Better defaults in /etc/hosts.allow, /etc/hosts.deny? (was Re: Fam mustn't depend on portmap (was Re: new portmap packages, testers wanted))

[Nathanael Nerode <neroden@twcny.rr.com>]

Javier Fernández-Sanguino Peña wrote:
> On Wed, Jan 21, 2004 at 01:02:57AM -0500, Nathanael Nerode wrote:
>
> > Henning Makholm wriote:
> >
> > > Has to? Unless portmap itself contains exploitable security holes,
> > > there's nothing secret about the information it exports, is there?
> >
> > No.  But I was certainly under the impression that it had contained remotely 
> > exploitable security holes in the past.  So...
>
>
> Well "in the past" can be anything from 1 year ago to 10 years ago, in any 
> case this I was pretty sure I had read this before... yep... it's right 
> there hidden in bug #81118, looks like the start of a flame war.
>
> /me looks for popcorn around
>
> In any case, why don't we, instead of worrying about fam, start fixing the
> fact that portmap is 'standard' (which is ok) and starts a network daemon
> which many (desktop) users will not have really a need for.
Quite right, that's the actual issue.

 Why not have a
> medium? debconf question asking if it should be started at all....  or have
> a default 'portmap: LOCAL' (in /etc/hosts.allow) and 'portmap: ALL' (in
> /etc/hosts.deny) [1]. If the later [2] this could be done for some other
> rpc services (rpc.statd, rpc.usersd, rpc.walld) which users might have
> installed in a standard installation....
Actually this is a good idea and would be a general improvement to 
Debian.  Changing the subject to discuss this.  :-)

> Just my 2c.
Yours are always worth much more.  ;-)

> Javi
>
>
> [1] Obviously, as long as #101627 is closed, which seems to be (but has not 
> yet been closed) 
> [2] A third alternative means having it listen only on loopback, but 
> see #112239