Bug#81118: base: Wishlist: High security base system (or separate add-on package)



On 01-01-04 Ethan Benson wrote:
> On Wed, Jan 03, 2001 at 07:50:58PM +0100, Christian Kurz wrote:
> > > apt-get remove telnetd
> > 
> > Well, why do we have telnet enabled after installation? This is a bit
> > security hole and I think this service should be disabled and only be
> > enabled by the admin.

> because telnetd is priority standard, and with dselect (and tasksel in
> woody I think) all priority standard packages are installed by
> default. (well selected by default in your first dselect session, so
> if you do nothing more than run the select step in dselect and then
> install you get priority: standard).

> $ apt-cache show telnetd
> Package: telnetd
> Priority: standard
> Section: net

Hm, what about changing the postinst of telnetd so that I ask the admin
who installs Debian or the package, if he really wants to activate
telnetd or not?

> nfsd and nfs-common are also standard, but nfs-kernel-server's
> initscript won't start the daemons if /etc/exports contains no

So that means that this security risk is not by default opened.

> exports.  nfs-common and portmap are started by default though.  (and
> statd had a nice root hole recently)

And I think we don't need a running portmap as default for all installed
systems. I think we should also modify this postinst-script to ask the
user if he really needs a running portmap or not and have it per default
turn portmap off.

> > Hm, there are services in /etc/inetd.conf that do not belong to any
> > package, like daytime and echo, and these should be disabled by default.

> agreed, these should be off by default. What are these used for that
> makes it necessary for the majority of systems to have them enabled?

I don't know any software that relies on these internal services of
inetd. I think they should be turned off by default, so that someone who
still needs one of these services has to explicitly turn them on.

Ciao
     Christian
-- 
          Debian Developer and Quality Assurance Team Member
    1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853
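
An added example, not part of the original message: one way to check which inetd services are still enabled, flagging the inetd built-ins (daytime, echo) and telnet discussed above. The sample inetd.conf, the function names and the CLEARTEXT_LOGIN set are constructed assumptions.

```python
# Audit an inetd.conf for enabled built-in services and telnet.
# SAMPLE_INETD_CONF is constructed for this example, not taken from a real system.
SAMPLE_INETD_CONF = """\
# service socket proto wait user server args
echo     stream tcp nowait root internal
echo     dgram  udp wait   root internal
#<off># daytime stream tcp nowait root internal
daytime  dgram  udp wait   root internal
telnet   stream tcp nowait telnetd.telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
#ftp     stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
"""

# Assumption: the services this audit treats as cleartext logins.
CLEARTEXT_LOGIN = {"telnet"}


def enabled_services(conf_text):
    """Return (service, proto, server) for every entry that is not commented out."""
    entries = []
    for line in conf_text.splitlines():
        line = line.strip()
        # Blank lines, comments and disabled entries (Debian's update-inetd
        # disables an entry by prefixing it with '#<off>#') all start with '#'.
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # not a complete service entry
        service, _socktype, proto, _wait, _user, server = fields[:6]
        entries.append((service, proto, server))
    return entries


def audit(conf_text):
    """Return (service, proto, reason) for each enabled entry worth reviewing."""
    findings = []
    for service, proto, server in enabled_services(conf_text):
        if server == "internal":
            findings.append((service, proto, "inetd built-in service enabled"))
        elif service in CLEARTEXT_LOGIN:
            findings.append((service, proto, "cleartext login service enabled"))
    return findings


if __name__ == "__main__":
    for service, proto, reason in audit(SAMPLE_INETD_CONF):
        print(f"{service}/{proto}: {reason}")
```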
