I ran nmap against one of my Solaris 10 servers and noticed RPC port 111 is on.
I want to disable rpcbind to close that port, but I need to make sure it does not
break anything. To do that, I have to find out which processes or services
depend on rpcbind as a required service. If rpcbind is only an optional dependency
for a service, then that service does not need rpcbind in order to run.
Since Solaris 10 uses SMF to start all my services, it should be pretty easy to find
out about those dependencies.
OK, so let's find out which SMF service (FMRI) starts rpcbind. Each process carries
the contract id of the service (FMRI) that started it. So I just have to map the svc
to the process based on the contract id (ctid).
Let's find the ctid (contract id) of process rpcbind:
(root)@solaris:~# ps -eo ctid,ppid,args | grep rpcbind
48 1 /usr/sbin/rpcbind
OK, so the ctid is 48 for process rpcbind.
Let's find out which svc has the same contract id:
(root)@solaris:~# svcs -a -v | grep online | grep 48
online - 15:16:07 48 svc:/network/rpc/bind:default
There we go. So FMRI rpc/bind:default started rpcbind.
Let's find out which svcs depend on rpcbind:
(root)@solaris:~# svcs -D rpc/bind | grep online
online 15:16:08 svc:/system/filesystem/autofs:default
online 15:16:09 svc:/network/inetd:default
online 15:16:11 svc:/system/fmd:default
online 15:16:15 svc:/milestone/multi-user:default
online 15:16:17 svc:/network/rpc/gss:default
online 15:16:17 svc:/network/rpc/smserver:default
online 15:16:17 svc:/network/rpc/cde-ttdbserver:tcp
online 15:16:17 svc:/network/rpc/cde-calendar-manager:default
online 15:16:17 svc:/system/filesystem/volfs:default
So the above 9 svcs depend on rpcbind. However, there are
two types of dependencies: required and optional.
If a svc only optionally depends on rpcbind, then it will still run (start) even
when rpcbind is not running.
So let's find out which svcs require rpcbind in order to run/start and which do not.
I am going to loop through all the dependent services with a quick one-liner to get my answer:
(root)@solaris:~# svcs -D rpc/bind | grep online | awk '{print $NF}' | while read s junk; do echo -n "$s => "; svcs -l $s | grep rpc/bind | sed 's/dependency//' ; done
svc:/system/filesystem/autofs:default => require_all/restart svc:/network/rpc/bind (online)
svc:/network/inetd:default => optional_all/error svc:/network/rpc/bind (online)
svc:/system/fmd:default => optional_all/none svc:/network/rpc/bind (online)
svc:/milestone/multi-user:default => optional_all/none svc:/network/rpc/bind (online)
svc:/network/rpc/gss:default => require_all/restart svc:/network/rpc/bind (online)
svc:/network/rpc/smserver:default => require_all/restart svc:/network/rpc/bind (online)
svc:/network/rpc/cde-ttdbserver:tcp => require_all/restart svc:/network/rpc/bind (online)
svc:/network/rpc/cde-calendar-manager:default => require_all/restart svc:/network/rpc/bind (online)
svc:/system/filesystem/volfs:default => require_all/restart svc:/network/rpc/bind (online)
So it looks like the following three services do not need rpcbind to run, hence optional:
online 15:16:09 svc:/network/inetd:default
online 15:16:11 svc:/system/fmd:default
online 15:16:15 svc:/milestone/multi-user:default
And the following svcs require rpcbind to be running in order to start:
online 16:26:21 svc:/system/filesystem/autofs:default
online 16:26:31 svc:/network/rpc/gss:default
online 16:26:31 svc:/network/rpc/smserver:default
online 16:26:32 svc:/network/rpc/cde-ttdbserver:tcp
online 16:26:32 svc:/network/rpc/cde-calendar-manager:default
online 16:26:32 svc:/system/filesystem/volfs:default
So we cannot turn off rpcbind yet.
Let's see whether the svcs that require rpcbind are themselves necessary
to run or not.
If we can establish that these svcs are not necessary to run, then there will be no
reason for rpcbind to run either.
We are going to go through each of the dependent svcs and see if any svc requires
it to run.
So let's start with filesystem/autofs, and so on:
(root)@solaris:~# svcs -D filesystem/autofs:default | grep online | awk '{print $NF}' | while read s junk; do echo -n "$s => "; svcs -l $s | grep filesystem/autofs | sed 's/dependency//' ; done
svc:/system/dumpadm:default => optional_all/none svc:/system/filesystem/autofs (online) svc:/network/nfs/client (disabled)
svc:/network/ssh:default => optional_all/none svc:/system/filesystem/autofs (online)
svc:/system/system-log:default => optional_all/none svc:/system/filesystem/autofs (online)
svc:/network/smtp:sendmail => optional_all/none svc:/system/filesystem/autofs (online)
svc:/network/http:cswapache2 => optional_all/error svc:/system/filesystem/autofs:default (online)
svc:/milestone/multi-user:default => optional_all/none svc:/system/filesystem/autofs (online)
Looks like no svc requires filesystem/autofs. So we can go ahead and disable it:
(root)@solaris:~# svcadm disable filesystem/autofs
Next svc to test is rpc/gss
(root)@solaris:~# svcs -D rpc/gss | grep online
(root)@solaris:~#
So no online svc depends on rpc/gss. That means it will go to the disable bucket
as well:
(root)@solaris:~# svcadm disable rpc/gss
Next svc to test is rpc/smserver
(root)@solaris:~# svcs -D rpc/smserver | grep online | awk '{print $NF}' | while read s junk; do echo -n "$s => "; svcs -l $s | grep rpc/smserver | sed 's/dependency//' ; done
svc:/system/filesystem/volfs:default => require_all/none svc:/network/rpc/smserver (online)
So rpc/smserver is required by svc filesystem/volfs.
So let's drill down. If filesystem/volfs is not required by anyone then we can
disable it, which will let the svc above it in the dependency chain be disabled
as well:
(root)@solaris:~# svcs -D filesystem/volfs | grep online
(root)@solaris:~#
Bingo! Looks like no svc depends on filesystem/volfs. So disabling it:
(root)@solaris:~# svcadm disable filesystem/volfs
So rpc/smserver can go away too, since the only svc that depends on
it, filesystem/volfs, has just been disabled:
(root)@solaris:~# svcadm disable rpc/smserver
Next svc that requires rpcbind to run is rpc/cde-ttdbserver
(root)@solaris:~# svcs -D rpc/cde-ttdbserver | grep online
(root)@solaris:~#
So no running svc depends on rpc/cde-ttdbserver. Another candidate
for the disable bucket:
(root)@solaris:~# svcadm disable rpc/cde-ttdbserver
Next svc in line is rpc/cde-calendar-manager
(root)@solaris:~# svcs -D rpc/cde-calendar-manager | grep online
(root)@solaris:~#
No svc depends on it, so disabling it too
(root)@solaris:~# svcadm disable rpc/cde-calendar-manager
Now let's re-run the one-liner against the rpc/bind svc again to see if there is still
any svc that is online that requires rpcbind to run:
(root)@solaris:~# svcs -D rpc/bind | grep online | awk '{print $NF}' | while read s junk; do echo -n "$s => "; svcs -l $s | grep rpc/bind | sed 's/dependency//' ; done
svc:/network/inetd:default => optional_all/error svc:/network/rpc/bind (online)
svc:/system/fmd:default => optional_all/none svc:/network/rpc/bind (online)
svc:/milestone/multi-user:default => optional_all/none svc:/network/rpc/bind (online)
So it looks like there is no online svc left that requires rpcbind in order to run.
So we can safely assume that rpcbind can be disabled without hurting the system.
And restarting the system will not change the state.
(root)@solaris:~# svcadm disable rpc/bind
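The required-versus-optional check done by eye above can be scripted as a gate to run just before svcadm disable; this is an added example, not part of the original post. It reads the one-liner's output format and also handles require_any groups, which do not appear in the output above; the function name blockers and the svc:/site/example-* FMRIs are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads lines in the format the
# one-liner in the post prints:
#   <dependent> => <grouping>/<restart_on> <FMRI> (<state>) [<FMRI> (<state>)]...
# and prints the dependents that cannot run without the target service.
# Needs a POSIX awk; on Solaris 10 that is nawk or /usr/xpg4/bin/awk.
blockers() {
    awk -v target="$1" '
    {
        split($3, g, "/")                 # g[1] is the SMF grouping
        names_target = 0; others_online = 0
        for (i = 4; i < NF; i += 2) {     # pairs: FMRI, then "(state)"
            if (index($i, target)) names_target = 1
            else if ($(i + 1) == "(online)") others_online = 1
        }
        if (!names_target) next
        # require_all always blocks; require_any blocks only when no other
        # member of the group is online; optional_all and exclude_all never do.
        if (g[1] == "require_all" || (g[1] == "require_any" && !others_online)) {
            print $1; found = 1
        }
    }
    END { exit (found ? 1 : 0) }'
}

# Sample input: three lines taken from the output shown in the post, then two
# constructed require_any lines (hypothetical FMRIs) to show that edge case.
SAMPLE='svc:/system/filesystem/autofs:default => require_all/restart svc:/network/rpc/bind (online)
svc:/network/inetd:default => optional_all/error svc:/network/rpc/bind (online)
svc:/network/rpc/gss:default => require_all/restart svc:/network/rpc/bind (online)
svc:/site/example-a:default => require_any/none svc:/network/rpc/bind (online) svc:/network/loopback (online)
svc:/site/example-b:default => require_any/none svc:/network/rpc/bind (online) svc:/network/nfs/client (disabled)'

if printf '%s\n' "$SAMPLE" | blockers network/rpc/bind; then
    echo "no online dependent requires network/rpc/bind"
else
    echo "the services listed above still require network/rpc/bind"
fi
```

On a live system, pipe the one-liner's output into blockers network/rpc/bind and run svcadm disable rpc/bind only when it exits 0.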