| Summary: | Inetd's very existence is a security risk. |
|---|---|
| Product: | Base System |
| Reporter: | mwm |
| Component: | conf |
| Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED |
| Severity: | Affects Only Me |
| Priority: | Normal |
| Version: | 5.0-CURRENT |
| Hardware: | Any |
| OS: | Any |
| Attachments: | |
Description
mwm
2000-10-07 12:10:00 UTC
Kris Kennaway writes:
> On Sat, Oct 07, 2000 at 11:02:03AM -0000, mwm@mired.org wrote:
>
> > "make installworld" on your favorite box that doesn't run
> > inetd, and notice that you get a brand, spanking new copy of
> > inetd.
> That's what this is for in /etc/rc.conf:
> inetd_enable="NO" # Run the network daemon dispatcher (YES/NO).
> It's only a security risk if you're running it.
Didn't really read the PR carefully, did you? The relevant part is:
I always (always, always, always) turn off inetd on any system
that needs to be secured against exposure to the world. I'd
really rather it not be on the system *at all*.
In other words, I *know* how to turn it off, but I want it gone
completely. The patch makes that much saner. If you don't like that
behavior, don't add NO_INETD to /etc/make.conf.
<mike
Responsible Changed From-To: freebsd-ports->freebsd-bugs
Thought I'd argue that this PR doesn't even belong in the system, at the very least it doesn't belong in the ports/* PR section.

State Changed From-To: open->closed
Any attacker who could run a pre-built inetd binary on your system is well capable of copying his own binary there. Inetd does not have innate privilege. Therefore, there is no conceivable security improvement from disabling it.

On Sat, Oct 07, 2000 at 06:42:55AM -0500, Mike Meyer wrote:
> Kris Kennaway writes:
> > On Sat, Oct 07, 2000 at 11:02:03AM -0000, mwm@mired.org wrote:
> >
> > > "make installworld" on your favorite box that doesn't run
> > > inetd, and notice that you get a brand, spanking new copy of
> > > inetd.
> > That's what this is for in /etc/rc.conf:
> > inetd_enable="NO" # Run the network daemon dispatcher (YES/NO).
> > It's only a security risk if you're running it.
>
> Didn't really read the PR carefully, did you? The relevant part is:
>
> I always (always, always, always) turn off inetd on any system
> that needs to be secured against exposure to the world. I'd
> really rather it not be on the system *at all*.
>
> In other words, I *know* how to turn it off, but I want it gone
> completely. The patch makes that much saner. If you don't like that
> behavior, don't add NO_INETD to /etc/make.conf.

Well, IMO just not liking something isn't good grounds for yet another build knob. The inetd binary doesn't run with any privileges, it's not causing filesystem bloat, it's not taking up space on the root filesystem, and it's not conflicting with anything else. I think you'll have to provide a better justification of why this would be needed.

Kris

> <mike