First Last Prev Next    This bug is not in your last search results.
Bug 122615 - cyrus-imapd is active by default; it shouldn't be
cyrus-imapd is active by default; it shouldn't be
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: cyrus-imapd (Show other bugs)
rawhide
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: John Dennis
Brian Brock
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-05-06 07:50 EDT by Barry K. Nathan
Modified: 2007-11-30 17:10 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-05-11 07:56:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Barry K. Nathan 2004-05-06 07:50:55 EDT 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040504

Description of problem:
By default, server daemons in Fedora Core tend to not start up unless
chkconfig or the equivalent has been used to change that. (Look at
dhcpd, named, mysqld, httpd, innd, so on and so forth.) Even those
that do start up are configured to listen only to local connections by
default (look at sendmail for instance).

However, cyrus-imapd, as currently packaged, does not comply to this.
Instead it starts up by default. This is especially odd since another
IMAP server, dovecot, is also packaged in Fedora Core 2 but does not
show this behavior (it is not enabled by default).

IMO it would be more consistent and more secure for cyrus-imapd to be
configured like other packages. (Yes, the firewall mitigates this in
the typical case, but defense in depth is good IMO.)

Version-Release number of selected component (if applicable):
cyrus-imapd-2.2.3-8

How reproducible:
Always

Steps to Reproduce:
1. Perform an "Everything" install.
2. Reboot into the installed system and (if needed for step 3) become
root.
3. Use "ntsysv" or other methods to see which daemons are activated by
default and which ones are not.
4. While you're at it, try temporarily disabling the firewall and nmap
this host from a different host.
    

Actual Results:  As described above, cyrus-imapd is active by default.
Also, look at this list of ports from nmap:

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-06
04:50 PDT
Interesting ports on 192.168.0.63:
(The 1651 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
110/tcp   open  pop3
111/tcp   open  rpcbind
143/tcp   open  imap
993/tcp   open  imaps
995/tcp   open  pop3s
2000/tcp  open  callbook
32770/tcp open  sometimes-rpc3

Ports 110, 143, 993, 995 and 2000 are *all* being used by cyrus-imapd.
That's over *half* of the open ports on the machine!

Expected Results:  I expected ports 110, 143, 993, 995 and 2000 to be
closed or at least only lisntening locally, and I expected cyrus-imapd
to not be active by default.

Additional info:

In Fedora Core 1, an Everything install offers pretty reasonable
security out-of-the-box, even in situations where the firewall has to
be disabled for one reason or another. I would *hate* anything that
threatens to bring us back to the days where an Everything install is
a security disaster waiting to happen. I *really* want to see this
fixed before Fedora Core 2 release!
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.