
Bug#81118: base: Wishlist: High security base system (or separate add-on package)

On 01-01-04 Ethan Benson wrote:
> On Wed, Jan 03, 2001 at 07:50:58PM +0100, Christian Kurz wrote:
> > > apt-get remove telnetd
> > 
> > Well, why do we have telnet enabled after installation? This is a bit
> > security hole and I think this service should be disabled and only be
> > enabled by the admin.

> because telnetd is priority standard, and with dselect (and tasksel in
> woody i think) all priority standard packages are installed by
> default. (well selected by default in your first dselect session, so
> if you do nothing more than run the select step in dselect and then
> install you get priority: standard).

> $ apt-cache show telnetd
> Package: telnetd
> Priority: standard
> Section: net

Hm, what about changing the postinst of telnetd so that I ask the admin
who installs Debian or the package if he really wants to activate
telnetd or not?

> nfsd and nfs-common are also standard, but nfs-kernel-server's
> initscript won't start the daemons if /etc/exports contains no

So that means that this security risk is not opened by default.

> exports.  nfs-common and portmap are started by default though.  (and
> statd had a nice root hole recently) 

And I think we don't need a running portmap as the default for all installed
systems. I think we should also modify this postinst script to ask the
user if he really needs a running portmap or not, and have it turn portmap
off by default.

> > Hm, there are services in /etc/inetd.conf that do not belong to any
> > package, like daytime and echo, and these should be disabled by default.

> agreed these should be off by default. what are these used for that
> makes it necessary for the majority of systems to have them enabled?  

I don't know of any software that relies on these internal services of
inetd. I think they should be turned off by default, so that someone who
still needs one of these services has to explicitly turn it on.

          Debian Developer and Quality Assurance Team Member
    1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853
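
An added example, not part of the original message or of any Debian package: a small shell audit for the point discussed above, listing which inetd.conf entries are still enabled and separating inetd's built-in (`internal`) services such as daytime and echo from entries that start a daemon such as telnetd. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: list services that an inetd.conf-style file leaves enabled.
# Fields: service socket_type protocol wait/nowait user server_program [args]

# audit_inetd FILE
# Prints one line per enabled entry: "<kind> <service>/<protocol> <server>".
# kind is "internal" for inetd built-ins (daytime, echo, ...) and
# "external" for entries that exec a program (e.g. tcpd wrapping in.telnetd).
audit_inetd() {
    awk '
        /^[ \t]*#/ { next }   # commented out, including "#<off>#" lines
        NF < 6     { next }   # blank or malformed line
        {
            kind = ($6 == "internal") ? "internal" : "external"
            print kind, $1 "/" $3, $6
        }
    ' "$1"
}

# count_enabled FILE KIND -> number of enabled entries of that kind
count_enabled() {
    audit_inetd "$1" | awk -v k="$2" '$1 == k { n++ } END { print n + 0 }'
}

# Constructed sample input, not taken from any real system.
write_sample() {
    cat > "$1" <<'EOF'
# /etc/inetd.conf (constructed sample)
echo     stream tcp nowait root internal
echo     dgram  udp wait   root internal
daytime  stream tcp nowait root internal
#discard stream tcp nowait root internal
#<off># time stream tcp nowait root internal
telnet   stream tcp nowait telnetd.telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
EOF
}

# Audit the file given as $1, or the constructed sample when none is given.
if [ -n "${1:-}" ]; then
    audit_inetd "$1"
else
    sample=$(mktemp)
    write_sample "$sample"
    audit_inetd "$sample"
    rm -f "$sample"
fi
```

Every line it prints is a listener that inetd will open; an empty result means nothing in the file is enabled.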
