Bug 61660 - Too open permissions and connectivity in default setup
Too open permissions and connectivity in default setup
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: fam (Show other bugs)
7.2
All Linux
medium Severity low
: ---
: ---
Assigned To: Alexander Larsson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-03-22 13:37 EST by Santeri Paavolainen
Modified: 2008-05-01 11:38 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2002-03-22 13:37:46 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Santeri Paavolainen 2002-03-22 13:37:42 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9+) Gecko/20020319

Description of problem:
By default, fam is enabled through xinetd, and according to man page in this
case fam ignores the local_only configuration flag.

This is dangerous for machines connected publicly, since this opens a new venue
of attack to machines. The default case should be restricted, especially in this
case since there is no realistic need for average (non-power-user) to access fam
from non-local machine.

"lsof -i" on fam:

fam        1426   root    0u  IPv4   1128       TCP localhost.localdomain:1025
(LISTEN)
fam        1426   root    1u  IPv4   1128       TCP localhost.localdomain:1025
(LISTEN)
fam        1426   root    2u  IPv4   1128       TCP localhost.localdomain:1025
(LISTEN)


Note: It is not enough that "there is no known security bugs in fam." One must
consider the risk of each open port and program, and weigh them against risks.
In this case fam is clearly not needed in the default case to be open to world,
so it being accessible from other than local machine adds unnecessary risk to
the whole installation.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Default install.

Additional info:
Comment 1 Alexander Larsson 2002-03-22 18:02:53 EST
The default fam xinetd file binds to 127.0.0.1 only. This is only reachable from
the machine itself, and is not open to the world.

Note You need to log in before you can comment on or make changes to this bug.