Re: rlinetd security

To: jap3003+response@ksu.edu
Cc: "Sami J. Juvonen" <sami@juvonen.org>, debian@stirfried.vegetable.org.uk, "Noah L. Meyerhans" <frodo@morgul.net>, Debian Security List <debian-security@lists.debian.org>
Subject: Re: rlinetd security
From: Dale Southard <southard1@llnl.gov>
Date: 19 Jun 2001 14:57:56 -0700
Message-id: <[🔎] ub6elsgw2sb.fsf@zonker.llnl.gov>
In-reply-to: <[🔎] 20010619162713.B10333@ksu.edu>
References: <[🔎] 20010618134850.G1282@morgul.net> <[🔎] 166780000.992955411@kleenex> <[🔎] 20010619105847.B22841@morgul.net> <[🔎] 86d780wlhc.fsf@potato.vegetable.org.uk> <[🔎] 87y9qo6xmz.fsf@kampela.juvonen.org> <[🔎] ub6n174w5bh.fsf@zonker.llnl.gov> <[🔎] 20010619162713.B10333@ksu.edu>

Actually, your version is a little more complex than the IRIX version.
Under IRIX there are seperate files for each service, rather than a
single file with on/off entries for each service.  In other words
`echo on > /etc/config/xdm` and `chkconfig xdm on` do exactly the same
thing under IRIX.

IRIX sometimes uses multiple chkconfig entries in tne same rc script,
eg turning off `network' also prevents named, nfs, timed, routed, and
lots of other services from starting.  All told there are about 50
chkconfig flags on a normal IRIX install.

Also note that /etc/rc?.d isn't really guaranteed by anything other
than convention.  I can easily write init.d scripts that do the wrong
thing, and updating/reinstalling can put rc?.d symlinks back in (which
is how we got on this subject to begin with).  Under IRIX, the
chkconfig convention is entrenched and works quite well.  Wether or
not it would be a useful addition to Debian is another question....

Joseph Pingenot <jap3003@ksu.edu> writes:

> From Dale Southard on Tuesday, 19 June, 2001:
> Hrm.  That could be rather easy to implement.  The guaranteed
>   way to see if something's going to be started or not, though,
>   is still /etc/rc?.d
> 
> If you want to, you can replace them and create an easy
>   script, such as
> 
> --/sbin/chkdconfig--
> #!/bin/bash
> 
> #returns 1 if daemon is enabled, 0 otherwise.
> 
> if [ -z "$1" ]; then
>   echo "Error: No daemon process specified"
>   exit 0;
> fi
> 
> configfile=/etc/checkdconfig
> line=`grep -i "^$1=" $configfile 2>/dev/null | head -1`
> if [ $? -ne 0 ]; then
>   #No such line existed.  Return 0.
> fi
> 
> setting=`echo $line | sed 's/^.*=//'`;
> setting=`echo $setting | perl -we '$_ = <STDIN>; s/\s+//g; print;'`
> case "$setting" in
>   'on'|'ON'|'On'|'oN'|'yes'|'YES'|'Yes'|'YEs'|'yEs'|'yES'|'yeS'|'1')
>      exit 1
>      ;;
>    *)
>      exit 0
>      ;;
> esac
> exit 0
> --end chkdconfig--
> 
> please, no comments on my perl or bash-scripting (lack of) abilities.  ;)
> All that would then remain is to alter the rc scripts to check chkconfig
>   and to NOT populate it with daemon=value lines.  :)

-- 

/*  Dale Southard Jr.       southard1@llnl.gov        925-422-1463  */
/*  Computer Scientist, Accelerated Strategic Computing Initiative  */
/*  L-550,  Lawrence Livermore National Lab,  Livermore CA   94551  */
/*  AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving  */

Reply to:

Follow-Ups:
- Re: rlinetd security
  - From: Joseph Pingenot <jap3003@ksu.edu>

References:
- Re: rlinetd security
  - From: Noah Meyerhans <noahm@debian.org>
- Re: rlinetd security
  - From: Stuart Krivis <ipswitch@apk.net>
- Re: rlinetd security
  - From: "Noah L. Meyerhans" <frodo@morgul.net>
- Re: rlinetd security
  - From: Tim Haynes <debian@stirfried.vegetable.org.uk>
- Re: rlinetd security
  - From: sami@juvonen.org (Sami J. Juvonen)
- Re: rlinetd security
  - From: Dale Southard <southard1@llnl.gov>
- Re: rlinetd security
  - From: Joseph Pingenot <jap3003@ksu.edu>

Prev by Date: Re: Basic question about ipchains being useful
Next by Date: Re: rlinetd security
Previous by thread: Re: rlinetd security
Next by thread: Re: rlinetd security
Index(es):
- Date
- Thread