Hi,

Please see the summary line. I think the RECORD option should be removed from the default config; it is a security risk. As well as being a risk, it also brings very little benefit to an installation, as it only kicks in when the target service cannot be launched!

The reasons for this being a security risk are:
- Lots of parsing/logging of malicious remote supplied data (usernames, commands, etc).
- In the case of "rexec", a 1-byte overflow (xinetd author informed)
- Dangerous "connect back" facility, which mixed in with a bit of spoofing, can allow a malicious remote to force a host to make connections to privileged ports from privileged ports.

Done, in xinetd-2.1.8.9pre13-4
However, removing the RECORD option generates the following error message:

    Jan 21 05:29:38 test1 xinetd: xinetd shutdown succeeded
    Jan 21 05:29:38 test1 xinetd[6231]: Bad log-on_failure flag: PID [line=11]

This is in beta2. I have no objections to removing the RECORD option but in xinetd-2.1.8.9pre13-5 the settings are:

    log_on_success = HOST PID
    log_on_failure = HOST PID

and that craps out with the error message above.

Sorry, I guess I need to be more exact. By crapping out I mean it generates the noted error message and continues.
Fixed in xinetd-2.1.8.9pre14-3
*** Bug 28049 has been marked as a duplicate of this bug. ***
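
A configuration audit for the two problems discussed in this report, as an added example that is not part of the bug thread or of xinetd itself: it flags `RECORD` left enabled in `log_on_failure` and any flag the attribute does not accept (such as `PID`). The accepted flag sets are an assumption taken from the xinetd.conf(5) documentation of RECORD-era releases, and the sample configuration is constructed.

```python
import re

# Assumption: flag sets as documented in xinetd.conf(5) for releases that
# still accept RECORD. PID is valid only for log_on_success.
ALLOWED = {
    "log_on_failure": {"HOST", "USERID", "ATTEMPT", "RECORD"},
    "log_on_success": {"PID", "HOST", "USERID", "EXIT", "DURATION", "TRAFFIC"},
}
ATTR = re.compile(r"^\s*(log_on_(?:failure|success))\s*(\+=|-=|=)\s*(.*)$")
BLOCK = re.compile(r"^\s*(defaults|service\s+\S+)\s*$")

def audit(conf_text):
    """Return (line_no, block, finding) tuples for the log_on_* attributes."""
    findings, block = [], None
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.strip().startswith("#"):      # whole-line comment
            continue
        m = BLOCK.match(line)
        if m:                                 # "defaults" or "service <name>"
            block = " ".join(m.group(1).split())
            continue
        if line.strip() == "}":
            block = None
            continue
        m = ATTR.match(line)
        if not m:
            continue
        attr, op, values = m.groups()
        for flag in values.split():
            if flag not in ALLOWED[attr]:
                findings.append((no, block, f"{attr}: {flag} is not a valid flag"))
            elif flag == "RECORD" and op != "-=":   # "-=" removes the flag
                findings.append((no, block, f"{attr}: RECORD enabled"))
    return findings

# Constructed sample: the original default plus the broken interim setting.
SAMPLE = """\
defaults
{
    log_on_success = HOST PID
    log_on_failure = HOST RECORD
}
service rexec
{
    log_on_failure = HOST PID
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```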