From: sthaug@nethelp.no
To: andre@pipeline.ch
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)
In-Reply-To: Your message of "Tue, 28 Jul 1998 11:20:30 +0200"
References: <35BD97DE.2E242C6E@pipeline.ch>
Date: Tue, 28 Jul 1998 12:27:42 +0200
Message-ID: <13879.901621662@verdi.nethelp.no>

> > I do think that the section on eliminating inetd needs some fleshing out,
> > though. Some servers, such as all of the POP3 daemons I've tried, don't
> > seem to admit themselves to being run except from inetd. Also, the section
> > should discuss the dangers of having a server die without any automatic
> > means to resuscitate it. For example, the docs for identd warn against
> > running it without inetd, since if it quits it will not be restarted.
> > Perhaps a utility that checks for the presence of servers and restarts them
> > if they've died could be developed as part of this effort and perhaps added
> > to the FreeBSD distribution.
>
> There's a nice tool called tcpserver avail from DJB (we all love his
> coding style): ftp://koobera.math.uic.edu/www/ucspi-tcp.html

For those who are interested in high security and in eliminating inetd,
I'd recommend Marcus Ranum's simplified inetd. See the enclosed message.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

----------------------------------------------------------------------

From: mjr@tis.com (Marcus J. Ranum)
Subject: Re: Frigging inetd!!!!
Date: 26 Oct 1993 19:07:53 GMT

[I added comp.security.unix to the distribution and dropped the gopher
group, since this is really a security rant, and part of an ongoing rant
from comp.security.unix]

> Why not just get a copy of the source for inetd and rebuild it
> for your system? Also, there is a new program called xinetd, which
> is supposed to be an augmented inetd that has built in security. I've
> got the source code, but I have not had much of a chance to play with
> it yet.

Here I must insert my mandatory rant about "augmentation" "features"
and "security."

Xinetd has (presumably) a huge number of features. It's also a
relatively huge piece of code. Compare it to the BSD inetd sources:

Program                            Modules   Lines of Code
-------                            -------   -------------
inetd, from BSD Net-2                    1             964
xinetd, minus support libraries         36           11801

For a security critical application like inetd, the last thing you want
is security at the price of 12 times as much code. Large programs that
do security critical things (sendmail, xinetd, wuarchive-ftpd, Xterm)
are traditionally a snakepit of security holes.

The idea of "built in security" is contrary to most formal security
practices. The security critical policy sections should be clearly
isolated from the rest of the code that does bookkeeping or whatever
else. I enclose below a version of inetd that's 80 lines of code. The
security critical section is clearly visible. More importantly, the
implementation is small enough that when I showed a copy to a friend,
he instantly spotted a bug. It's a lot easier to spot a bug in a 1 page
program, than in an 11,801 line program that is 36+ files in 2
directories.
Also, this version of inetd is not vulnerable to attacks on inetd.conf
since it doesn't use one, and doesn't have any argument limitations on
the invoked programs. It doesn't support UDP services, but then, from a
security standpoint, UDP services make me all nervous anyhow.

Note, too, that the code has only one comment. It's simple enough that
it needs no comments.

mjr.
------------------------------

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <netdb.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

void
reap(int sig)
{
	int s;

	while(waitpid(-1,&s,WNOHANG) > 0);
}

int
main(int ac, char *av[])
{
	struct sockaddr_in mya;
	struct servent *sp;
	fd_set muf;
	int myfd, new, x, maxfd = getdtablesize();

	openlog("inetd",LOG_PID,LOG_DAEMON);
	if(ac < 3) {
		syslog(LOG_ERR,"usage: %s serviceport command [args]",av[0]);
		exit(1);
	}
	signal(SIGCHLD,reap);
	if((myfd = socket(AF_INET,SOCK_STREAM,0)) < 0) {
		syslog(LOG_ERR,"socket : %m");
		exit(1);
	}
	memset(&mya,0,sizeof(mya));
	mya.sin_family = AF_INET;
	if((sp = getservbyname(av[1],"tcp")) == (struct servent *)0) {
		if(atoi(av[1]) <= 0) {
			syslog(LOG_ERR,"Cannot interpret %s as service",av[1]);
			exit(1);
		}
		mya.sin_port = htons(atoi(av[1]));
	} else
		mya.sin_port = sp->s_port;
	if(bind(myfd,(struct sockaddr *)&mya,sizeof(mya))) {
		syslog(LOG_ERR,"bind: %m");
		exit(1);
	}
	/* END SECURITY CRITICAL CODE */
	/* setuid(4); */
	if(listen(myfd,1) < 0) {
		syslog(LOG_ERR,"listen: %m");
		exit(1);
	}
	for(;;) {
		FD_ZERO(&muf);
		FD_SET(myfd,&muf);
		if(select(myfd + 1,&muf,0,0,0) != 1 || !FD_ISSET(myfd,&muf))
			continue;
		if((new = accept(myfd,0,0)) < 0)
			continue;
		if(fork() == 0) {
			for(x = 2; x < maxfd; x++)
				if(x != new)
					close(x);
			for(x = 0; x < NSIG; x++)
				signal(x,SIG_DFL);
			dup2(new,0);
			close(new);
			dup2(0,1);
			dup2(0,2);
			execv(av[2],av + 2);
			syslog(LOG_ERR,"exec %s: %m",av[2]);
			exit(1);
		}
		close(new);
	}
}
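Two pieces the minimal inetd above leaves loose, written here as an added example and not part of Ranum's post or the FreeBSD list: strict handling of the serviceport argument (atoi() accepts "80abc" and 70000), and the privilege drop that the commented-out setuid(4) stands in for, which belongs between the privileged bind() and listen() so that neither the accept loop nor any child runs as root. The user name passed to drop_privileges is whatever unprivileged account the operator chooses.

```c
#include <ctype.h>
#include <grp.h>
#include <netdb.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>

/* Non-empty and made only of decimal digits (digits_only), or of the
 * letters, digits and punctuation that /etc/services names are built from. */
static int valid_arg(const char *s, int digits_only)
{
    if (*s == '\0') return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        int ok = digits_only ? isdigit(c)
                             : (isalnum(c) || c == '-' || c == '_' || c == '.' || c == '+');
        if (!ok) return 0;
    }
    return 1;
}

/* Resolve the serviceport argument.  A numeric argument must be digits only
 * and lie in 1..65535; anything else is looked up as a TCP service name.
 * Returns the port in host byte order, or -1 if the argument is rejected. */
int resolve_tcp_port(const char *arg)
{
    if (valid_arg(arg, 1)) {
        long v = strtol(arg, NULL, 10);
        return (v >= 1 && v <= 65535) ? (int)v : -1;
    }
    if (!valid_arg(arg, 0)) return -1;
    struct servent *sp = getservbyname(arg, "tcp");
    if (sp == NULL) return -1;
    int port = ntohs((unsigned short)sp->s_port);
    return port > 0 ? port : -1;
}

/* Call after bind() and before listen(): clear supplementary groups, set gid,
 * then uid, and confirm root cannot be regained.  0 on success, -1 otherwise. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0) return -1;
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0)
        return -1;
    if (setuid(0) == 0 || setgid(0) == 0) return -1;  /* must be irreversible */
    return 0;
}
```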