Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 61660

Summary: Too open permissions and connectivity in default setup
Product: [Retired] Red Hat Linux Reporter: Santeri Paavolainen <santtu>
Component: famAssignee: Alexander Larsson <alexl>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: medium    
Version: 7.2   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2002-03-22 18:37:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Santeri Paavolainen 2002-03-22 18:37:42 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9+) Gecko/20020319

Description of problem:
By default, fam is enabled through xinetd, and according to man page in this
case fam ignores the local_only configuration flag.

This is dangerous for machines connected publicly, since this opens a new venue
of attack to machines. The default case should be restricted, especially in this
case since there is no realistic need for average (non-power-user) to access fam
from non-local machine.

"lsof -i" on fam:

fam        1426   root    0u  IPv4   1128       TCP localhost.localdomain:1025
(LISTEN)
fam        1426   root    1u  IPv4   1128       TCP localhost.localdomain:1025
(LISTEN)
fam        1426   root    2u  IPv4   1128       TCP localhost.localdomain:1025
(LISTEN)


Note: It is not enough that "there is no known security bugs in fam." One must
consider the risk of each open port and program, and weigh them against risks.
In this case fam is clearly not needed in the default case to be open to world,
so it being accessible from other than local machine adds unnecessary risk to
the whole installation.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Default install.

Additional info:
Comment 1 Alexander Larsson 2002-03-22 23:02:53 UTC 
The default fam xinetd file binds to 127.0.0.1 only. This is only reachable from
the machine itself, and is not open to the world.