Subject: Re: inetd.conf [sommerfeld@netbsd.org: CVS commit: basesrc]
To: Anders Magnusson <ragge@ludd.luth.se>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-net
Date: 06/06/2000 09:26:56
> I think in that case it is better to have inetd=NO and all normal services
> turned on in inetd.conf. In this case it is much easier to turn everything
> on (as I have for example).

I strongly disagree.

Leaving things turned on in inetd.conf by default is worse than what
we have now from a security standpoint.  Most security compromises
I've seen come from unneeded services (e.g., break-ins through imapd on
linux boxes which didn't have any reason to receive mail).

If we did things the way you describe, users needing one service will
start inetd and get everything, and fall victim to a
bug/misconfiguration in a "normal" service they don't need, didn't
know about, and don't care about...

					- Bill
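
Added example (not part of the original message): a shell check for the situation described above, listing what an inetd.conf would actually start and flagging every active entry that is not on an explicit allowlist. The function names and the sample file are constructed for illustration, and NetBSD's host:service address prefixes are assumed not to be in use.

```shell
#!/bin/sh
# Audit an inetd.conf: which entries are active, and which of those did
# nobody ask for? All names here are hypothetical; sample data is constructed.

# Print "service protocol" for every active (uncommented) entry.
enabled_services() {
    awk '
        /^[ \t]*#/ { next }    # commented-out entry: disabled
        NF < 6     { next }    # blank line or not a full service entry
        { print $1, $3 }
    ' "$1"
}

# Print active entries whose service name is not in the allowlist ($2...).
unneeded_services() {
    _conf=$1; shift
    _allow=" $* "
    enabled_services "$_conf" | while read -r svc proto; do
        case "$_allow" in
            *" $svc "*) ;;                  # explicitly wanted
            *) echo "$svc/$proto" ;;        # listening, but not requested
        esac
    done
}

# Constructed sample: a file shipped with "normal" services left enabled.
sample_conf() {
    cat <<'EOF'
# constructed sample, not a real system file
ftp     stream tcp nowait root   /usr/libexec/ftpd        ftpd -ll
telnet  stream tcp nowait root   /usr/libexec/telnetd     telnetd
#shell  stream tcp nowait root   /usr/libexec/rshd        rshd -L
imap    stream tcp nowait root   /usr/local/libexec/imapd imapd
finger  stream tcp nowait nobody /usr/libexec/fingerd     fingerd
EOF
}

# Demo: the admin only wanted ftp, then turned inetd on.
demo=$(mktemp)
sample_conf > "$demo"
unneeded_services "$demo" ftp
rm -f "$demo"
```

Run against a real file as `unneeded_services /etc/inetd.conf ftp`; an empty result means only the requested services are active.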