[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#81118: base: Wishlist: High security base system (or separate add-on package)



On Thu, Jan 04, 2001 at 10:40:46AM +0100, Christian Kurz wrote:
> 
> Hm, what about changing the postinst of telnetd so, that I ask the admin
> who installs debian or the package, if he really wants to activate
> telnetd or not? 

either that or downgrade telnetd to another priority.

> > nfsd and nfs-common are also standard, but nfs-kernel-server's
> > initscript won't start the daemons if /etc/exports contains no
> 
> So that means that this security risk is not by default opened.

correct for nfsd, not for rpc.statd though.

> > exports.  nfs-common and portmap are started by default though.  (and
> > statd had a nice root hole recently) 
> 
> And I think we don't need a running portmap as default for all installed
> system. I think we should also modify this postinst-script to ask the
> user if he really needs a running portmap or not and have it per default
> turn portmap off.

well in unstable portmap is now a seperate package so possibly its
priority could be lowered so the admin would have to install it.  (or
it would be installed when a service requiring portmap is installed
since they must depend on it)  this would require downgrading the
priority on nfs-common (and thus nfsd) along with any other standard
package requiring portmap.  i don't know what the politics of that
would be.  (more then likely a big flamewar where all propronants are
called incompetant morons)

> I don't know any software that relies on this internal services of
> inetd. I think they should be turned off by default, so that if someone
> still needs one of this services has to explicitly turn them on.

fwiw i agree.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpF75nqHWK8I.pgp
Description: PGP signature


Reply to: