On Mon, Jan 19, 2004 at 04:52:19PM +0100, Josselin Mouette wrote:
> On Mon 19/01/2004 at 15:40, Marco d'Itri wrote:
> > If you feel that a listening portmap is such an unacceptable security
> > risk then have it accept only connections from localhost by default, and
> > ask admins to configure /etc/hosts.allow (like they are supposed to do
> > anyway).
>
> And then you'll break all installed servers using NFS, NIS and so on
> upon upgrade.

I'd rather see this than the proposed behavior. You can't have it both
ways... either you're trying to protect the desktop moron, or you're trying
to facilitate a server arrangement.

If the stated goal is to protect the desktop moron, then DO IT. Configure
hosts.allow and hosts.deny to allow the portmapper to be protected from
anything other than a local address. An administrator should be smart
enough to set things up properly if he needs something additional.

ANYTHING else is "more fragile".
--
Marc Wilson | "Those who believe in astrology are living in houses
msw@cox.net | with foundations of Silly Putty." - Dennis Rawlins,
| astronomer