While messing around with ppriv(1m) today, I noticed that rpcbind(1m) was modified to run with reduced privileges in Solaris 10:
$ ps -ef | grep rpc
daemon 1678 1 0 16:11:26 ? 0:00 /usr/sbin/rpcbind
root 22884 13928 0 16:28:39 pts/6 0:00 grep rpc
$ ppriv 1678
1678: /usr/sbin/rpcbind
flags = PRIV_AWARE
E: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
I: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
P: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
L: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
The !proc_exec and !proc_fork privilege settings are super cool (the “!” means a privilege has been revoked). These privilege reductions should reduce the chance of fork()'ing a process and exec()'ing a shell if a buffer overflow is found in rpcbind (which has historically been a security nightmare).
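As an added example (not part of the original post), here is a small POSIX sh helper that turns the manual ppriv(1) inspection above into a repeatable check: it parses a ppriv listing and reports whether a given privilege is revoked in a given set. The listing used below is a constructed copy of the rpcbind output shown above; the function and variable names are my own. Note that in that output proc_exec is revoked in the effective (E) set, while proc_fork is revoked only in the inheritable (I) and limit (L) sets, so a check should look at each set separately rather than assume both are gone everywhere.

```shell
#!/bin/sh
# Added example, not from the original post: check privilege revocation
# in ppriv(1) output. Works with the stock ppriv PID listing format.

# Constructed sample listing, modelled on the rpcbind output above.
SAMPLE_PPRIV='1678: /usr/sbin/rpcbind
flags = PRIV_AWARE
E: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
I: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
P: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
L: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session'

# priv_revoked SET PRIV LISTING
#   returns 0 if "!PRIV" appears in the SET line (E, I, P or L),
#   1 if the privilege is not revoked there, 2 if the set line is missing.
priv_revoked() {
    pr_set=$1; pr_priv=$2; pr_listing=$3
    # ppriv indents the set lines; tolerate leading whitespace.
    pr_line=$(printf '%s\n' "$pr_listing" | sed -n "s/^[[:space:]]*${pr_set}: //p")
    [ -n "$pr_line" ] || return 2
    printf '%s\n' "$pr_line" | tr ',' '\n' | grep -qx "!${pr_priv}"
}

# exec_status LISTING
#   prints "exec-blocked" if proc_exec is revoked in the effective set
#   (the process cannot exec a new image), else "exec-allowed".
exec_status() {
    if priv_revoked E proc_exec "$1"; then
        echo exec-blocked
    else
        echo exec-allowed
    fi
}

# report_sets PRIV LISTING
#   prints one line per set, e.g. "proc_fork E:present I:revoked ..."
report_sets() {
    rs_priv=$1; rs_listing=$2; rs_out=$rs_priv
    for rs_set in E I P L; do
        if priv_revoked "$rs_set" "$rs_priv" "$rs_listing"; then
            rs_out="$rs_out ${rs_set}:revoked"
        else
            rs_out="$rs_out ${rs_set}:present"
        fi
    done
    echo "$rs_out"
}

# Usage against a live process would be:
#   pid=$(pgrep -x rpcbind); exec_status "$(ppriv "$pid")"
# Here we run against the constructed sample so the script works offline.
exec_status "$SAMPLE_PPRIV"
report_sets proc_exec "$SAMPLE_PPRIV"
report_sets proc_fork "$SAMPLE_PPRIV"
```

Run as-is it prints `exec-blocked`, then a per-set breakdown showing proc_exec revoked in all four sets and proc_fork revoked only in I and L, which matches the listing above.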