On Wed, Jan 21, 2004 at 01:02:57AM -0500, Nathanael Nerode wrote:
> Henning Makholm wrote:
> >Has to? Unless portmap itself contains exploitable security holes,
> >there's nothing secret about the information it exports, is there?
>
> No. But I was certainly under the impression that it had contained remotely
> exploitable security holes in the past. So...

Well "in the past" can be anything from 1 year ago to 10 years ago, in any case I was pretty sure I had read this before... yep... it's right there hidden in bug #81118, looks like the start of a flame war.

/me looks for popcorn around

In any case, why don't we, instead of worrying about fam, start fixing the fact that portmap is 'standard' (which is ok) and starts a network daemon which many (desktop) users will not have really a need for. Why not have a medium? debconf question asking if it should be started at all.... or have a default 'portmap: LOCAL' (in /etc/hosts.allow) and 'portmap: ALL' (in /etc/hosts.deny) [1].

If the latter [2] this could be done for some other rpc services (rpc.statd, rpc.usersd, rpc.walld) which users might have installed in a standard installation....

Just my 2c.

Javi

[1] Obviously, as long as #101627 is closed, which seems to be (but has not yet been closed)

[2] A third alternative means having it listen only on loopback, but see #112239