From owner-freebsd-security  Wed Nov 18 10:58:35 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id KAA19745
          for freebsd-security-outgoing; Wed, 18 Nov 1998 10:58:35 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from rgate.ricochet.net (rgate1.ricochet.net [204.179.143.6])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA19582
          for <freebsd-security@FreeBSD.ORG>; Wed, 18 Nov 1998 10:57:51 -0800 (PST)
          (envelope-from enkhyl@scient.com)
Received: from mg139-159.ricochet.net (mg139-159.ricochet.net [204.179.139.159])
	by rgate.ricochet.net (8.8.8/8.8.8) with ESMTP id MAA17148;
	Wed, 18 Nov 1998 12:57:07 -0600 (CST)
Date: Wed, 18 Nov 1998 10:56:09 -0800 (PST)
From: Christopher Nielsen <enkhyl@scient.com>
X-Sender: enkhyl@ender.sf.scient.com
Reply-To: enkhyl@hayseed.net
To: Garance A Drosihn <drosih@rpi.edu>
cc: William McVey <wam@sa.fedex.com>, freebsd-security@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure? & sendmail changes in
 OpenBSD 2.4
In-Reply-To: <v0401170fb2779962d724@[128.113.24.47]>
Message-ID: <Pine.BSF.4.05.9811181053450.413-100000@ender.sf.scient.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 17 Nov 1998, Garance A Drosihn wrote:

> At 2:14 PM -0600 11/17/98, William McVey wrote:
> >Cliff Skolnick wrote:
> >>  I am more concerned about stand alone daemons like sendmail,
> >>  syslog, apache, etc.
> >
> > Most of these services could easily be modified to start from
> > inetd as wait services.  Basically, inetd does the port binding,
> > setuid-ing, and execing, just like it always does.  As I've
> > mentioned before, sendmail can definitely run in this manner.
> > So could most web servers.
> 
> Seems to me the performance implications for web serving is
> not very attractive.  In my case I just go with a minimalist
> web server (not apache, I think the name is just "thtppd")
> to reduce the security exposure.  (well, it reduces the
> feature set too, of course, but I don't need the missing
> features).

Using 'wait' eliminates the performance problem, since inetd
essentially hands the socket over to the daemon and won't listen
for new connections until it exits.

-- 
Christopher Nielsen
Scient: The eBusiness Systems Innovator
<http://www.scient.com>
cnielsen@scient.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message