
Re: rlinetd security



>From Dale Southard on Tuesday, 19 June, 2001:
>Actually, your version is a little more complex than the IRIX version.
>Under IRIX there are separate files for each service, rather than a
>single file with on/off entries for each service.  In other words
>`echo on > /etc/config/xdm` and `chkconfig xdm on` do exactly the same
>thing under IRIX.

Erm, seems like a waste of disk space to me.  1 block just to say "on"?
  Ah well.

>IRIX sometimes uses multiple chkconfig entries in the same rc script,
>eg turning off `network' also prevents named, nfs, timed, routed, and
>lots of other services from starting.  All told there are about 50
>chkconfig flags on a normal IRIX install.

Hrm.  I suppose one could add ':depends' after the setting.  e.g.
  daemon=status:dependencies
if you wanted to do the same thing.  That would maybe make it a perl
  script (you could still do it as a sh-script, though).
  I suppose my script shouldn't have relied on perl, though.  Or grep/sed,
  although grep/sed are pretty small and should be included on minimal
  installs.
Then recursively walk through the dependencies, although you would then
  need some way to make sure you weren't going to loop back on yourself,
  causing an infinite loop.  Ah well.

>Also note that /etc/rc?.d isn't really guaranteed by anything other
>than convention.  I can easily write init.d scripts that do the wrong
>thing, and updating/reinstalling can put rc?.d symlinks back in (which
>is how we got on this subject to begin with).  Under IRIX, the
>chkconfig convention is entrenched and works quite well.  Whether or
>not it would be a useful addition to Debian is another question....

Also true.  And you can always go back to /etc/inittab.  :)  I guess
  all these things need to be changed in order to keep security.  Maybe
  a quick little checksec script to do this?  :)

checksec /path/to/daemon

So many options, so much scripting that can be done.  :)

                              -Joseph
-- 
Joseph==============================================jap3003@ksu.edu
"IBM were providing source code in the 1960's under similar terms. 
VMS source code was available under limited licenses to customers 
from the beginning. Microsoft are catching up with 1960."
   --Alan Cox,  http://www2.usermagnet.com/cox/index.html
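
The dependency walk with loop protection sketched in the message above, as an added example that is not part of the original post. The `CHKCONF` sample data, the comma separator between dependencies, and the function names `svc_entry` and `svc_enabled` are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed sample flag file in the "daemon=status:dependencies" form
# suggested above. Comma-separated dependencies are an assumption.
CHKCONF='network=on
named=on:network
nfs=on:network,portmap
portmap=off
timed=on:routed
routed=on:timed
xdm=on'

# Print the "status:deps" part for one service; fail if it has no entry.
# The name is passed as an awk variable, never spliced into a pattern.
svc_entry() {
    printf '%s\n' "$CHKCONF" |
        awk -F= -v s="$1" '$1 == s { print $2; found = 1; exit }
                           END { exit !found }'
}

# svc_enabled NAME [SEEN]
#   exit 0: NAME and everything it depends on is "on"
#   exit 1: NAME or one of its dependencies is "off"
#   exit 2: unknown service or dependency loop (fail closed: do not start)
# The body runs in a subshell, so every variable is local to one call.
svc_enabled() (
    name=$1
    seen=${2:-}
    # A name already on the current path means we looped back on ourselves.
    case " $seen " in *" $name "*) exit 2 ;; esac
    entry=$(svc_entry "$name") || exit 2
    status=${entry%%:*}
    deps=
    case $entry in *:*) deps=${entry#*:} ;; esac
    [ "$status" = on ] || exit 1
    rc=0
    IFS=,
    for dep in $deps; do
        r=0
        svc_enabled "$dep" "$seen $name" || r=$?
        if [ "$r" -gt "$rc" ]; then rc=$r; fi
    done
    exit "$rc"
)

# Demo: report the effective state of a few services.
for s in named nfs timed xdm; do
    rc=0; svc_enabled "$s" || rc=$?
    echo "$s: $rc"
done
```

An rc script would start its daemon only when `svc_enabled` exits 0, so a loop or a missing entry leaves the service off rather than on.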


