From owner-freebsd-questions@FreeBSD.ORG Sat May 13 01:35:10 2006
Return-Path:
X-Original-To: questions@freebsd.org
Delivered-To: freebsd-questions@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9049816A4AC for ; Sat, 13 May 2006 01:35:10 +0000 (UTC) (envelope-from wmc20@xxiii.com)
Received: from imf24aec.mail.bellsouth.net (imf24aec.mail.bellsouth.net [205.152.59.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id ED97843D45 for ; Sat, 13 May 2006 01:35:09 +0000 (GMT) (envelope-from wmc20@xxiii.com)
Received: from ibm70aec.bellsouth.net ([68.209.177.221]) by imf24aec.mail.bellsouth.net with ESMTP id <20060513013509.YYVW9063.imf24aec.mail.bellsouth.net@ibm70aec.bellsouth.net> for ; Fri, 12 May 2006 21:35:09 -0400
Received: from wcox.bellsouth.net ([68.209.177.221]) by ibm70aec.bellsouth.net with ESMTP id <20060513013504.NEIV4378.ibm70aec.bellsouth.net@wcox.bellsouth.net>; Fri, 12 May 2006 21:35:04 -0400
Message-Id: <6.2.3.4.2.20060512211215.02e9ee20@mailsvr.xxiii.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.3.4
Date: Fri, 12 May 2006 21:35:13 -0400
To: Eric Schuele
From: wc_fbsd@xxiii.com
In-Reply-To: <44652B91.3030509@computer.org>
References: <4464B95D.1040702@computer.org> <20060512171515.GC34035@catflap.slightlystrange.org> <4464CEDA.80906@computer.org> <6.0.0.22.2.20060512152402.026a60c8@mail.computinginnovations.com> <6.2.3.4.2.20060512163433.02e85298@mailsvr.xxiii.com> <44652B91.3030509@computer.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freeBSD Questions
Subject: Re: Pros and Cons of running under inetd....
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 13 May 2006 01:35:12 -0000

At 08:42 PM 5/12/2006, Eric Schuele wrote:
>You say tcpwrappers are compiled into ftpd? Are you sure? How can
>I "enable" or otherwise use them? If I add things to hosts.allow
>they seem to have no influence. This would solve my problem as I
>would not need inetd.

My bad. It seems it does not. It's running from inetd on the box I regularly edit hosts.allow on.

The performance benefit inetd once offered -- not having a lot of background processes for seldom-used services -- is not a big deal today. But security-wise, spawning other programs that would otherwise just be directly listening on a port doesn't seem terribly insecure. Could it even be argued to be beneficial? -- you have a single, simple piece of code accepting the initial connections, instead of 20 processes doing the same thing with 20 different pieces of code, any one of which could have an exploit. If an exploit was conceived that could take advantage of lots of programs listening on any old socket, it seems the vulnerability would be lessened, or at least easier to fix.

I don't claim to be an expert security guy or OS programmer, but so far I haven't heard an explanation besides "don't do that".

-Wayne
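The two things discussed in this message, the inetd model of one accept loop in front of many services and the hosts.allow check Eric asked about, as an added Python example that is not part of the original message and is not FreeBSD's inetd(8) or libwrap code. It assumes a deliberately cut-down hosts.allow syntax (`daemon_list : client_list : allow|deny`, with `ALL`, dotted prefixes, CIDR blocks and exact addresses; first matching line wins; no match allows, as libwrap does) and uses a hypothetical echo program in place of ftpd. The sample hosts.allow text is constructed for the example.

```python
"""Toy inetd-style super-server with a hosts.allow check done once in the parent.

Added example for this thread, not FreeBSD's inetd(8) or libwrap. It shows the
model described in the message: one small accept loop in front of the service,
with the peer-address check made before any service code runs at all.
The hosts.allow dialect is a small subset (an assumption, not the real grammar):
    daemon_list : client_list : allow|deny
with ALL, IPv4 prefixes ("192.168.1."), CIDR ("10.0.0.0/8") and exact
addresses; first matching line wins; no match means allow, as in libwrap.
"""
import ipaddress
import socket
import subprocess
import sys
from typing import List, Tuple

# Constructed sample; on FreeBSD the real file is /etc/hosts.allow.
SAMPLE_HOSTS_ALLOW = """
# comment and blank lines are ignored
ftpd : 192.168.1. 10.0.0.0/8 : allow
ftpd : ALL : deny
ALL : 127.0.0.1 : allow
ALL : ALL : deny
"""

Rule = Tuple[List[str], List[str], bool]   # (daemons, clients, allow?)


def parse_hosts_allow(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[2].lower() not in ("allow", "deny"):
            raise ValueError(f"unsupported rule (subset parser): {raw!r}")
        rules.append((parts[0].split(), parts[1].split(), parts[2].lower() == "allow"))
    return rules


def client_matches(pattern: str, addr: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # network prefix, e.g. "192.168.1."
        return addr.startswith(pattern)
    if "/" in pattern:                   # CIDR block
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return addr == pattern               # exact address


def access_allowed(rules: List[Rule], daemon: str, addr: str) -> bool:
    for daemons, clients, allow in rules:
        if ("ALL" in daemons or daemon in daemons) and any(
            client_matches(c, addr) for c in clients
        ):
            return allow                 # first matching line decides
    return True                          # libwrap grants access when nothing matches


def hand_off(conn: socket.socket, argv: List[str]) -> subprocess.Popen:
    """What inetd does after accept(): the service is started with the connected
    socket as its stdin/stdout and never touches the listening socket."""
    proc = subprocess.Popen(argv, stdin=conn, stdout=conn, close_fds=True)
    conn.close()                         # the child now owns the connection
    return proc


def super_server(port: int, daemon: str, argv: List[str], rules: List[Rule],
                 max_conns: int = 1) -> int:
    """Accept loop for one service on 127.0.0.1; returns how many connections were handed off."""
    served = 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as lsock:
        lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        lsock.bind(("127.0.0.1", port))
        lsock.listen(16)
        while served < max_conns:
            conn, (addr, _port) = lsock.accept()
            if not access_allowed(rules, daemon, addr):
                conn.close()             # refused before a service process exists
                continue
            hand_off(conn, argv)
            served += 1
    return served


def demo_echo(payload: bytes = b"hello from client\n") -> bytes:
    """Stand-in for a real accept(): a socketpair plays the accepted connection
    and a tiny echo program (hypothetical, in place of ftpd) plays the service."""
    echo = [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read())"]
    client, accepted = socket.socketpair()
    proc = hand_off(accepted, echo)
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)      # EOF for the service, as a closing client gives
    data = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:
            break
        data += chunk
    client.close()
    proc.wait()
    return data


if __name__ == "__main__":
    rules = parse_hosts_allow(SAMPLE_HOSTS_ALLOW)
    for who in ("192.168.1.7", "10.20.30.40", "203.0.113.5"):
        print("ftpd from", who, "->", "allow" if access_allowed(rules, "ftpd", who) else "deny")
    print(demo_echo())
```

The point the message makes is visible in `super_server`: a refused client is dropped in the parent and no service process is ever created, so the service's own code runs only for peers that passed the check. For the question of whether a standalone daemon honours hosts.allow on its own, running `ldd` on the binary shows whether it is linked against libwrap.so; a daemon that does not link it, and is not started through inetd (which does its own wrapping), ignores the file entirely.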