From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9+) Gecko/20020319 Description of problem: By default, fam is enabled through xinetd, and according to man page in this case fam ignores the local_only configuration flag. This is dangerous for machines connected publicly, since this opens a new venue of attack to machines. The default case should be restricted, especially in this case since there is no realistic need for average (non-power-user) to access fam from non-local machine. "lsof -i" on fam: fam 1426 root 0u IPv4 1128 TCP localhost.localdomain:1025 (LISTEN) fam 1426 root 1u IPv4 1128 TCP localhost.localdomain:1025 (LISTEN) fam 1426 root 2u IPv4 1128 TCP localhost.localdomain:1025 (LISTEN) Note: It is not enough that "there is no known security bugs in fam." One must consider the risk of each open port and program, and weigh them against risks. In this case fam is clearly not needed in the default case to be open to world, so it being accessible from other than local machine adds unnecessary risk to the whole installation. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: Default install. Additional info:
The default fam xinetd file binds to 127.0.0.1 only. This is only reachable from the machine itself, and is not open to the world.