Re: portmap (was Re: SECURITY PROBLEM: autofs [all versions])

To: debian-devel@lists.debian.org
Subject: Re: portmap (was Re: SECURITY PROBLEM: autofs [all versions])
From: Anthony Towns <aj@azure.humbug.org.au>
Date: Sat, 8 Jul 2000 00:56:00 +1000
Message-id: <[🔎] 20000708005600.C1637@azure.humbug.org.au>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 3964B791.C492151D@aet-usa.com>; from ccurtis@aet-usa.com on Thu, Jul 06, 2000 at 12:45:05PM -0400
References: <[🔎] 20000705131034.A18926@x8b4e53cd.dhcp.okstate.edu> <[🔎] 39637C9E.F740D61D@aet-usa.com> <[🔎] 20000705182528.R4451@flounder.net> <[🔎] 20000707011257R.dancer@netfort.gr.jp> <[🔎] 3964B791.C492151D@aet-usa.com>

On Thu, Jul 06, 2000 at 12:45:05PM -0400, Christopher W. Curtis wrote:
> The problem with that is that upgrading the package restores the
> symlinks.  Making them K* links preserves them, but then there's
> "symlink clutter"(?).  Not really a big deal, imo, but I guess it hints
> at a larger problem...

What a lot of nonsense.

portmap is in netbase because that's where it's always been. It might
be nice to move it out, but that's not going to happen today, and really
there are a lot more interesting and useful things to worry about.

You have to leave exactly one symlink about for update-rc.d to not
change anything, which, sure, you can call clutter if you're obsessive
compulsive, but in comparison to, say, /usr/doc, or /var/lib/dpkg/info
it's absolutely nothing.

More problematic though, is that netbase and friends not only rerun
update-rc.d on upgrades, but they also restart the service (or run
/etc/init.d/* restart or something similar anyway). So even replacing
all the S* symlinks with K* symlinks, you can still end up with portmap
(or whatever) running when you don't want it. The only correct way to
handle this at the moment is by adding an exit 0 somewhere in your init.d
script. It's ugly, but it works.

A much better solution is possible, but it requires some scripts to be
distributed with dpkg/sysvinit and filerc, and it requires maintainers
to change their calls to /etc/init.d/* restart (or whatever), and some
policy updates to document the new requiremnets. People seem quite happy
to keep complaining about this, but that's been done already, if you
want to do something useful, get the stuff organised make the policy
proposal and generally get a better, working system ready and deployed.

Cheers,
aj, using Christopher's post as a starting point rather than replying
    to it per se.

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

  ``We reject: kings, presidents, and voting.
                 We believe in: rough consensus and working code.''
                                      -- Dave Clark

Attachment: pgpg33wXtAbBL.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: portmap (was Re: SECURITY PROBLEM: autofs [all versions])
  - From: jpb <jpb@creol.ucf.edu>
- Re: portmap (was Re: SECURITY PROBLEM: autofs [all versions])
  - From: Sebastian Rittau <srittau@jroger.in-berlin.de>

References:
- Re: SECURITY PROBLEM: autofs [all versions]
  - From: David Starner <dvdeug@x8b4e53cd.dhcp.okstate.edu>
- Re: SECURITY PROBLEM: autofs [all versions]
  - From: "Christopher W. Curtis" <ccurtis@aet-usa.com>
- Re: SECURITY PROBLEM: autofs [all versions]
  - From: Adam McKenna <adam-debian@flounder.net>
- portmap (was Re: SECURITY PROBLEM: autofs [all versions])
  - From: Junichi Uekawa <dancer@netfort.gr.jp>
- Re: portmap (was Re: SECURITY PROBLEM: autofs [all versions])
  - From: "Christopher W. Curtis" <ccurtis@aet-usa.com>

Prev by Date: Re: Key Signing Coordination Page
Next by Date: Re: portmap (was Re: SECURITY PROBLEM: autofs [all versions])
Previous by thread: Re: portmap (was Re: SECURITY PROBLEM: autofs [all versions])
Next by thread: Re: portmap (was Re: SECURITY PROBLEM: autofs [all versions])
Index(es):
- Date
- Thread