Date:      Tue, 31 Jul 2001 20:58:00 -0700
From:      "Derek C." <coffee@blarg.net>
To:        Robert Watson <rwatson@FreeBSD.ORG>, arch@FreeBSD.ORG
Cc:        stable@FreeBSD.ORG
Subject:   Re: Patch to modify default inetd.conf, have sysinstall prompt to edit inetd.conf
Message-ID:  <5.1.0.14.0.20010731205702.00b183d0@mail.blarg.net>
In-Reply-To: <Pine.NEB.3.96L.1010731233839.54921B-200000@fledge.watson.org>

Well, I am a fairly typical uninformed/idiot user, who is getting better 
every day, and I say the documentation is great, and the patch is a great idea.

Derek

At 08:48 PM 7/31/2001, Robert Watson wrote:


>One of the observations that has been made fairly frequently to me is that
>the current default inetd.conf puts many FreeBSD users at risk
>unnecessarily, as many of them have moved to using SSH for remote access
>needs.  In particular in light of the recent ftpd and telnetd security
>bugs, it seems like 4.4-RELEASE would be a good time to move to a more
>conservative default of having both of these services disabled in the base
>install, as both NetBSD and OpenBSD have moved to doing.
>
>The attached patch modifies inetd.conf to disable all services by default,
>and expands on the comments in the header so as to be more instructive
>concerning enabling and disabling services.  It also modifies sysinstall
>such that enabling inetd in the post-install configuration describes inetd
>more than previously, mentions the risks, and then also presents the
>opportunity to edit inetd.conf if inetd is enabled.  Also, during the
>normal install, the user is automatically prompted to enable or disable
>inetd in much the same style as the NFS server.
>
>I believe this addresses concerns about enabling remote telnetd login
>during install, which was one of the primary reasons to leave it enabled
>by default.  Note that this does not disable the installation of the
>necessary software, merely disable it by default, so users can enable them
>again easily by modifying inetd.conf, either with the help of sysinstall,
>or manually.  These changes select a safe default, but hopefully offer the
>necessary flexibility for users needing the services specifically.
>
>I've gotten reviews on content and configurability from Warner Losh, Chris
>Costello, and Jake Burkholder.  Assuming no one seriously objects (or only
>a small number of people do), I'll commit to -CURRENT within a day or so,
>and MFC (pending RE approval) shortly thereafter.  Clearly, it would be
>desirable to have this in as many of the release snapshots as possible.
>
>Here, for the patch-impaired, are a couple of excerpts from sysinstall, so
>that language can be evaluated for readability and comprehensibility for
>more novice users:
>
>  [ ]  Gateway         This machine will route packets between interfaces
>  [X]  inetd           This machine wants to run the inet daemon
>  [X]  NFS client      This machine will be an NFS client
>
>  --- User Confirmation Requested ---
>
>  The Internet Super Server (inetd) allows a number of simple Internet
>  services to be enabled, including finger, ftp, and telnetd.  Enabling
>  these services may increase risk of security problems by increasing
>  the exposure of your system.
>
>  With this in mind, do you wish to enable inetd?
>
>                          [ Yes ]         No
>
>
>  --- User Confirmation Requested ---
>
>  Inetd relies on its configuration file, /etc/inetd.conf, to determine
>  which Internet services will be available.  The default FreeBSD
>  inetd.conf leaves all services disabled by default, so they must be
>  specifically enabled in the configuration file before they will
>  function, even once inetd is enabled.
>
>  Select [Yes] now to invoke an editor on /etc/inetd.conf, or [No] to
>  use the current settings.
>
>
>? usr.sbin/sysinstall/keymap.h
>? usr.sbin/sysinstall/rtermcap
>? usr.sbin/sysinstall/makedevs.c
>? usr.sbin/sysinstall/sysinstall
>? usr.sbin/sysinstall/sysinstall.8.gz
>Index: usr.sbin/sysinstall/config.c
>===================================================================
>RCS file: /home/ncvs/src/usr.sbin/sysinstall/config.c,v
>retrieving revision 1.183
>diff -u -r1.183 config.c
>--- usr.sbin/sysinstall/config.c        2001/07/17 04:09:50     1.183
>+++ usr.sbin/sysinstall/config.c        2001/08/01 03:34:59
>@@ -955,6 +955,38 @@
>  }
>
>  int
>+configInetd(dialogMenuItem *self)
>+{
>+    char cmd[256];
>+
>+    WINDOW *w = savescr();
>+
>+    if (msgYesNo("The Internet Super Server (inetd) allows a number of 
>simple Internet\n"
>+                 "services to be enabled, including finger, ftp, and 
>telnetd.  Enabling\n"
>+                 "these services may increase risk of security problems 
>by increasing\n"
>+                 "the exposure of your system.\n\n"
>+                 "With this in mind, do you wish to enable inetd?\n")) {
>+        variable_set2("inetd_enable", "NO", 1);
>+    } else {
>+        /* If inetd is enabled, we'll need an inetd.conf */
>+
>+       if (!msgYesNo("inetd(8) relies on its configuration file, 
>/etc/inetd.conf, to determine\n"
>+                   "which Internet services will be available.  The 
>default FreeBSD\n"
>+                   "inetd.conf(5) leaves all services disabled by 
>default, so they must be\n"
>+                   "specifically enabled in the configuration file before 
>they will\n"
>+                   "function, even once inetd(8) is enabled.\n\n"
>+                   "Select [Yes] now to invoke an editor on 
>/etc/inetd.conf, or [No] to\n"
>+                   "use the current settings.\n")) {
>+            sprintf(cmd, "%s /etc/inetd.conf", variable_get(VAR_EDITOR));
>+            dialog_clear();
>+            systemExecute(cmd);
>+            variable_set2("inetd_enable", "YES", 1);
>+       }
>+    }
>+    restorescr(w);
>+}
>+
>+int
>  configNFSServer(dialogMenuItem *self)
>  {
>      char cmd[256];
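Review bot: configInetd is declared `int` but falls off the end without a `return`, so whatever the menu dispatcher reads back from it is undefined; the other config* handlers in this file (configNFSServer directly below follows the same dialogMenuItem pattern) return a status, and this one should too. Second, `variable_set2("inetd_enable", "YES", 1)` sits inside the inner editor branch only, so a user who answers Yes to enabling inetd but No to editing inetd.conf leaves inetd_enable untouched; hoist that call to the top of the `else` block so both answers to the editor prompt record the Yes. Third, `sprintf(cmd, "%s /etc/inetd.conf", variable_get(VAR_EDITOR))` writes an unbounded editor string into a 256-byte buffer; `snprintf(cmd, sizeof(cmd), ...)` costs nothing here. Also note the mailer has wrapped the long string literals in this hunk, so the patch has to be taken from the raw attachment rather than the quoted body.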
>Index: usr.sbin/sysinstall/dispatch.c
>===================================================================
>RCS file: /home/ncvs/src/usr.sbin/sysinstall/dispatch.c,v
>retrieving revision 1.38
>diff -u -r1.38 dispatch.c
>--- usr.sbin/sysinstall/dispatch.c      2001/07/05 09:51:09     1.38
>+++ usr.sbin/sysinstall/dispatch.c      2001/08/01 03:35:05
>@@ -52,6 +52,7 @@
>  } resWords[] = {
>      { "configAnonFTP",         configAnonFTP           },
>      { "configRouter",          configRouter            },
>+    { "configInetd",           configInetd             },
>      { "configNFSServer",       configNFSServer         },
>      { "configNTP",             configNTP               },
>      { "configPCNFSD",          configPCNFSD            },
>Index: usr.sbin/sysinstall/install.c
>===================================================================
>RCS file: /home/ncvs/src/usr.sbin/sysinstall/install.c,v
>retrieving revision 1.300
>diff -u -r1.300 install.c
>--- usr.sbin/sysinstall/install.c       2001/07/17 04:09:50     1.300
>+++ usr.sbin/sysinstall/install.c       2001/08/01 03:35:18
>@@ -573,6 +573,10 @@
>         variable_set2("gateway_enable", "YES", 1);
>
>      dialog_clear_norefresh();
>+    if (!msgNoYes("Do you want to configure inetd and simple internet 
>services?"))
>+        configInetd(self);
>+
>+    dialog_clear_norefresh();
>      if (!msgNoYes("Do you want to have anonymous FTP access to this 
> machine?"))
>         configAnonFTP(self);
>
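Review bot: answering No to "Do you want to configure inetd and simple internet services?" skips configInetd entirely, so this path never writes inetd_enable either way and the installed system inherits whatever /etc/defaults/rc.conf provides. If the goal of the change is a conservative default, the No branch should set `variable_set2("inetd_enable", "NO", 1)` explicitly, mirroring what configInetd does when the user declines inetd in its own dialog.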
>Index: usr.sbin/sysinstall/menus.c
>===================================================================
>RCS file: /home/ncvs/src/usr.sbin/sysinstall/menus.c,v
>retrieving revision 1.310
>diff -u -r1.310 menus.c
>--- usr.sbin/sysinstall/menus.c 2001/07/31 21:30:57     1.310
>+++ usr.sbin/sysinstall/menus.c 2001/08/01 03:35:53
>@@ -235,6 +235,7 @@
>        { " FTP sites",          "The FTP mirror site 
> listing.",         NULL, dmenuSubmenu, NULL, &MenuMediaFTP },
>        { " Gateway",            "Set flag to route packets between 
> interfaces.", dmenuVarCheck, dmenuToggleVariable, NULL, "gateway=YES" },
>        { " HTML Docs",          "The HTML documentation 
> menu",          NULL, docBrowser },
>+      { " inetd Configuration",        "Configure inetd and simple 
>internet services.",        dmenuVarCheck, configInetd, NULL, 
>"inetd_enable=YES" },
>        { " Install, Standard",  "A standard system 
> installation.",      NULL, installStandard },
>        { " Install, Express",   "An express system 
> installation.",      NULL, installExpress },
>        { " Install, Custom",    "The custom installation 
> menu",         NULL, dmenuSubmenu, NULL, &MenuInstallCustom },
>@@ -1332,7 +1333,7 @@
>        { " Gateway",    "This machine will route packets between interfaces",
>         dmenuVarCheck,  dmenuToggleVariable, NULL, "gateway_enable=YES" },
>        { " inetd",      "This machine wants to run the inet daemon",
>-       dmenuVarCheck,  dmenuToggleVariable, NULL, "inetd_enable=YES" },
>+       dmenuVarCheck,  configInetd, NULL, "inetd_enable=YES" },
>        { " NFS client", "This machine will be an NFS client",
>         dmenuVarCheck,  dmenuToggleVariable, NULL, "nfs_client_enable=YES" },
>        { " NFS server", "This machine will be an NFS server",
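Review bot: swapping dmenuToggleVariable for configInetd changes this checkbox's semantics: selecting it no longer toggles the variable but runs the full dialog, and since configInetd only records inetd_enable=YES on the editor path, the [X] that dmenuVarCheck displays can disagree with the answer the user just gave. Either have configInetd set the variable on both branches of the editor prompt, or keep the plain toggle here and leave the editor to the new " inetd Configuration" entry added in the earlier hunk.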
>Index: usr.sbin/sysinstall/sysinstall.h
>===================================================================
>RCS file: /home/ncvs/src/usr.sbin/sysinstall/sysinstall.h,v
>retrieving revision 1.209
>diff -u -r1.209 sysinstall.h
>--- usr.sbin/sysinstall/sysinstall.h    2001/07/17 04:09:50     1.209
>+++ usr.sbin/sysinstall/sysinstall.h    2001/08/01 03:36:06
>@@ -447,6 +447,7 @@
>  extern int     configXDesktop(dialogMenuItem *self);
>  extern int     configRouter(dialogMenuItem *self);
>  extern int     configPCNFSD(dialogMenuItem *self);
>+extern int     configInetd(dialogMenuItem *self);
>  extern int     configNFSServer(dialogMenuItem *self);
>  extern int     configWriteRC_conf(dialogMenuItem *self);
>  extern int     configSecurityProfile(dialogMenuItem *self);
>Index: etc/inetd.conf
>===================================================================
>RCS file: /home/ncvs/src/etc/inetd.conf,v
>retrieving revision 1.48
>diff -u -r1.48 inetd.conf
>--- etc/inetd.conf      2001/03/30 10:25:40     1.48
>+++ etc/inetd.conf      2001/08/01 03:36:10
>@@ -2,12 +2,14 @@
>  #
>  # Internet server configuration database
>  #
>-# define *both* IPv4 and IPv6 entries for dual-stack support.
>+# Define *both* IPv4 and IPv6 entries for dual-stack support.
>+# To disable a service, comment it out by prefixing the line with '#'.
>+# To enable a service, remove the '#' at the beginning of the line.
>  #
>-ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
>-ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
>-telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
>-telnet stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
>+#ftp   stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
>+#ftp   stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
>+#telnet        stream  tcp     nowait  root    /usr/libexec/telnetd 
>telnetd
>+#telnet        stream  tcp6    nowait  root    /usr/libexec/telnetd 
>telnetd
>  #shell stream  tcp     nowait  root    /usr/libexec/rshd       rshd
>  #shell stream  tcp6    nowait  root    /usr/libexec/rshd       rshd
>  #login stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
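Review bot: the new header comment explains how to flip the '#' but not that an already-running inetd only re-reads the file after it is sent a SIGHUP (or restarted), which is exactly the step a user enabling a service after installation will miss; one more comment line covering that would complete the instructions. Separately, the two '#telnet' lines in this quoted copy have been wrapped by the mailer ("telnetd" on its own line), so the hunk will not apply from the message body as shown.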
>@@ -17,10 +19,13 @@
>  #exec  stream  tcp     nowait  root    /usr/libexec/rexecd     rexecd
>  #uucpd stream  tcp     nowait  root    /usr/libexec/uucpd      uucpd
>  #nntp  stream  tcp     nowait  usenet  /usr/libexec/nntpd      nntpd
>+#
>  # run comsat as root to be able to print partial mailbox contents w/ biff,
>  # or use the safer tty:tty to just print that new mail has been received.
>-comsat dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
>-ntalk  dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
>+#comsat        dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
>+#
>+# ntalk is required for the 'talk' utility to work correctly
>+#ntalk dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
>  #tftp  dgram   udp     wait    nobody  /usr/libexec/tftpd      tftpd 
> /tftpboot
>  #bootps        dgram   udp     wait    root    /usr/libexec/bootpd 
> bootpd
>  #
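The header comment the patch adds to inetd.conf describes the enable/disable convention (a leading '#' disables a service line). The following Python script is an added example for this thread, not code from the patch or from FreeBSD: it parses an inetd.conf in that line format, reports which services would actually be listening, and flags the cleartext protocols the thread is concerned about. The two sample files are constructed from the pre- and post-patch excerpts in the diff, with tabs replaced by spaces, and are not read from a real system.

```python
"""Audit an inetd.conf(5) file: which services are live, and which of those
carry credentials or shells in cleartext.

Added example; not FreeBSD's code and not part of the patch under review.
It relies only on the inetd.conf line format the patch's header describes:

    service socket-type protocol wait/nowait user server-program [args]

with a leading '#' marking a disabled entry.
"""
from __future__ import annotations

from dataclasses import dataclass

# inetd socket types; used to tell a commented-out service line from an
# ordinary prose comment, which the file also contains.
SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}

# Services that send passwords or grant shells in the clear; the thread's
# reason for disabling ftp and telnet by default.
CLEARTEXT_SERVICES = {"ftp", "telnet", "shell", "login", "exec"}


@dataclass(frozen=True)
class InetdEntry:
    service: str
    socket_type: str
    protocol: str
    wait: str
    user: str
    program: str
    args: tuple[str, ...]
    enabled: bool


def parse_inetd_conf(text: str) -> list[InetdEntry]:
    """Return every service entry in the file, enabled or commented out."""
    entries: list[InetdEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line if enabled else line.lstrip("#").strip()
        fields = body.split()
        # A service line has at least six fields and a socket type in the
        # second one; anything else is a prose comment ("# run comsat as root").
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue
        entries.append(InetdEntry(
            service=fields[0], socket_type=fields[1], protocol=fields[2],
            wait=fields[3], user=fields[4], program=fields[5],
            args=tuple(fields[6:]), enabled=enabled))
    return entries


def enabled_services(entries: list[InetdEntry]) -> list[str]:
    """Distinct service names inetd would actually listen for."""
    return sorted({e.service for e in entries if e.enabled})


def cleartext_enabled(entries: list[InetdEntry]) -> list[str]:
    """Enabled services that are known cleartext protocols."""
    return [s for s in enabled_services(entries) if s in CLEARTEXT_SERVICES]


# Constructed samples transcribed from the pre- and post-patch diff excerpts.
OLD_DEFAULT = """\
#
# define *both* IPv4 and IPv6 entries for dual-stack support.
#
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
ftp     stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
# run comsat as root to be able to print partial mailbox contents w/ biff,
# or use the safer tty:tty to just print that new mail has been received.
comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
ntalk   dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
#tftp   dgram   udp     wait    nobody  /usr/libexec/tftpd      tftpd /tftpboot
"""

NEW_DEFAULT = """\
#
# Define *both* IPv4 and IPv6 entries for dual-stack support.
# To disable a service, comment it out by prefixing the line with '#'.
# To enable a service, remove the '#' at the beginning of the line.
#
#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#telnet stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#
# run comsat as root to be able to print partial mailbox contents w/ biff,
# or use the safer tty:tty to just print that new mail has been received.
#comsat dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
#
# ntalk is required for the 'talk' utility to work correctly
#ntalk  dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
#tftp   dgram   udp     wait    nobody  /usr/libexec/tftpd      tftpd /tftpboot
"""


if __name__ == "__main__":
    for name, text in (("pre-patch", OLD_DEFAULT), ("post-patch", NEW_DEFAULT)):
        found = parse_inetd_conf(text)
        print(f"{name}: {len(found)} entries, enabled={enabled_services(found)}, "
              f"cleartext={cleartext_enabled(found)}")
```

Run against the pre-patch sample it reports ftp and telnet as enabled cleartext services; against the post-patch sample every entry parses but none is enabled, which is the state the thread is arguing for. Pointing `parse_inetd_conf` at the contents of a real /etc/inetd.conf gives the same answer for an installed system, and the socket-type check is what keeps the file's prose comments from being miscounted as disabled entries.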

