Pros and Cons of running under inetd....

Derek Ragona derek at computinginnovations.com
Sat May 13 03:55:15 PDT 2006


I did not give any more information about the security hole as I don't 
recall the exact exploit.  However, from my bad memory, it was something that 
inet can inadvertently run an application which can easily get root 
privileges.  Inet itself runs as root.  If you want the real details, as I 
previously said, you can look it up in the security archives on the FreeBSD 
lists or in SANS postings at sans.org.

         -Derek


At 08:35 PM 5/12/2006, wc_fbsd at xxiii.com wrote:
>At 08:42 PM 5/12/2006, Eric Schuele wrote:
>>You say tcpwrappers are compiled into ftpd?  Are you sure?  How can I 
>>"enable" or otherwise use them?  If I add things to hosts.allow they seem 
>>to have no influence.  This would solve my problem as I would not need inetd.
>
>My bad.  It seems it does not.  It's running from inetd on the box I 
>regularly edit hosts.allow on.
>
>The performance benefit inetd once offered -- not having a lot of 
>background processes for seldom used services -- is not a big deal 
>today.  But security-wise, spawning other programs that would just be 
>directly listening on a port otherwise doesn't seem terribly 
>insecure.  Could it even be argued beneficial? -- you have a single, 
>simple piece of code accepting the initial connections, instead of 20 
>processes doing the same thing with 20 different pieces of code, any one 
>of which could have an exploit.  If an exploit was conceived that could 
>take advantage of lots of programs listening on any old socket, it seems the 
>vulnerability would be lessened, or at least easier to fix.
>
>I don't claim to be an expert security guy or OS programmer, but so far I 
>haven't heard an explanation besides "don't do that".
>
>    -Wayne
>_______________________________________________
>freebsd-questions at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
