From owner-freebsd-security Wed Dec 23 22:06:08 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA14793 for freebsd-security-outgoing; Wed, 23 Dec 1998 22:06:08 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA14785 for <freebsd-security@FreeBSD.ORG>; Wed, 23 Dec 1998 22:06:06 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id BAA28515; Thu, 24 Dec 1998 01:05:52 -0500 (EST)
Date: Thu, 24 Dec 1998 01:05:51 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson <robert@cyrus.watson.org>
To: Barrett Richardson
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Do I really need inetd?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 24 Dec 1998, Barrett Richardson wrote:

> I have all my necessary network services running as daemons. In the
> face of recent discoveries of problems caused for inetd by nmap
> and various things I've come to the conclusion that I really don't
> need inetd -- another variable I can eliminate from the mix.
>
> Any undesirable side effects come to mind?

Some daemons are more secure when running under inetd (they don't require
privilege to bind a low port number under inetd). Inetd provides a good
point to put wrappers for additional auditing and access control not
supported by all daemons. Inetd also provides some limited anti-DOS
capabilities.

Example: fingerd does not require privileged access when run from inetd,
as inetd will pass connections on to it from the <1024 port 79. But if
you run it without inetd, it will require root access initially to
acquire the listening socket.
Arguably, this is an issue with the capability design, but inetd provides
an adequate solution in the case of a service like fingerd. If you only
run daemons that require privilege anyway, then inetd indeed just adds
another variable -- on the other hand, it can be an organizing variable
that makes the machine easier to manage and audit. Additional source code
can always be interpreted as additional risk, but this risk seems well
calculated in most cases.

To close down all network services, I'd rather just kill inetd than hunt
down PIDs for other daemons :-).

Robert N Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University http://www.cmu.edu/
TIS Labs at Network Associates, Inc. http://www.tis.com/
SafePort Network Services http://www.safeport.com/