ONC RPC has many wondeful features, one of them being that it is that it is possible to do a broadcast RPC call even though services are typically assigned ports dynamically. This is implemented by having the portmapper (the program that registers all the ONC RPC services running on the machine) proxy requests, forwarding them on to the appropriate service and then relaying the answer back.
The actual code for this in the Debian portmapper is:
me.sin_port = htons(port);
client = clntudp_create(&me, a.rmt_prog, a.rmt_vers, timeout, &so);
get_myaddress fills in localhost as the address. This is all well and good until we meet address based access control such as that used by the NIS server typically used on Linux. While the access control it provides works perfectly well when a client accesses the server directly it does mean that when a NIS client broadcasts looking for servers for a domain the access control is completely circumvented. The server sees the reqest come in from localhost, thinks this is a perfectly good request and replies.
Unfortunately, the Linux NIS client doesn’t appear to detect this condition succesfully (I need to have a further dig into the code to see why – at a first glance it should). It should be possible to work around the problem by configuring portmap to also refuse access to clients on the relevant networks, though this would cause trouble for other ONC RPC services that did need to run over those networks.