Date: Tue, 31 Jul 2001 23:48:34 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.org>
To: arch@FreeBSD.org
Cc: stable@FreeBSD.org
Subject: Patch to modify default inetd.conf, have sysinstall prompt to edit inetd.conf
Message-ID: <Pine.NEB.3.96L.1010731233839.54921B-200000@fledge.watson.org>
[-- Attachment #1 --]
One of the observations that has been made fairly frequently to me is that
the current default inetd.conf puts many FreeBSD users at risk
unnecessarily, as many of them have moved to using SSH for remote access
needs. In particular, in light of the recent ftpd and telnetd security
bugs, it seems like 4.4-RELEASE would be a good time to move to a more
conservative default of having both of these services disabled in the base
install, as both NetBSD and OpenBSD have moved to doing.
The attached patch modifies inetd.conf to disable all services by default,
and expands on the comments in the header so as to be more instructive
concerning enabling and disabling services. It also modifies sysinstall
such that enabling inetd in the post-install configuration describes inetd
more than previously, mentions the risks, and then also presents the
opportunity to edit inetd.conf if inetd is enabled. Also, during the
normal install, the user is automatically prompted to enable or disable
inetd in much the same style as the NFS server.
I believe this addresses concerns about enabling remote telnetd login
during install, which was one of the primary reasons to leave it enabled
by default. Note that this does not disable the installation of the
necessary software, merely disables it by default, so users can enable them
again easily by modifying inetd.conf, either with the help of sysinstall,
or manually. These changes select a safe default, but hopefully offer the
necessary flexibility for users needing the services specifically.
I've gotten reviews on content and configurability from Warner Losh, Chris
Costello, and Jake Burkholder. Assuming no one seriously objects (or only
a small number of people do), I'll commit to -CURRENT within a day or so,
and MFC (pending RE approval) shortly thereafter. Clearly, it would be
desirable to have this in as many of the release snapshots as possible.
Here, for the patch-impaired, are a couple of excerpts from sysinstall, so
that language can be evaluated for readability and comprehensibility for
more novice users:
    [ ] Gateway       This machine will route packets between interfaces
    [X] inetd         This machine wants to run the inet daemon
    [X] NFS client    This machine will be an NFS client

  ----------------------- User Confirmation Requested -----------------------
  The Internet Super Server (inetd) allows a number of simple Internet
  services to be enabled, including finger, ftp, and telnetd. Enabling
  these services may increase risk of security problems by increasing
  the exposure of your system.

  With this in mind, do you wish to enable inetd?

                              [ Yes ]     No
  ---------------------------------------------------------------------------

  ----------------------- User Confirmation Requested -----------------------
  Inetd relies on its configuration file, /etc/inetd.conf, to determine
  which Internet services will be available. The default FreeBSD
  inetd.conf leaves all services disabled by default, so they must be
  specifically enabled in the configuration file before they will
  function, even once inetd is enabled.

  Select [Yes] now to invoke an editor on /etc/inetd.conf, or [No] to
  use the current settings.
  ---------------------------------------------------------------------------
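As an added example (not part of the original message or of the FreeBSD tree), a small POSIX shell check that lists which entries of an inetd.conf-format file are actually active and verifies that ftp and telnet remain disabled, run here over a constructed sample that follows the default the patch introduces:

```shell
#!/bin/sh
# Constructed sample in the etc/inetd.conf format from the patch above:
# every entry commented out except ntalk, which an admin has re-enabled.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
#
# Internet server configuration database
#
#ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#ftp     stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
ntalk    dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
#comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
EOF

# Print "service protocol user" for each active entry: a line that is
# neither blank nor a comment and carries the inetd.conf(5) fields
# (service socket-type protocol wait/nowait user program [args]).
inetd_enabled_services() {
    awk '!/^[[:space:]]*(#|$)/ && NF >= 6 { print $1, $3, $5 }' "$1"
}

# Succeed only if none of the named services is active in the file.
# Usage: inetd_check_disabled /etc/inetd.conf ftp telnet
inetd_check_disabled() {
    conf=$1
    shift
    status=0
    for svc in "$@"; do
        if inetd_enabled_services "$conf" | grep -q "^$svc "; then
            echo "WARNING: $svc is still enabled in $conf" >&2
            status=1
        fi
    done
    return $status
}

inetd_enabled_services "$SAMPLE_CONF"
inetd_check_disabled "$SAMPLE_CONF" ftp telnet && echo "ftp and telnet are disabled"
```

Pointed at a real /etc/inetd.conf, the second function gives a one-line audit of whether the conservative default survived local edits.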
[-- Attachment #2 --]
? usr.sbin/sysinstall/keymap.h
? usr.sbin/sysinstall/rtermcap
? usr.sbin/sysinstall/makedevs.c
? usr.sbin/sysinstall/sysinstall
? usr.sbin/sysinstall/sysinstall.8.gz
Index: usr.sbin/sysinstall/config.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/sysinstall/config.c,v
retrieving revision 1.183
diff -u -r1.183 config.c
--- usr.sbin/sysinstall/config.c 2001/07/17 04:09:50 1.183
+++ usr.sbin/sysinstall/config.c 2001/08/01 03:34:59
@@ -955,6 +955,38 @@
}
int
+configInetd(dialogMenuItem *self)
+{
+ char cmd[256];
+
+ WINDOW *w = savescr();
+
+ if (msgYesNo("The Internet Super Server (inetd) allows a number of simple Internet\n"
+ "services to be enabled, including finger, ftp, and telnetd. Enabling\n"
+ "these services may increase risk of security problems by increasing\n"
+ "the exposure of your system.\n\n"
+ "With this in mind, do you wish to enable inetd?\n")) {
+ variable_set2("inetd_enable", "NO", 1);
+ } else {
+ /* If inetd is enabled, we'll need an inetd.conf */
+
+ if (!msgYesNo("inetd(8) relies on its configuration file, /etc/inetd.conf, to determine\n"
+ "which Internet services will be available. The default FreeBSD\n"
+ "inetd.conf(5) leaves all services disabled by default, so they must be\n"
+ "specifically enabled in the configuration file before they will\n"
+ "function, even once inetd(8) is enabled.\n\n"
+ "Select [Yes] now to invoke an editor on /etc/inetd.conf, or [No] to\n"
+ "use the current settings.\n")) {
+ sprintf(cmd, "%s /etc/inetd.conf", variable_get(VAR_EDITOR));
+ dialog_clear();
+ systemExecute(cmd);
+ variable_set2("inetd_enable", "YES", 1);
+ }
+ }
+ restorescr(w);
+}
+
+int
configNFSServer(dialogMenuItem *self)
{
char cmd[256];
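Review bot: `variable_set2("inetd_enable", "YES", 1)` is reached only on the editor path, so a user who answers Yes to "do you wish to enable inetd?" and then No to editing /etc/inetd.conf leaves inetd_enable unset; move that call out of the inner `if` so the first Yes always records `inetd_enable=YES`. configInetd is also declared `int` but returns nothing on any path, which matters now that menus.c uses it as a menu callback; add an explicit return like the neighbouring config functions. Finally, `sprintf(cmd, "%s /etc/inetd.conf", variable_get(VAR_EDITOR))` writes into a fixed 256-byte buffer from a user-settable variable; prefer `snprintf(cmd, sizeof cmd, ...)` and check that variable_get did not return NULL.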
Index: usr.sbin/sysinstall/dispatch.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/sysinstall/dispatch.c,v
retrieving revision 1.38
diff -u -r1.38 dispatch.c
--- usr.sbin/sysinstall/dispatch.c 2001/07/05 09:51:09 1.38
+++ usr.sbin/sysinstall/dispatch.c 2001/08/01 03:35:05
@@ -52,6 +52,7 @@
} resWords[] = {
{ "configAnonFTP", configAnonFTP },
{ "configRouter", configRouter },
+ { "configInetd", configInetd },
{ "configNFSServer", configNFSServer },
{ "configNTP", configNTP },
{ "configPCNFSD", configPCNFSD },
Index: usr.sbin/sysinstall/install.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/sysinstall/install.c,v
retrieving revision 1.300
diff -u -r1.300 install.c
--- usr.sbin/sysinstall/install.c 2001/07/17 04:09:50 1.300
+++ usr.sbin/sysinstall/install.c 2001/08/01 03:35:18
@@ -573,6 +573,10 @@
variable_set2("gateway_enable", "YES", 1);
dialog_clear_norefresh();
+ if (!msgNoYes("Do you want to configure inetd and simple internet services?"))
+ configInetd(self);
+
+ dialog_clear_norefresh();
if (!msgNoYes("Do you want to have anonymous FTP access to this machine?"))
configAnonFTP(self);
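Review bot: answering No at this msgNoYes prompt skips configInetd entirely, so inetd_enable is never written, whereas answering Yes and then declining inside configInetd writes `inetd_enable=NO`; consider setting NO on the outer No as well so the generated configuration records the choice explicitly. Since the ftp entries in etc/inetd.conf are now commented out, the anonymous FTP prompt that follows can only yield a reachable service if the user enabled inetd and uncommented ftp, so one of the two prompts should mention that dependency.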
Index: usr.sbin/sysinstall/menus.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/sysinstall/menus.c,v
retrieving revision 1.310
diff -u -r1.310 menus.c
--- usr.sbin/sysinstall/menus.c 2001/07/31 21:30:57 1.310
+++ usr.sbin/sysinstall/menus.c 2001/08/01 03:35:53
@@ -235,6 +235,7 @@
{ " FTP sites", "The FTP mirror site listing.", NULL, dmenuSubmenu, NULL, &MenuMediaFTP },
{ " Gateway", "Set flag to route packets between interfaces.", dmenuVarCheck, dmenuToggleVariable, NULL, "gateway=YES" },
{ " HTML Docs", "The HTML documentation menu", NULL, docBrowser },
+ { " inetd Configuration", "Configure inetd and simple internet services.", dmenuVarCheck, configInetd, NULL, "inetd_enable=YES" },
{ " Install, Standard", "A standard system installation.", NULL, installStandard },
{ " Install, Express", "An express system installation.", NULL, installExpress },
{ " Install, Custom", "The custom installation menu", NULL, dmenuSubmenu, NULL, &MenuInstallCustom },
@@ -1332,7 +1333,7 @@
{ " Gateway", "This machine will route packets between interfaces",
dmenuVarCheck, dmenuToggleVariable, NULL, "gateway_enable=YES" },
{ " inetd", "This machine wants to run the inet daemon",
- dmenuVarCheck, dmenuToggleVariable, NULL, "inetd_enable=YES" },
+ dmenuVarCheck, configInetd, NULL, "inetd_enable=YES" },
{ " NFS client", "This machine will be an NFS client",
dmenuVarCheck, dmenuToggleVariable, NULL, "nfs_client_enable=YES" },
{ " NFS server", "This machine will be an NFS server",
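Review bot: swapping dmenuToggleVariable for configInetd turns this checkbox from a toggle into a dialog: selecting it again re-runs both prompts, and answering No at the first one is now the only way to clear it. Its checked state still comes from dmenuVarCheck on `inetd_enable=YES`, which configInetd sets only after the editor path, so a user who enables inetd but declines editing sees the box stay unchecked; either keep toggle semantics here or make configInetd set YES on every enable path.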
Index: usr.sbin/sysinstall/sysinstall.h
===================================================================
RCS file: /home/ncvs/src/usr.sbin/sysinstall/sysinstall.h,v
retrieving revision 1.209
diff -u -r1.209 sysinstall.h
--- usr.sbin/sysinstall/sysinstall.h 2001/07/17 04:09:50 1.209
+++ usr.sbin/sysinstall/sysinstall.h 2001/08/01 03:36:06
@@ -447,6 +447,7 @@
extern int configXDesktop(dialogMenuItem *self);
extern int configRouter(dialogMenuItem *self);
extern int configPCNFSD(dialogMenuItem *self);
+extern int configInetd(dialogMenuItem *self);
extern int configNFSServer(dialogMenuItem *self);
extern int configWriteRC_conf(dialogMenuItem *self);
extern int configSecurityProfile(dialogMenuItem *self);
Index: etc/inetd.conf
===================================================================
RCS file: /home/ncvs/src/etc/inetd.conf,v
retrieving revision 1.48
diff -u -r1.48 inetd.conf
--- etc/inetd.conf 2001/03/30 10:25:40 1.48
+++ etc/inetd.conf 2001/08/01 03:36:10
@@ -2,12 +2,14 @@
#
# Internet server configuration database
#
-# define *both* IPv4 and IPv6 entries for dual-stack support.
+# Define *both* IPv4 and IPv6 entries for dual-stack support.
+# To disable a service, comment it out by prefixing the line with '#'.
+# To enable a service, remove the '#' at the beginning of the line.
#
-ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
-ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l
-telnet stream tcp nowait root /usr/libexec/telnetd telnetd
-telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd
+#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
+#ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l
+#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
+#telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd
#shell stream tcp nowait root /usr/libexec/rshd rshd
#shell stream tcp6 nowait root /usr/libexec/rshd rshd
#login stream tcp nowait root /usr/libexec/rlogind rlogind
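Review bot: the new header lines explain the `#` convention for individual services but not that inetd itself must also be switched on; since the sysinstall text in this patch tells users that services stay off "even once inetd is enabled", a one-line pointer to the inetd_enable rc variable here would close the loop for people editing the file by hand.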
@@ -17,10 +19,13 @@
#exec stream tcp nowait root /usr/libexec/rexecd rexecd
#uucpd stream tcp nowait root /usr/libexec/uucpd uucpd
#nntp stream tcp nowait usenet /usr/libexec/nntpd nntpd
+#
# run comsat as root to be able to print partial mailbox contents w/ biff,
# or use the safer tty:tty to just print that new mail has been received.
-comsat dgram udp wait tty:tty /usr/libexec/comsat comsat
-ntalk dgram udp wait tty:tty /usr/libexec/ntalkd ntalkd
+#comsat dgram udp wait tty:tty /usr/libexec/comsat comsat
+#
+# ntalk is required for the 'talk' utility to work correctly
+#ntalk dgram udp wait tty:tty /usr/libexec/ntalkd ntalkd
#tftp dgram udp wait nobody /usr/libexec/tftpd tftpd /tftpboot
#bootps dgram udp wait root /usr/libexec/bootpd bootpd
#