Subject: HylaFAX security advisory and config changes
To: None <>
From: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
List: tech-pkg
Date: 06/29/2002 13:42:34

the freshly installed 'audit-packages' gives me a warning


Running /etc/security.local:
Package hylafax-4.1nb3 has a local-root-shell vulnerability, see


which is obsolete since the changes that

refer to are present in the current package. Can somebody please update the
list of vulnerabilities accordingly?

And while I'm at it:

1) I'd prefer to see HylaFAX run under its own userid instead of 'uucp'. On
machines that actually run UUCP (like mine) two sets of daemons with
different work sets are running under the same uid just because they
(potentially) share a tty.

2) The comms/hylafax package currently runs the hfaxd daemon standalone.
Small sites that send five faxes a day may be better off with running hfaxd
from inetd. After the following change, rc.d/hylafax does not start hfaxd
if an entry for it is present in /etc/inetd.conf:


--- rc.d/hylafax        Sun Jun 23 22:58:48 2002
+++ /usr/pkg/etc/rc.d/hylafax   Wed Jun 26 22:21:34 2002
@@ -10,9 +10,12 @@
 case ${command} in
        if [ -x /usr/pkg/libexec/hfaxd -a -f /var/spool/hylafax/etc/config
] ; then
-           echo -n 'Starting hfaxd'
-           /usr/pkg/libexec/hfaxd -i 4559 -o 4557 -s 444
+           echo -n 'Starting'
+           # start hfaxd standalone if not run by inetd
+           if `egrep '^[^#]+hfaxd.+$' /etc/inetd.conf >/dev/null 2>&1`; then
+               echo -n ' hfaxd'
+               /usr/pkg/libexec/hfaxd -i 4559 -o 4557 -s 444
+           fi
            echo ' faxq.'



/~\  The ASCII Ribbon Campaign       "They that can give up essential liberty
\ /    No HTML/RTF in email          to obtain a little temporary safety
 X     No Word docs in email         deserve neither liberty nor safety."
/ \  Respect for open standards                    -- Benjamin Franklin, 1759