Bug 133683 - /etc/services should be marked config(noreplace)
Summary: /etc/services should be marked config(noreplace)
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: setup (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Rik van Riel
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords: EasyFix
Depends On: 171906
Blocks: FC3Target FC3BugWeekTracker
TreeView+ depends on / blocked
 
Reported: 2004-09-26 08:35 UTC by Nicolas Mailhot
Modified: 2007-11-30 22:10 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-01-31 10:56:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Nicolas Mailhot 2004-09-26 08:35:55 UTC
Description of problem:

Right now when /etc/services is updated it will replace the old
version. This is a security problem since it may disable iptables the
next time it is launched if the firewall configuration uses ports the
user added manually to the local section.

Since iptables is not checked when services is updated the failure can
occur much later. People do not allways stay before the boot screen to
check no service failed (and since the system will usually behave the
same without iptables the problem might not be identified till the
system is rooted)

Comment 1 Rik van Riel 2004-09-27 16:30:22 UTC
Taking as part of bugweek.

Comment 2 Rik van Riel 2004-09-27 16:32:39 UTC
Fixed in setup-2.5.34-2

Comment 3 Owen Taylor 2004-09-27 16:35:42 UTC
Of course, this means that now if you edit /etc/services, packages
may not work correctly. Really need an /etc/services.d/ or something
to avoid people having to edit a file that needs to be automatically
updated.



Comment 4 Rik van Riel 2004-09-27 16:38:57 UTC
Agreed, in the long run we'll need something like you propose.

Comment 5 Josh Bressers 2004-12-07 20:54:29 UTC
I'm removing the security severity of this issue.  This should no
longer be a security issue.

Comment 6 Nicolas Mailhot 2004-12-07 21:37:36 UTC
Do you mean iptables no longuer silently stops at startup if one of
its rules uses a port that was undeclared by an /etc/services update ?

That's why the bug was declared security severity

Comment 7 Marius Andreiana 2005-08-20 06:27:57 UTC
Changing to ASSIGNED. Rick, can you confirm Nicolas question?

Nicolas, would you please file an enhancement request with Owen's proposal?
Thanks

Comment 8 Nicolas Mailhot 2005-09-02 14:10:59 UTC
Will do

Comment 9 Phil Knirsch 2006-01-31 10:56:42 UTC
As the new setup package now contains nearly the complete official IANA list i
think we can safely close this bug as RAWHIDE.

If there are any more services missing they are unofficial and need to be added
manually from a sysadmin now then anyway.

Read ya, Phil


Note You need to log in before you can comment on or make changes to this bug.