[ITA] inetutils-1.5-1
Charles Wilson
cygwin@cwilson.fastmail.fm
Tue Feb 26 02:44:00 GMT 2008
Corinna Vinschen wrote:
> On Feb 24 22:07, Charles Wilson wrote:
>> I'm tossing my hat in for #3. It's basically a new port, using the
>> previous patches (1.3.2-37 vs. upstream 1.3.2) as a guide, because none of
>> the patches seemed to apply cleanly, and there were other issues as well.
>
> Yippee! Charles, there is no number of gold stars in the known universe
> to express my gratitude :)))
You're welcome.
> For a start, maybe you should change the default motd. I just couldn't
> think of something better way back when, but the message is rather
> boring, isn't it?
OK. I hadn't really given those sorts of things much thought.
> And, maybe it's time to start to be more cautious by default and
> disable all service entries in /etc/defaults/etc/inetd.conf?
You're probably right. Existing users' inetd.confs will not get
overwritten -- but they will have to manually edit them anyway, given
the executable name changes. New users...will have to read the README.
Or perhaps I could make a REALLY smart iu-config
The 'chargen' service is blah blah blah...describe security issues...
Do you want to enable the 'chargen' service? [yes/no]
etc.
What do you think, further, of requiring tcp_wrappers, and having the
default inetd.conf file explicitly use /usr/sbin/tcpd (even if the line
is commented out and entirely disabled)?
> A few minutes ago I found a security problem with rshd.c which I just
> fixed by uploading 1.3.2-40, and which you copied verbatim into the 1.5
> rshd.c:
>
Probably need something similar in rexecd, too. I'll take a look before
posting 1.5-2.
> Since the check if seteuid fails is missing so far, you will run rsh
> commands under the SYSTEM account for every user on 2003 upwards!
Urk. That's bad.
> In -40 I changed the description in inetutils-1.3.2.README substantially
> to explain this problem.
I will track all of your changes as we go forward (you probably saw I
copied in your README verbatim as inetutils.OLD-README).
>> (3) Added a new option to inetd: -T/--traditional-daemon, which does the
>> regular fork/daemonize behavior. This is used with the (also provided)
>> sysvinit-style startup script, so that inetd can be run under the control
>> of the sysvinit package's init daemon. So now, there are THREE ways to run
>> inetd as a service:
>> a) install as a service using cygrunsrv (with the -D option)
>> b) installed as a service under its own power
>> c) as a slave to the init service, using /etc/rc.d/init.d/inetd (which
>> uses the -T option when invoking inetd)
>
> Given the problem with the SYSTEM account, maybe we should deprecate
> usage b.
Well, I kinda wanted to avoid a huge "flag day" thing where stuff just
stopped working for people (well, except for the server executable names
thing).
But I could definitely see "method (b) is supported NT, 2000, and XP
only", encouraging people to use method (a) or (c).
Right now, neither your version nor my version of iu-config actually
installs (or even offers to install) inetd as a service. If the new
iu-config became more like syslogd-config or sshd-host-config, then I
could see it defaulting to method (a).
> Maybe an install script (iu-config?) could do something
> along the lines of the ssh-host-config script.
Hmmm...I've got an idea...cue ominous music...
> I would be willing
> to switch the ssh-host-config script from the "sshd_server" user name
> to something like "cygwin_svc" or so.
How about a new package, "cygwin-services-helper" or somesuch, that contains
(1) a script [*] derived from the appropriate portion of
sshd-host-config, whose job is to create the appropriate priveleged user
(I like 'cygwin_svc') -- unless it already exists under either name
('cygwin_svc' or 'sshd_server').
(2) maybe another script [*] whose job is to ascertain whether such a
user already exists, and return its name (or "" if not).
It would be up to the calling foo-config to use these two scripts
appropriately. And, of course, the user might have to enter the
password for the priveleged user account twice: once when it is created,
and then again (by foo-config) to install the service 'foo'.
Then, openssh (and inetutils, and syslog-ng, and sysvinit, ...) could
all depend on the "cygwin-services-helper" package.
[*] or maybe a script function library somewhere like
/usr/lib/cygwin-services/ that foo-config could 'source', and then call
the functions directly. This would help the "enter the password twice"
problem...
> And maybe the iu-config script
> could re-use the sshd_server user if it already exists...
Right. See above.
BTW, with the new inetd.d/ support, sshd-host-config doesn't have to
edit the inetd.conf file directly. It can have a
/etc/defaults/etc/inetd.d/sshd
file, that it either installs to /etc/inetd.d/ or not. (ditto /etc/xinetd.d)
--
Chuck
More information about the Cygwin-apps
mailing list