Bug 61660 - Too open permissions and connectivity in default setup
Summary: Too open permissions and connectivity in default setup
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: fam
Version: 7.2
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Alexander Larsson
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-03-22 18:37 UTC by Santeri Paavolainen
Modified: 2008-05-01 15:38 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2002-03-22 18:37:46 UTC
Embargoed:


Attachments (Terms of Use)

Description Santeri Paavolainen 2002-03-22 18:37:42 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9+) Gecko/20020319

Description of problem:
By default, fam is enabled through xinetd, and according to man page in this
case fam ignores the local_only configuration flag.

This is dangerous for machines connected publicly, since this opens a new venue
of attack to machines. The default case should be restricted, especially in this
case since there is no realistic need for average (non-power-user) to access fam
from non-local machine.

"lsof -i" on fam:

fam        1426   root    0u  IPv4   1128       TCP localhost.localdomain:1025
(LISTEN)
fam        1426   root    1u  IPv4   1128       TCP localhost.localdomain:1025
(LISTEN)
fam        1426   root    2u  IPv4   1128       TCP localhost.localdomain:1025
(LISTEN)


Note: It is not enough that "there is no known security bugs in fam." One must
consider the risk of each open port and program, and weigh them against risks.
In this case fam is clearly not needed in the default case to be open to world,
so it being accessible from other than local machine adds unnecessary risk to
the whole installation.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Default install.

Additional info:

Comment 1 Alexander Larsson 2002-03-22 23:02:53 UTC
The default fam xinetd file binds to 127.0.0.1 only. This is only reachable from
the machine itself, and is not open to the world.



Note You need to log in before you can comment on or make changes to this bug.