Date:      Sat, 30 Sep 2000 16:19:33 +0200
From:      Neil Blakey-Milner <nbm@mithrandr.moria.org>
To:        Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Cc:        Adam Laurie <adam@algroup.co.uk>, security@FreeBSD.ORG
Subject:   inetd sucks? (Re: cvs commit: ports/mail/pine4 Makefile (fwd))
Message-ID:  <20000930161933.A15519@mithrandr.moria.org>
In-Reply-To: <200009301404.e8UE4xU64460@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Sat, Sep 30, 2000 at 07:04:49AM -0700
References:  <39D5A13C.8AF289BE@algroup.co.uk> <200009301404.e8UE4xU64460@cwsys.cwsent.com>

On Sat 2000-09-30 (07:04), Cy Schubert - ITSD Open Systems Group wrote:
> I had argued with Will Andrews (it was his idea so I cannot take credit 
> for it) for the removal of insecure protocols like telnet, ftp, and the 
> "r" commands and services, now that we have OpenSSH and all the 
> encryption in the base system required to support OpenSSH.  This would 
> have left the individual sysadmin solely responsible for installing 
> insecure applications and protocols. Will and I were shot down quite 
> miserably.  My first impression when this happened was that I had a 
> sense that we had a double standard.
> 
> [ The lesson I learned was that being narrow-minded like many on these 
> mailing lists doesn't convince anyone, it just alienates people.  :)  
> Not that you are, you've made your point nicely.  ]

There's a difference between getting 'shot down miserably', and having
most people say they don't agree with you.  One implies it's personal
and emotional, and the other implies they don't agree with you.

(It didn't help that it sounded like you wanted to remove the telnet
binary in the initial submission either, I think.)

> Instead, we could comment out in inetd.conf services that the community 
> has decided are insecure and have the administrator uncomment the 
> services he/she wishes to use.
> 
> In short, the only conclusion that I can come to that would keep most 
> everyone happy, and even then some will bitch and complain, is that the 
> use of options in make.conf and in sysinstall should satisfy both 
> camps.  Be prepared for those who will argue that they don't want to go 
> through a million options before installing FreeBSD.  My answer to them 
> is that we can't have our cake and eat it too and to have options is 
> the closest thing we come to having our cake and eating it too.

The problem here is that 'telnet' is the LCD, and with the really bad
way inetd is configured, it isn't easy to twiddle this bit from
sysinstall.  We ask about 'ftp' too, and it's sort of expected to work.
The rest, in my opinion, can all be commented out.

The alternative (which I'm almost finished working on) is to use a
directory + file configuration structure (which I've subsequently found
out xinetd uses) which allows sysinstall and other scripts to twiddle
services with ease.

Neil
-- 
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org
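Neil's complaint is that the flat inetd.conf is awkward for sysinstall and other scripts to twiddle. The following POSIX sh snippet is an added example, not code from this thread or from FreeBSD, showing the minimum such a script has to get right: list what an inetd.conf actually enables, then comment out everything not on an allow-list, in place and idempotently. The sample file, its path and the function names are constructed for the example.

```shell
#!/bin/sh
# Constructed sample inetd.conf (not a real host's file): four active
# services plus one already disabled, in the classic 7-field format.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# service type   proto wait   user   program              args
ftp     stream  tcp   nowait root   /usr/libexec/ftpd    ftpd -l
telnet  stream  tcp   nowait root   /usr/libexec/telnetd telnetd
#shell  stream  tcp   nowait root   /usr/libexec/rshd    rshd
login   stream  tcp   nowait root   /usr/libexec/rlogind rlogind
finger  stream  tcp   nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
EOF

# Print the names of the services inetd would actually start: the first
# field of every line that is neither blank nor a comment.
enabled_services() {
    awk '/^[[:space:]]*#/ || NF == 0 { next } { print $1 }' "$1"
}

# Comment out every active entry for a service. Anchoring on the whole
# first field means "login" does not touch an "rlogin" entry, and lines
# that are already commented are left alone, so repeat calls are harmless.
disable_inetd_service() {
    conf=$1 name=$2 tmp=$(mktemp)
    sed "s/^\(${name}[[:space:]]\)/#\1/" "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Disable everything not in the allow-list (remaining arguments): the
# "comment out what is considered insecure, let the admin uncomment"
# policy discussed in the thread, expressed as a script can apply it.
enforce_allowlist() {
    file=$1; shift
    for svc in $(enabled_services "$file"); do
        keep=0
        for ok in "$@"; do [ "$svc" = "$ok" ] && keep=1; done
        [ "$keep" -eq 1 ] || disable_inetd_service "$file" "$svc"
    done
}
```

Run against a copy of the real file first and diff the result; inetd only rereads the file on SIGHUP, so a change here does not take effect until the daemon is signalled.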


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000930161933.A15519>