Red Hat Bugzilla – Bug 61660
Too open permissions and connectivity in default setup
Last modified: 2008-05-01 11:38:01 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9+) Gecko/20020319
Description of problem:
By default, fam is enabled through xinetd, and according to man page in this
case fam ignores the local_only configuration flag.
This is dangerous for machines connected publicly, since this opens a new venue
of attack to machines. The default case should be restricted, especially in this
case since there is no realistic need for average (non-power-user) to access fam
from non-local machine.
"lsof -i" on fam:
fam 1426 root 0u IPv4 1128 TCP localhost.localdomain:1025
fam 1426 root 1u IPv4 1128 TCP localhost.localdomain:1025
fam 1426 root 2u IPv4 1128 TCP localhost.localdomain:1025
Note: It is not enough that "there is no known security bugs in fam." One must
consider the risk of each open port and program, and weigh them against risks.
In this case fam is clearly not needed in the default case to be open to world,
so it being accessible from other than local machine adds unnecessary risk to
the whole installation.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
The default fam xinetd file binds to 127.0.0.1 only. This is only reachable from
the machine itself, and is not open to the world.