
Re: rpc.* services in default install



On Sun, Jan 21, 2001 at 08:15:42AM -0800, Erik Hollensbe wrote:
> 
> I'm sure I missed a few details, but be kind :)
> 
> Basically, I'm having a hard time understanding why the portmapper, rpc.*,
> etc, (especially NFS) are default installed and in runlevel 2.

they are installed yes, but NFS is not actually run unless you have
something in your /etc/exports.  check the initscript and see for
yourself.  nfs-common however does get run regardless of nfs exports
or nfs mounts.  perhaps nfs-common's initscript should check for
exports in /etc/exports and nfs filesystems in /etc/fstab, if none are
found then don't start?  

iirc from my last potato install these are the only rpc services
installed by default.  inetd however had several of its internal
services running by default.  

portmap on its own cannot be compromised to get root, at least not
directly.  portmap changes uid to daemon (not gid though). 

> As I'm sure we all know, these are primary attack points for our
> (not-so) friendly skript kiddies... In fact, I had to rebuild a server
> once because I (stupidly) put a default proxy live on the @home network,
> which, is notorious for this kind of behavior. After he flooded efnet from
> my ip, I make this mistake no more :)

well you should also track security.debian.org, regularly.  

> My bigger point, though, is that even though I caught it after the fact,
> a lot of people do not understand what these services do, and probably
> never touch it. I'm sure a lot of users new to debian and/or unix and
> linux feel similar or just aren't paying attention.

unfortunately these are often the type of users who like to choose
`install everything' options in redhat style installers, so even if
redhat didn't install and start nfsd and everything else by default
the user would have installed them anyway...

> Personally, I would prefer that no suid binaries that serve as daemons are
> installed at default. Most people can apt-get sendmail and whathaveyou,
> and sshd asks if you want it set, etc. And I think I can safely say that
> most users aren't using NFS these days anyways.

i am not so sure about that, NFS is still very useful.  but i would
personally not mind having to apt-get install nfs-kernel-server nfs-common 
to get NFS going.  but see above, i think it's possible to install nfs
but not have any of it running unless it's actually being used.  

as for asking to be started, in some cases that is useful, but most of
the time i prefer the package not ask.  if i'm installing it i think i
want to be running it!  (ssh is an exception since in order to install
the ssh client you must install the ssh daemon.  and there are of
course some daemons needing sysadmin configuration first) 

> This may not be an issue with certain pre-defined install sets, but, it's
> still something to think about.

nfs-common and nfs-kernel-server are priority standard, which means
dselect will select them for installation by default when you first run
it.  (i think tasksel in woody now also installs priority standard by
default)  personally i like priority standard installed, it makes for
a useful reasonably complete unix command line host, as its intended.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
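The start guard Ethan suggests for nfs-common's initscript (skip starting when /etc/exports has no entries and /etc/fstab has no nfs mounts), written out as an added example; this is not code from the original mail or from Debian's nfs-common package. The function names, the constructed exports/fstab sample files, and the decision messages are this example's own assumptions:

```sh
#!/bin/sh
# Added example, not from the original mail or from Debian's nfs-common
# initscript: a start guard that checks /etc/exports for real entries and
# /etc/fstab for nfs mounts. File paths are parameters so the check can run
# against constructed sample files; the function names are this example's own.

# has_exports FILE: succeed if FILE has at least one line that is neither
# blank nor a comment, i.e. at least one real export entry.
has_exports() {
    [ -r "$1" ] && grep -q -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# has_nfs_mounts FILE: succeed if FILE, in fstab format, lists a filesystem
# of type nfs or nfs4 (third field) on a non-comment line.
has_nfs_mounts() {
    [ -r "$1" ] && awk '
        !/^[[:space:]]*#/ && NF >= 3 && ($3 == "nfs" || $3 == "nfs4") { found = 1 }
        END { exit !found }' "$1"
}

# nfs_needed EXPORTS FSTAB: the guard itself. An initscript would run
#   nfs_needed /etc/exports /etc/fstab || exit 0
# before starting any of the nfs-common daemons.
nfs_needed() {
    has_exports "$1" || has_nfs_mounts "$2"
}

# decide EXPORTS FSTAB: print what the initscript would do with these files.
decide() {
    if nfs_needed "$1" "$2"; then
        echo "$1 + $2: start nfs-common"
    else
        echo "$1 + $2: nothing exported, nothing mounted, do not start"
    fi
}

# Constructed sample files (not copied from any real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# an exports file as shipped: only comments and a blank line
printf '# /etc/exports: filesystems which may be exported\n#/srv/homes 192.168.1.0/24(rw)\n\n' > "$SAMPLE_DIR/exports.empty"
# an exports file with one live entry
printf '/srv/homes 192.168.1.0/24(rw,sync)\n' > "$SAMPLE_DIR/exports.live"
# an fstab with only local filesystems
printf '# <file system> <mount point> <type> <options> <dump> <pass>\n/dev/hda1 / ext2 defaults 0 1\nproc /proc proc defaults 0 0\n' > "$SAMPLE_DIR/fstab.local"
# an fstab with a remote home directory
printf '/dev/hda1 / ext2 defaults 0 1\nfileserver:/export/home /home nfs rw,hard,intr 0 0\n' > "$SAMPLE_DIR/fstab.nfs"

decide "$SAMPLE_DIR/exports.empty" "$SAMPLE_DIR/fstab.local"   # do not start
decide "$SAMPLE_DIR/exports.live"  "$SAMPLE_DIR/fstab.local"   # start
decide "$SAMPLE_DIR/exports.empty" "$SAMPLE_DIR/fstab.nfs"     # start
```

Run it with `sh` to see the three decisions. The caveat a practitioner should keep in mind: a guard like this only sees what is written in the two files, so NFS filesystems mounted by hand or through an automounter would not count as "in use" and the daemons would stay down until the script is re-run or the mount is added to /etc/fstab.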


