
SecurityPortal Review of Potato

From http://www.securityportal.com/closet/closet20000830.html

]  Moving on. Once the basic install is done, you will discover that
]  several services are enabled in inetd that shouldn't be. Discard,
]  daytime, time, shell, login, and exec (r services) are all enabled by
]  default, few of which (none, in my opinion) are needed on modern
]  systems.

The former three services aren't security problems in Debian (daytime/udp,
time/udp, and echo/udp would be, but they are specifically *not* enabled).

I find myself shocked and horrified (well, surprised, anyway) that he's
actually right about the latter services being enabled. It appears that
rsh-server is depended upon by rstartd (the preferred alternative to ssh,
according to the dependencies, and hence apt), and rstartd is in the
x-window-system task.

I think we need to fix this in r1 (with a new task-x-window-system
package), and IMO an advisory wouldn't be out of place either. It could've
been avoided in the first place if we'd fixed all the "optional package
depends on extra package" bugs, but we didn't. [0]

The lack of fixes (or, more accurately advisories) for both Netscape
and Xchat are also pointed out.

I'm not really sure what the author wants with regard to partitioning.
Without quotas, or separate partitions for each user, it seems to me
that most partitioning schemes "[don't] help other users much" either.
There might be something worth looking into here, at least.

The remainder of the cited problems are largely either "it's a feature
not a bug" issues or just plain wrong, afaict: users' files defaulting
to being public rather than private is certainly how I prefer things,
and MD5 versus crypt passwords; and the author completely neglects to
note that the versions of Apache and ProFTPd distributed by Debian have
the holes he mentions already fixed.

It'd probably be a good idea to send a response correcting some of the
errors; it'd probably be a better idea to make sure the rest are errors
by r1 though.


[0] From http://bugs.debian.org/~wakkerma/unmet.html

       rstart               Depends optional rsh-client extra
       rstart               Depends optional rsh-client extra
       rstartd              Depends optional rsh-server extra
       rstartd              Depends optional rsh-server extra

    There are lots of similar problems with other task packages.

Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

  ``We reject: kings, presidents, and voting.
                 We believe in: rough consensus and working code.''
                                      -- Dave Clark
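An added audit helper, not from the mail above nor from Debian: it lists the services that are active (uncommented) in an inetd.conf and flags the ones the review names, run here against a constructed sample file; the function names and the sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for the services the review complains
# about (discard, daytime, time, shell, login, exec). Not Debian's own code.

# Constructed sample inetd.conf; it is not the real Debian 2.2 default file.
SAMPLE_INETD_CONF=$(cat <<'EOF'
# /etc/inetd.conf (constructed sample)
#:INTERNAL: Internal services
#echo     stream tcp nowait root internal
discard   stream tcp nowait root internal
daytime   stream tcp nowait root internal
#daytime  dgram  udp wait   root internal
time      stream tcp nowait root internal
#:BSD: Shell, login, exec and talk are BSD protocols.
shell     stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd
login     stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind
exec      stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd
ftp       stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
EOF
)

# Print "service/proto" for every active line (comments and blanks skipped).
enabled_inetd_services() {
    # $1: path to an inetd.conf
    awk '$0 !~ /^[[:space:]]*(#|$)/ { print $1 "/" $3 }' "$1"
}

# Print only the active entries whose service name is on the watch list.
flag_risky_services() {
    # $1: path to an inetd.conf
    enabled_inetd_services "$1" |
        awk -F/ 'BEGIN { split("discard daytime time shell login exec", w, " ")
                         for (i in w) risky[w[i]] = 1 }
                 ($1 in risky) { print }' | sort
}

# Stand-alone run: write the sample to a temp file and audit it.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_INETD_CONF" > "$tmp"
flag_risky_services "$tmp"
rm -f "$tmp"
```

Point it at the real /etc/inetd.conf to see which of the six entries an installed system still has active.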
