[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Better defaults in /etc/hosts.allow, /etc/hosts.deny? (was Re: Fam mustn't depend on portmap (was Re: new portmap packages, testers wanted))

Javier Fernández-Sanguino Peña wrote:
On Wed, Jan 21, 2004 at 01:02:57AM -0500, Nathanael Nerode wrote:

Henning Makholm wriote:

Has to? Unless portmap itself contains exploitable security holes,
there's nothing secret about the information it exports, is there?

No. But I was certainly under the impression that it had contained remotely exploitable security holes in the past. So...

Well "in the past" can be anything from 1 year ago to 10 years ago, in any case this I was pretty sure I had read this before... yep... it's right there hidden in bug #81118, looks like the start of a flame war.

/me looks for popcorn around

In any case, why don't we, instead of worrying about fam, start fixing the
fact that portmap is 'standard' (which is ok) and starts a network daemon
which many (desktop) users will not have really a need for.
Quite right, that's the actual issue.

 Why not have a
medium? debconf question asking if it should be started at all....  or have
a default 'portmap: LOCAL' (in /etc/hosts.allow) and 'portmap: ALL' (in
/etc/hosts.deny) [1]. If the later [2] this could be done for some other
rpc services (rpc.statd, rpc.usersd, rpc.walld) which users might have
installed in a standard installation....
Actually this is a good idea and would be a general improvement to Debian. Changing the subject to discuss this. :-)

Just my 2c.
Yours are always worth much more.  ;-)


[1] Obviously, as long as #101627 is closed, which seems to be (but has not yet been closed) [2] A third alternative means having it listen only on loopback, but see #112239

Reply to: