Date: Thu, 24 Dec 1998 01:05:51 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: Barrett Richardson <brich@aye.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Do I really need inetd?
Message-ID: <Pine.BSF.3.96.981224010109.28486B-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.3.96.981224000443.29305A-100000@phoenix.aye.net>
On Thu, 24 Dec 1998, Barrett Richardson wrote:

> I have all my necessary network services running as daemons. In the
> face of recent discoveries of problems caused for inetd by nmap
> and various things I've come to the conclusion that I really don't
> need inetd -- another variable I can eliminate from the mix.
>
> Any undesirable side effects come to mind?

Some daemons are more secure when running under inetd (they don't require
privilege to bind a low port number under inetd). Inetd provides a good
point to put wrappers for additional auditing and access control not
supported by all daemons. Inetd also provides some limited anti-DOS
capabilities.

Example: fingerd does not require privileged access when run from inetd,
as inetd will pass connections onto it from the <1024 port 79. But if you
run it without inetd, it will require root access initially to acquire the
listening socket. Arguably, this is an issue with the capability design,
but inetd provides an adequate solution in the case of a service like
fingerd.

If you only run daemons that require privilege anyway, then inetd indeed
just adds another variable--on the other hand, it can be an organizing
variable that makes the machine easier to manage and audit. Additional
source code can always be interpreted as additional risk, but this risk
seems well calculated in most cases.

To close down all network services, I'd rather just kill inetd than hunt
down pid's for other daemons :-).

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
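The fingerd case above turns on one mechanism: the superserver binds the privileged port once, while it still holds root, and each accepted connection is handed to the service on file descriptors 0/1/2 after switching to the configured unprivileged user, so the service itself never binds anything. The following is an added illustration written for this archive page, not code from the thread or from FreeBSD's inetd. It parses a constructed inetd.conf-style line, binds a listener, and forks/execs a service with the connection as its standard descriptors. The finger entry path /usr/libexec/fingerd is a placeholder, the WELL_KNOWN_PORTS table is a fallback invented for hosts without /etc/services, and /bin/cat stands in for fingerd (it echoes the query back) so the loopback self-test runs without root on port 0.

```python
"""Minimal inetd-style superserver (added example, not the thread's code).
inetd binds the low port as root once; the service gets the accepted
connection on fds 0/1/2 and runs as an unprivileged user."""
import os
import pwd
import socket

# Constructed inetd.conf(5)-style sample; the field order is the real one:
#   service socket_type proto wait|nowait user program [argv...]
SAMPLE_INETD_CONF = """\
# service  type    proto  wait    user    program               args
finger     stream  tcp    nowait  nobody  /usr/libexec/fingerd  fingerd -s
"""

# Fallback for hosts without /etc/services; only the one name used here.
WELL_KNOWN_PORTS = {"finger": 79}


def service_port(service, proto):
    """Numeric port as-is, else /etc/services lookup, else the tiny table."""
    if service.isdigit():
        return int(service)
    try:
        return socket.getservbyname(service, proto)
    except OSError:
        return WELL_KNOWN_PORTS[service]


def parse_inetd_conf(text):
    """Parse stream/tcp entries into dicts; comments and blank lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"malformed inetd line: {raw!r}")
        service, stype, proto, wait, user, path = fields[:6]
        if (stype, proto) != ("stream", "tcp"):
            raise ValueError(f"only stream/tcp handled here: {raw!r}")
        entries.append({
            "service": service,
            "port": service_port(service, proto),
            "nowait": wait == "nowait",  # nowait: one child per connection
            "user": user,
            "path": path,
            "argv": fields[6:] or [os.path.basename(path)],
        })
    return entries


def bind_listener(port, host="127.0.0.1"):
    """inetd does this once, as root; a port below 1024 needs that privilege."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((host, port))
    lsock.listen(16)
    return lsock


def drop_privileges(user):
    """Child side: become the service user before exec (no-op if not root)."""
    if os.geteuid() != 0:
        return
    pw = pwd.getpwnam(user)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)


def spawn_service(conn, entry):
    """Fork; the child gets the connection as fds 0/1/2, drops root, execs.
    Python sockets are close-on-exec, so the listener never leaks into the
    service: it sees exactly one connection and nothing else."""
    pid = os.fork()
    if pid == 0:
        try:
            for target in (0, 1, 2):
                os.dup2(conn.fileno(), target)
            drop_privileges(entry["user"])
            os.execv(entry["path"], entry["argv"])
        finally:
            os._exit(127)  # reached only if something above failed
    return pid


def serve_once(listener, entry):
    """Body of inetd's accept loop for one nowait connection."""
    conn, _peer = listener.accept()
    pid = spawn_service(conn, entry)
    conn.close()  # parent keeps no copy; only the child holds the socket
    return pid


def exercise(entry, request):
    """Loopback self-test: bind, connect, hand off, send request, read reply.
    Returns (reply_bytes, service_exit_code). Port 0 picks a free high port,
    so this runs unprivileged; as root it really switches to entry['user']."""
    listener = bind_listener(entry["port"])
    port = listener.getsockname()[1]
    client = socket.create_connection(("127.0.0.1", port), timeout=5)
    pid = serve_once(listener, entry)  # the connect above waited in the backlog
    client.sendall(request)
    client.shutdown(socket.SHUT_WR)  # EOF on the service's stdin
    reply = b""
    while chunk := client.recv(4096):
        reply += chunk
    client.close()
    listener.close()
    _, status = os.waitpid(pid, 0)
    return reply, os.waitstatus_to_exitcode(status)


# Constructed stand-in: /bin/cat plays fingerd and echoes the query back.
ECHO_ENTRY = parse_inetd_conf("0 stream tcp nowait nobody /bin/cat cat")[0]

if __name__ == "__main__":
    print(parse_inetd_conf(SAMPLE_INETD_CONF)[0])
    print(exercise(ECHO_ENTRY, b"robert\r\n"))
```

The point to check against a standalone daemon is where root is needed: only bind_listener touches the privileged port, and it runs in the superserver; the service process starts after drop_privileges, so a bug in it is confined to the configured user. Run the block as root and the child really does exec /bin/cat as nobody; run it unprivileged and the same code path still works on an ephemeral port.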