>Number:         1323
>Category:       bin
>Synopsis:       inetd (rc) runs before securelevel is raised!
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Aug  8 21:05:02 1995
>Last-Modified:
>Originator:     John Hawkinson
>Organization:
MIT SIPB
>Release:        -current
>Environment:
System: NetBSD lola-granola 1.0A NetBSD 1.0A (LOLA) #72: Mon Aug 7 11:57:26 EDT 1995 mycroft@lola-granola:/afs/sipb.mit.edu/project/netbsd/dev/current-source/build/i386_nbsd1/sys/arch/i386/compile/LOLA i386


>Description:

	rlogin and telnet and other services are accessible in the window
	between the start of inetd and the end of execution of /etc/rc.
	This means that logins are possible and users can do nasty stuff
	while securelevel is still 0.

>How-To-Repeat:
	Login as remotely (for instance, as root) and do all manner of
	nasty things as soon as a machine comes up.
>Fix:
	I'm really not sure. Perhaps inetd should check securelevel and
	sleep unless invoked with a particular option. Perhaps telnetd and
	rlogind and half-a-zillion other daemons should check securelevel
	before permitting logins?
	??
>Audit-Trail:
>Unformatted: