Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 28 Jul 1998 12:27:42 +0200
From:      sthaug@nethelp.no
To:        andre@pipeline.ch
Cc:        security@FreeBSD.ORG
Subject:   Re: FreeBSD Security How-To (Was: QPopper exploit)
Message-ID:  <13879.901621662@verdi.nethelp.no>
In-Reply-To: Your message of "Tue, 28 Jul 1998 11:20:30 %2B0200"
References:  <35BD97DE.2E242C6E@pipeline.ch>

next in thread | previous in thread | raw e-mail | index | archive | help
> > I do think that the section on eliminating inetd needs some fleshing out,
> > though. Some servers, such as all of the POP3 daemons I've tried, don't
> > seem to admit themselves to being run except from inetd. Also, the section
> > should discuss the dangers of having a server die without any automatic
> > means to resuscitate it. For example, the docs for identd warn against
> > running it without inetd, since if it quits it will not be restarted.
> > Perhaps a utility that checks for the presence of servers and restarts them
> > if they've died could be developed as part of this effort and perhaps added
> > to the FreeBSD distribution.
> 
> There's a nice tool called tcpserver avail from DJB (we all love his
> coding style): ftp://koobera.math.uic.edu/www/ucspi-tcp.html

For those who are interested in high security and in eliminating inetd,
I'd recommend Marcus Ranum's simplified inetd. See the enclosed message.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
----------------------------------------------------------------------
From: mjr@tis.com (Marcus J. Ranum)
Subject: Re: Frigging inetd!!!!
Date: 26 Oct 1993 19:07:53 GMT

[I added comp.security.unix to the distribution and dropped the
gopher group, since this is really a security rant, and part of
an ongoing rant from comp.security.unix]

>	Why not just get a copy of the source for inetd and rebuild it
>for your system?  Also, there is a new program called xinetd, which
>is supposed to be an augmented inetd that has built in security.  I've
>got the source code, but I have not had much of a chance to play with
>it yet.

	Here I must insert my mandatory rant about "augmentation"
"features" and "security."

	Xinetd has (presumably) a huge number of features. It's also
a relatively huge piece of code. Compare it to the BSD inetd sources:

Program                                     Modules   Lines of Code
-------                                     -------   -------------
inetd, from BSD Net-2                          1          964
xinetd, minus support libraries               36        11801

	For a security critical application like inetd, the last
thing you want is security at the price of 12 times as much code.
Large programs that do security critical things (sendmail, xinetd,
wuarchive-ftpd, Xterm) are traditionally a snakepit of security
holes.

	The idea of "built in security" is contrary to most formal
security practices. The security critical policy sections should
be clearly isolated from the rest of the code that does bookkeeping
or whatever else.

	I enclose below a version of inetd that's 80 lines of code.
The security critical section is clearly visible. More importantly,
the implementation is small enough that when I showed a copy to a
friend, he instantly spotted a bug. It's a lot easier to spot a
bug in a 1 page program, than in an 11,801 line program that is
36+ files in 2 directories. Also, this version of inetd is not
vulnerable to attacks on inetd.conf since it doesn't use one,
and doesn't have any argument limitations on the invoked programs.
It doesn't support UDP services, but then, from a security standpoint,
UDP services make me all nervous anyhow. Note, too, that the code
has only one comment. It's simple enough that it needs no comments.

mjr.
------------------------------
#include	<sys/types.h>
#include	<sys/signal.h>
#include	<sys/socket.h>
#include	<netinet/in.h>
#include	<syslog.h>
#include	<netdb.h>

reap()
{
	int	s;
	while(wait(&s) != -1);
}

main(ac,av)
int	ac;
char	*av[];
{
	struct	sockaddr_in	mya;
	struct	servent		*sp;
	fd_set			muf;
	int			myfd, new, x, maxfd = getdtablesize();

	openlog("inetd",LOG_PID,LOG_DAEMON);
	if(ac < 3) {
		syslog(LOG_ERR,"usage: %s serviceport command [args]",av[0]);
		exit(1);
	}
	signal(SIGCLD,reap);
	if((myfd = socket(AF_INET,SOCK_STREAM,0)) < 0) {
		syslog(LOG_ERR,"socket : %m");
		exit(1);
	}
	mya.sin_family = AF_INET;
	bzero(&mya.sin_addr,sizeof(mya.sin_addr));
	if((sp = getservbyname(av[1],"tcp")) == (struct servent *)0) {
		if(atoi(av[1]) <= 0) {
			syslog(LOG_ERR,"Cannot interpret %s as service",av[1]);
			exit(1);
		}
		mya.sin_port = htons(atoi(av[1]));
	} else
		mya.sin_port = sp->s_port;

	if(bind(myfd,(struct sockaddr *)&mya,sizeof(mya))) {
		syslog(LOG_ERR,"bind: %m");
		exit(1);
	}

	/* END SECURITY CRITICAL CODE */
	/* setuid(4); */

	if(listen(myfd,1) < 0) {
		perror("listen");
		exit(1);
	}

loop:	FD_ZERO(&muf);
	FD_SET(myfd,&muf);
	if(select(myfd + 1,&muf,0,0,0) != 1 || !FD_ISSET(myfd,&muf))
		goto loop;
	if((new = accept(myfd,0,0)) < 0)
		goto loop;
	if(fork() == 0) {
		for(x = 2; x < maxfd; x++)
			if(x != new)
				close(x);
		for(x = 0; x < NSIG; x++)
			signal(x,SIG_DFL);
		dup2(new,0);
		close(new);
		dup2(0,1);
		dup2(0,2);
		execv(av[2],av + 2);
		syslog(LOG_ERR,"exec %s: %m",av[2]);
		exit(1);
	}
	close(new);
	goto loop;
}


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?13879.901621662>