From owner-freebsd-stable Tue Jul 31 20:56:05 2001
Date: Tue, 31 Jul 2001 20:58:00 -0700
From: "Derek C."
To: Robert Watson, arch@FreeBSD.ORG
Cc: stable@FreeBSD.ORG
Subject: Re: Patch to modify default inetd.conf, have sysinstall prompt to edit inetd.conf
Message-Id: <5.1.0.14.0.20010731205702.00b183d0@mail.blarg.net>
Sender: owner-freebsd-stable@FreeBSD.ORG

Well, I am a fairly typical uninformed/idiot user, who is getting better every day, and I say the documentation is great, and the patch is a great idea.

Derek

At 08:48 PM 7/31/2001, Robert Watson wrote:
>One of the observations that has been made fairly frequently to me is that
>the current default inetd.conf puts many FreeBSD users at risk
>unnecessarily, as many of them have moved to using SSH for remote access
>needs. In particular in light of the recent ftpd and telnetd security
>bugs, it seems like 4.4-RELEASE would be a good time to move to a more
>conservative default of having both of these services disabled in the base
>install, as both NetBSD and OpenBSD have moved to doing.
>
>The attached patch modifies inetd.conf to disable all services by default,
>and expands on the comments in the header so as to be more instructive
>concerning enabling and disabling services. It also modifies sysinstall
>such that enabling inetd in the post-install configuration describes inetd
>more than previously, mentions the risks, and then also presents the
>opportunity to edit inetd.conf if inetd is enabled. Also, during the
>normal install, the user is automatically prompted to enable or disable
>inetd in much the same style as the NFS server.
>
>I believe this addresses concerns about enabling remote telnetd login
>during install, which was one of the primary reasons to leave it enabled
>by default. Note that this does not disable the installation of the
>necessary software, merely disable it by default, so users can enable them
>again easily by modifying inetd.conf, either with the help of sysinstall,
>or manually. These changes select a safe default, but hopefully offer the
>necessary flexibility for users needing the services specifically.
>
>I've gotten reviews on content and configurability from Warner Losh, Chris
>Costello, and Jake Burkholder. Assuming no one seriously objects (or only
>a small number of people do), I'll commit to -CURRENT within a day or so,
>and MFC (pending RE approval) shortly thereafter. Clearly, it would be
>desirable to have this in as many of the release snapshots as possible.
>
>Here, for the patch-impaired, are a couple of excerpts from sysinstall, so
>that language can be evaluated for readability and comprehensibility for
>more novice users:
>
>  [ ] Gateway      This machine will route packets between interfaces
>  [X] inetd        This machine wants to run the inet daemon
>  [X] NFS client   This machine will be an NFS client
>
>  ---------------------- User Confirmation Requested ----------------------
>  The Internet Super Server (inetd) allows a number of simple Internet
>  services to be enabled, including finger, ftp, and telnetd.  Enabling
>  these services may increase risk of security problems by increasing
>  the exposure of your system.
>
>  With this in mind, do you wish to enable inetd?
>  -------------------------------------------------------------------------
>                            [ Yes ]      No
>
>
>  ---------------------- User Confirmation Requested ----------------------
>  Inetd relies on its configuration file, /etc/inetd.conf, to determine
>  which Internet services will be available.  The default FreeBSD
>  inetd.conf leaves all services disabled by default, so they must be
>  specifically enabled in the configuration file before they will
>  function, even once inetd is enabled.
>
>  Select [Yes] now to invoke an editor on /etc/inetd.conf, or [No] to
>  use the current settings.
>
>  -------------------------------------------------------------------------
>
>? usr.sbin/sysinstall/keymap.h
>? usr.sbin/sysinstall/rtermcap
>? usr.sbin/sysinstall/makedevs.c
>? usr.sbin/sysinstall/sysinstall
>? usr.sbin/sysinstall/sysinstall.8.gz
>Index: usr.sbin/sysinstall/config.c
>===================================================================
>RCS file: /home/ncvs/src/usr.sbin/sysinstall/config.c,v
>retrieving revision 1.183
>diff -u -r1.183 config.c
>--- usr.sbin/sysinstall/config.c 2001/07/17 04:09:50 1.183
>+++ usr.sbin/sysinstall/config.c 2001/08/01 03:34:59
>@@ -955,6 +955,38 @@ > } > > int >+configInetd(dialogMenuItem *self) >+{ >+ char cmd[256]; >+ >+ WINDOW *w = savescr(); >+ >+ if (msgYesNo("The Internet Super Server (inetd) allows a number of >simple Internet\n" >+ "services to be enabled, including finger, ftp, and >telnetd. Enabling\n" >+ "these services may increase risk of security problems >by increasing\n" >+ "the exposure of your system.\n\n" >+ "With this in mind, do you wish to enable inetd?\n")) { >+ variable_set2("inetd_enable", "NO", 1); >+ } else { >+ /* If inetd is enabled, we'll need an inetd.conf */ >+ >+ if (!msgYesNo("inetd(8) relies on its configuration file, >/etc/inetd.conf, to determine\n" >+ "which Internet services will be available. The >default FreeBSD\n" >+ "inetd.conf(5) leaves all services disabled by >default, so they must be\n" >+ "specifically enabled in the configuration file before >they will\n" >+ "function, even once inetd(8) is enabled.\n\n" >+ "Select [Yes] now to invoke an editor on >/etc/inetd.conf, or [No] to\n" >+ "use the current settings.\n")) { >+ sprintf(cmd, "%s /etc/inetd.conf", variable_get(VAR_EDITOR)); >+ dialog_clear(); >+ systemExecute(cmd); >+ variable_set2("inetd_enable", "YES", 1); >+ } >+ } >+ restorescr(w); >+} >+ >+int > configNFSServer(dialogMenuItem *self) > { > char cmd[256]; >Index: usr.sbin/sysinstall/dispatch.c >=================================================================== >RCS file: /home/ncvs/src/usr.sbin/sysinstall/dispatch.c,v >retrieving revision 1.38 >diff -u -r1.38 dispatch.c >--- usr.sbin/sysinstall/dispatch.c 2001/07/05 09:51:09 1.38 >+++ usr.sbin/sysinstall/dispatch.c 2001/08/01 03:35:05 
>@@ -52,6 +52,7 @@ > } resWords[] = { > { "configAnonFTP", configAnonFTP }, > { "configRouter", configRouter }, >+ { "configInetd", configInetd }, > { "configNFSServer", configNFSServer }, > { "configNTP", configNTP }, > { "configPCNFSD", configPCNFSD }, >Index: usr.sbin/sysinstall/install.c >=================================================================== >RCS file: /home/ncvs/src/usr.sbin/sysinstall/install.c,v >retrieving revision 1.300 >diff -u -r1.300 install.c >--- usr.sbin/sysinstall/install.c 2001/07/17 04:09:50 1.300 >+++ usr.sbin/sysinstall/install.c 2001/08/01 03:35:18 >@@ -573,6 +573,10 @@ > variable_set2("gateway_enable", "YES", 1); > > dialog_clear_norefresh(); >+ if (!msgNoYes("Do you want to configure inetd and simple internet >services?")) >+ configInetd(self); >+ >+ dialog_clear_norefresh(); > if (!msgNoYes("Do you want to have anonymous FTP access to this > machine?")) > configAnonFTP(self); > >Index: usr.sbin/sysinstall/menus.c >=================================================================== >RCS file: /home/ncvs/src/usr.sbin/sysinstall/menus.c,v >retrieving revision 1.310 >diff -u -r1.310 menus.c >--- usr.sbin/sysinstall/menus.c 2001/07/31 21:30:57 1.310 >+++ usr.sbin/sysinstall/menus.c 2001/08/01 03:35:53 >@@ -235,6 +235,7 @@ > { " FTP sites", "The FTP mirror site > listing.", NULL, dmenuSubmenu, NULL, &MenuMediaFTP }, > { " Gateway", "Set flag to route packets between > interfaces.", dmenuVarCheck, dmenuToggleVariable, NULL, "gateway=YES" }, > { " HTML Docs", "The HTML documentation > menu", NULL, docBrowser }, >+ { " inetd Configuration", "Configure inetd and simple >internet services.", dmenuVarCheck, configInetd, NULL, >"inetd_enable=YES" }, > { " Install, Standard", "A standard system > installation.", NULL, installStandard }, > { " Install, Express", "An express system > installation.", NULL, installExpress }, > { " Install, Custom", "The custom installation > menu", NULL, dmenuSubmenu, NULL, &MenuInstallCustom }, 
>@@ -1332,7 +1333,7 @@ > { " Gateway", "This machine will route packets between interfaces", > dmenuVarCheck, dmenuToggleVariable, NULL, "gateway_enable=YES" }, > { " inetd", "This machine wants to run the inet daemon", >- dmenuVarCheck, dmenuToggleVariable, NULL, "inetd_enable=YES" }, >+ dmenuVarCheck, configInetd, NULL, "inetd_enable=YES" }, > { " NFS client", "This machine will be an NFS client", > dmenuVarCheck, dmenuToggleVariable, NULL, "nfs_client_enable=YES" }, > { " NFS server", "This machine will be an NFS server", >Index: usr.sbin/sysinstall/sysinstall.h >=================================================================== >RCS file: /home/ncvs/src/usr.sbin/sysinstall/sysinstall.h,v >retrieving revision 1.209 >diff -u -r1.209 sysinstall.h >--- usr.sbin/sysinstall/sysinstall.h 2001/07/17 04:09:50 1.209 >+++ usr.sbin/sysinstall/sysinstall.h 2001/08/01 03:36:06 >@@ -447,6 +447,7 @@ > extern int configXDesktop(dialogMenuItem *self); > extern int configRouter(dialogMenuItem *self); > extern int configPCNFSD(dialogMenuItem *self); >+extern int configInetd(dialogMenuItem *self); > extern int configNFSServer(dialogMenuItem *self); > extern int configWriteRC_conf(dialogMenuItem *self); > extern int configSecurityProfile(dialogMenuItem *self); >Index: etc/inetd.conf >=================================================================== >RCS file: /home/ncvs/src/etc/inetd.conf,v >retrieving revision 1.48 >diff -u -r1.48 inetd.conf >--- etc/inetd.conf 2001/03/30 10:25:40 1.48 >+++ etc/inetd.conf 2001/08/01 03:36:10 
>@@ -2,12 +2,14 @@ > # > # Internet server configuration database > # >-# define *both* IPv4 and IPv6 entries for dual-stack support. >+# Define *both* IPv4 and IPv6 entries for dual-stack support. >+# To disable a service, comment it out by prefixing the line with '#'. >+# To enable a service, remove the '#' at the beginning of the line. > # >-ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l >-ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l >-telnet stream tcp nowait root /usr/libexec/telnetd telnetd >-telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd >+#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l >+#ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l >+#telnet stream tcp nowait root /usr/libexec/telnetd >telnetd >+#telnet stream tcp6 nowait root /usr/libexec/telnetd >telnetd > #shell stream tcp nowait root /usr/libexec/rshd rshd > #shell stream tcp6 nowait root /usr/libexec/rshd rshd > #login stream tcp nowait root /usr/libexec/rlogind rlogind >@@ -17,10 +19,13 @@ > #exec stream tcp nowait root /usr/libexec/rexecd rexecd > #uucpd stream tcp nowait root /usr/libexec/uucpd uucpd > #nntp stream tcp nowait usenet /usr/libexec/nntpd nntpd >+# > # run comsat as root to be able to print partial mailbox contents w/ biff, > # or use the safer tty:tty to just print that new mail has been received. >-comsat dgram udp wait tty:tty /usr/libexec/comsat comsat >-ntalk dgram udp wait tty:tty /usr/libexec/ntalkd ntalkd >+#comsat dgram udp wait tty:tty /usr/libexec/comsat comsat >+# >+# ntalk is required for the 'talk' utility to work correctly >+#ntalk dgram udp wait tty:tty /usr/libexec/ntalkd ntalkd > #tftp dgram udp wait nobody /usr/libexec/tftpd tftpd > /tftpboot > #bootps dgram udp wait root /usr/libexec/bootpd > bootpd > # To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
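Review bot: in the config.c hunk, `variable_set2("inetd_enable", "YES", 1)` is only reached inside the inner `if (!msgYesNo(...))` block, so a user who answers Yes to "do you wish to enable inetd?" and then No to editing /etc/inetd.conf ("use the current settings") leaves inetd_enable unset and inetd does not start; move the YES assignment to the top of the else branch so it applies whether or not the editor is invoked. Two smaller points in the same function: configInetd() is declared `int` but falls off the end without a return, while the sibling config hooks return a status to the menu code, so add a return after `restorescr(w);`; and `sprintf(cmd, "%s /etc/inetd.conf", variable_get(VAR_EDITOR))` into `char cmd[256]` copies the configNFSServer pattern, but `snprintf(cmd, sizeof cmd, ...)` costs nothing and removes the dependence on the editor string's length.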
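Review bot: in the install.c hunk the user is asked the same thing twice: `msgNoYes("Do you want to configure inetd and simple internet services?")` is immediately followed by configInetd(self), whose first dialog is "do you wish to enable inetd?". Either call configInetd(self) unconditionally (its own first question already covers the enable decision) or, if the outer prompt stays, have a No there call `variable_set2("inetd_enable", "NO", 1)` so rc.conf records the choice explicitly instead of relying on the default.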
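Review bot: in the second menus.c hunk, swapping dmenuToggleVariable for configInetd changes the `[X] inetd` item from a one-keypress toggle into a dialog, while dmenuVarCheck still draws the mark from `inetd_enable=YES`; that is consistent with the "NO" path of configInetd, but it means the missing YES assignment on configInetd's "don't edit" path shows up here as a box that stays unchecked after the user said they want inetd. A short comment on the menu entry noting that it now launches a dialog rather than toggling would help the next reader.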
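Review bot: in the first etc/inetd.conf hunk, the new header lines explain how to comment a service in or out but not that a running inetd only re-reads /etc/inetd.conf when it is sent SIGHUP or restarted; since the whole point of the change is that users will edit this file after install, one more line such as `# After editing, send inetd a SIGHUP so it re-reads this file.` would prevent edits that silently have no effect. Also check that the `#telnet` lines are on single lines in the committed file; they appear wrapped here, which is mail wrapping but worth confirming.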
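Review bot: the second etc/inetd.conf hunk header says `-17,10 +19,13` but only nine old and twelve new lines are quoted, so the final context line was lost in transit; harmless for reading the change, but anyone applying the patch from the list archive will need the original attachment rather than this copy.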
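The patch leaves two places that together decide what listens after install: inetd.conf (which services inetd would start) and the inetd_enable setting sysinstall writes to rc.conf (whether inetd starts at all). The following audit script is an added example, not part of Robert's patch or of sysinstall itself; it takes file paths as arguments and runs against constructed sample files so it can be tried without touching a real /etc.

```shell
#!/bin/sh
# Added example (not from the patch or sysinstall): audit which services an
# inetd.conf would actually start and whether rc.conf turns inetd on at all.
# Both functions take a file path, so the constructed samples below stand in
# for /etc/inetd.conf and /etc/rc.conf.

# Print "service/proto" for every active (uncommented) inetd.conf line.
# Field layout per inetd.conf(5): service type proto wait/nowait user program args
inetd_enabled_services() {
    awk '
        /^[[:space:]]*#/ { next }   # commented out: disabled
        NF < 6           { next }   # blank or malformed line
        { print $1 "/" $3 }
    ' "$1"
}

# Exit 0 if the last uncommented inetd_enable= assignment in an rc.conf-style
# file is YES (quotes and case ignored), 1 otherwise.
rc_inetd_enabled() {
    awk -F= '
        /^[[:space:]]*inetd_enable[[:space:]]*=/ {
            v = $2; gsub(/["[:space:]]/, "", v); last = toupper(v)
        }
        END { exit ((last == "YES") ? 0 : 1) }
    ' "$1"
}

# Constructed sample inetd.conf: the new all-commented default, with one
# service (ftp over IPv4) re-enabled by an administrator.
SAMPLE_INETD=$(mktemp)
cat > "$SAMPLE_INETD" <<'EOF'
#
# Internet server configuration database
#
# To disable a service, comment it out by prefixing the line with '#'.
# To enable a service, remove the '#' at the beginning of the line.
#
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#comsat dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
EOF

# Constructed rc.conf samples: one where sysinstall recorded YES, one NO.
SAMPLE_RC_YES=$(mktemp); printf 'inetd_enable="YES"\n' > "$SAMPLE_RC_YES"
SAMPLE_RC_NO=$(mktemp);  printf '# inetd_enable="YES"\ninetd_enable="NO"\n' > "$SAMPLE_RC_NO"
trap 'rm -f "$SAMPLE_INETD" "$SAMPLE_RC_YES" "$SAMPLE_RC_NO"' EXIT

echo "services inetd would start:"
inetd_enabled_services "$SAMPLE_INETD"
if rc_inetd_enabled "$SAMPLE_RC_YES"; then echo "rc.conf sample 1: inetd enabled"; fi
if rc_inetd_enabled "$SAMPLE_RC_NO"; then echo "unexpected"; else echo "rc.conf sample 2: inetd disabled"; fi
```

Run against the real files as `inetd_enabled_services /etc/inetd.conf` and `rc_inetd_enabled /etc/rc.conf` after installation to confirm that only the services deliberately uncommented are listed and that inetd_enable matches the choice made in sysinstall; an empty service list with inetd enabled is the intended new default.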