tcp
svc:/network/rpc/metamh:default
svc:/network/rpc/mdcomm:default
svc:/network/rpc/smserver:default
svc:/system/filesystem/volfs:default
svc:/network/rpc/rusers:default
svc:/network/nfs/rquota:default
svc:/network/rpc/cde-calendar-manager:default

[3166 byte] By [wsandersa] at [2007-11-27 5:10:05]
# 1

Removing all the NFS packages and ignoring dependencies shortened the list of RPC dependencies considerably and allows multi-user and multi-user-server to now start:

After removing NFS:

0# svcs -xv
svc:/network/rpc/bind:default (RPC bindings)
State: disabled since Tue May 22 15:28:57 2007
Reason: Disabled by an administrator.
See: http://sun.com/msg/SMF-8000-05
See: man -M /usr/share/man -s 1M rpcbind
Impact: 14 dependent services are not running:
svc:/network/rpc/gss:default
svc:/network/nfs/client:default
svc:/network/rpc/rstat:default
svc:/network/nfs/nlockmgr:default
svc:/network/nfs/status:default
svc:/network/nfs/cbd:default
svc:/network/nfs/mapid:default
svc:/network/rpc/cde-ttdbserver:tcp
svc:/network/rpc/mdcomm:default
svc:/network/rpc/smserver:default
svc:/system/filesystem/volfs:default
svc:/network/rpc/rusers:default
svc:/network/nfs/rquota:default
svc:/network/rpc/cde-calendar-manager:default

wsandersa at 2007-7-12 10:30:04
# 2
SMF services get upset if dependencies are in maintenance rather than disabled. So if you disabled all the RPC-related stuff, it should have allowed multiuser to start.
robert.cohena at 2007-7-12 10:30:04
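
Reply #2's advice is to have the RPC-dependent services disabled rather than left blocked behind rpc/bind. As an added example (not code from any poster in this thread), this sh script parses `svcs -xv` output in the layout quoted above and prints the matching `svcadm disable` commands for review; the function names and the abridged sample are constructed, and skipping milestones is a choice made by the example.

```shell
#!/bin/sh
# Added example (not from the thread): turn the "Impact:" list that
# `svcs -xv` prints for a disabled service into a reviewable disable plan.
# On Solaris 10 set AWK=nawk; the legacy /usr/bin/awk has no -v option.
AWK=${AWK:-awk}

# Constructed sample, abridged from the svcs -xv output quoted in the thread.
sample_svcs_xv() {
cat <<'EOF'
svc:/network/rpc/bind:default (RPC bindings)
 State: disabled since Tue May 22 14:32:24 2007
Reason: Disabled by an administrator.
Impact: 6 dependent services are not running:
        svc:/network/rpc/gss:default
        svc:/network/nfs/client:default
        svc:/milestone/multi-user:default
        svc:/milestone/multi-user-server:default
        svc:/network/rpc/rstat:default
        svc:/network/rpc/cde-ttdbserver:tcp
EOF
}

# impacted_fmris TARGET: read svcs -xv text on stdin and print the FMRIs
# listed under "Impact:" for the service whose header line names TARGET.
# Header lines carry a description after the FMRI; dependents are bare FMRIs.
impacted_fmris() {
    $AWK -v target="$1" '
        $1 ~ /^svc:/ && NF > 1  { cur = $1; in_impact = 0; next }
        $1 == "Impact:"         { in_impact = (cur == target); next }
        $1 ~ /^svc:/ && NF == 1 && in_impact { print $1; next }
        NF > 0                  { in_impact = 0 }  # other text ends the list
    '
}

# disable_plan TARGET: print (do not run) one svcadm command per impacted
# service. Milestones are skipped: the aim is for them to start once the
# services in front of them are disabled rather than left blocked.
disable_plan() {
    impacted_fmris "$1" | while read fmri; do
        case "$fmri" in
            svc:/milestone/*) echo "# keep: $fmri" ;;
            *)                echo "svcadm disable $fmri" ;;
        esac
    done
}

sample_svcs_xv | disable_plan svc:/network/rpc/bind:default
```

On a live host, replace `sample_svcs_xv` with `svcs -xv` and read the printed plan before running any of it.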
# 3

Well, the first approach I might take will be to redo my installation profiles to not install so much junk. I based them on the Solaris 8 ones I have used for years, where I install the "Programmer's Cluster", plus or minus a few packages, which gives a reasonable set of stuff, enough to compile the occasional OSS application that depends on a library in X.

The Solaris 10 Programmers Cluster installs much more stuff, there are lots more packages, and there are many circular dependencies among packages. That's OK for a host that is behind a firewall and has a nonroutable IP, but risky for a host fully exposed to the internet.

Mostly, I deploy Linux or BSD on a fully exposed host, they are much easier to harden, but this is an experiment. What is odd is that the Solaris 10 host I installed a year ago was much easier to harden, and I installed virtually the same set of packages with the same post-installation Jumpstart scripts. Only difference is these new hosts have a more recent patch level. Don't know what happened.

Another approach might be to do what I do in Linux, chkconfig off i.e. svcadm disable everything, and then enable just enough stuff to make the system work.

wsandersa at 2007-7-12 10:30:04
# 4

Umm, I suspect if you svcadm disable everything, you'll crash your machine.

Well, maybe not, but it wouldn't be pretty.

Things like filesystem mounting are under smf control.

But yes, you can afford to disable a lot.

I try to disable virtually anything that listens on the network or leaves unnecessary daemons hanging around.

robert.cohena at 2007-7-12 10:30:04
# 5

In the next few weeks, I'll find a Solaris 10 host I can do this experiment on: svcadm disable everything. My guess is it will come up in single user mode. I'll report back.

Single user mode only gives you the third highest possible level of system security, of course, the second highest being when the host is turned off and the highest when the host is physically destroyed.

I have applied the last two measures many times in my role as "Mr. Security Expert".

-w

wsandersa at 2007-7-12 10:30:04