don't enable services by default in inetd

Bug #7190 reported by Debian Bug Importer
Affects | Status | Importance | Assigned to | Milestone
netkit-base (Debian) | Fix Released | Unknown | |
netkit-base (Ubuntu) | Invalid | High | Unassigned |

Bug Description

Automatically imported from Debian bug report #261906 http://bugs.debian.org/261906

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 22 Jul 2004 23:42:33 +0200
From: Javier Fernández-Sanguino Peña <email address hidden>
To: <email address hidden>
Subject: Installation report for Compaq Proliant DL360


Package: installation-reports

Debian-installer-version: 2004-06-14
uname -a:
Linux germinus01 2.4.26-1-386 #1 Fri Jul 9 21:05:06 JST 2004 i686 GNU/Linux
Date: 2004-06-16 10:00
Method:
Installed from CD image (full netinst, 110Mbs). Booted off the CD-ROM
and then apt-get updated from spanish mirror through a proxy.

Machine: Compaq Proliant DL360

Processor:
/proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 11
model name : Intel(R) Pentium(R) III CPU family 1400MHz
stepping : 1
cpu MHz : 1396.496
cache size : 512 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 2
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse
bogomips : 2785.28

Memory:
/proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 927109120 91734016 835375104 0 10862592 53714944
Swap: 509681664 0 509681664
MemTotal: 905380 kB
MemFree: 815796 kB
MemShared: 0 kB
Buffers: 10608 kB
Cached: 52456 kB
SwapCached: 0 kB
Active: 35568 kB
Inactive: 37224 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 905380 kB
LowFree: 815796 kB
SwapTotal: 497736 kB
SwapFree: 497736 kB

Root Device: SCSI hard drive
Root Size/partition table:
----------------------------------------------------------------------
Partitions:
Disk /dev/cciss/c0d0: 72.8 GB, 72833679360 bytes
255 heads, 32 sectors/track, 17433 cylinders
Units = cylinders of 8160 * 512 = 4177920 bytes

           Device Boot Start End Blocks Id System
/dev/cciss/c0d0p1 * 1 36 146864 83 Linux
/dev/cciss/c0d0p2 37 17433 70979760 f W95 Ext'd (LBA)
/dev/cciss/c0d0p5 37 1233 4883744 83 Linux
/dev/cciss/c0d0p6 1234 1951 2929424 83 Linux
/dev/cciss/c0d0p7 1952 2047 391664 83 Linux
/dev/cciss/c0d0p8 2048 17311 62277104 83 Linux
/dev/cciss/c0d0p9 17312 17433 497744 82 Linux swap


Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 23 Jul 2004 06:50:20 +0200
From: Christian Perrier <email address hidden>
To: Javier Fernández-Sanguino Peña <email address hidden>, <email address hidden>
Subject: Re: Bug#260934: Installation report for Compaq Proliant DL360

> The only relevant issue was the boot loader. Grub failed to install
> for an unknown reason (checked the logs in the tty as well as 'dmesg'
> result to no avail). I settled for LILO which installed just fine in
> the first attempt.

This has been a problem during a few days recently. I guess you
probably went on one of these images.

If possible, can you try again with a more recent image? Otherwise, I
suggest the bug is closed as it is highly likely to be already
obsolete.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 23 Jul 2004 08:30:06 +0200
From: Javier Fernández-Sanguino Peña <email address hidden>
To: Christian Perrier <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#260934: Installation report for Compaq Proliant DL360


On Fri, Jul 23, 2004 at 06:50:20AM +0200, Christian Perrier wrote:
>
> If possible, can you try again with a more recent image? Otherwise, I
> suggest the bug is closed as it is highly likely to be already
> obsolete.

Unfortunately I can't, the system is no longer available to me. In any
case, I made some other points in the bug (proposed updates availability?)
which might be worth reviewing (or not).

Regards

Javier


Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 28 Jul 2004 23:16:59 +0200
From: Frederik Dannemare <email address hidden>
To: <email address hidden>,
 "Javier Fernández-Sanguino Peña" <email address hidden>,
 <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#260934: Installation report for Compaq Proliant DL360

clone 260934 -1
reassign -1 netkit-inetd
retitle -1 don't enable services by default in inetd
severity -1 serious
tags -1 d-i
thanks

On Thursday 22 July 2004 23:42, Javier Fernández-Sanguino Peña wrote:
[ snip ]
>
> After the installation I was also glad to find that the only real
> server installed in the system was exim (and since I did local config
> only it was only configured to listen on 127.0.0.1). However, the
> default inetd.conf (daytime, time and discard active) was not what I
> expected. I would rather have all the 'small' tcp/udp services
> disabled per default, they are really not needed at all in most
> installations (unless one wants a 'standard' unix server)

I totally agree. It is simply unnecessary to run these network services
by default. Very few need them. I have been wanting to file a report
about it myself for some time, but hadn't gotten around to do it. Now I
have cloned off your report to inform the inetd maintainers. They
should *really* fix this before sarge freezes!

Thanks,
--
Frederik Dannemare | mailto:<email address hidden>
GnuPG key: search for 'dannemare' on http://pgpkeys.mit.edu
Key fingerprint: BB7B 078A 0DBF 7663 180A F84A 2D25 FAD5 9C4E B5A8
http://frederik.dannemare.net | http://www.linuxworlddomination.dk

Debian Bug Importer (debzilla) wrote :

Marking as duplicate based on debbugs merge (237535,261906)

This bug has been marked as a duplicate of bug 7192.

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 28 Jul 2004 23:31:17 +0200
From: Frederik Dannemare <email address hidden>
To: <email address hidden>
Subject: netkit-inetd not in releaseable state, imo

severity 237535 serious
merge 237535 261906
thanks

not in releasable state, imo. not until daytime, discard, etc. is off by
default. please fix, before sarge freezes.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 29 Jul 2004 02:22:55 +0100
From: Colin Watson <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: Frederik Dannemare <email address hidden>
Subject: not release-critical

severity 261906 normal
thanks

This bug isn't covered by the list of issues meriting a serious bug in
http://release.debian.org/sarge_rc_policy.txt. I don't really buy it
being a security bug either; while it may introduce some small
additional exposure, it doesn't "introduce a security hole on systems
where you install the package", and if that were true then the
vulnerability in inetd should simply be fixed. In general design issues
like this don't merit serious bugs unless the maintainer says so.

I'm therefore setting the severity back to its previous value of normal.
Sorry.

Cheers,

--
Colin Watson [<email address hidden>]

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 29 Jul 2004 15:33:22 +1000 (EST)
From: <email address hidden> (Anthony Towns)
To: <email address hidden>
Subject: severity of 261906 is wishlist

severity 261906 wishlist

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 3 Aug 2004 13:04:30 +0200
From: Frederik Dannemare <email address hidden>
To: Colin Watson <email address hidden>
Cc: <email address hidden>
Subject: Re: not release-critical

On Thursday 29 July 2004 03:22, Colin Watson wrote:
> severity 261906 normal
> thanks
>
> This bug isn't covered by the list of issues meriting a serious bug
> in http://release.debian.org/sarge_rc_policy.txt. I don't really buy
> it being a security bug either; while it may introduce some small
> additional exposure, it doesn't "introduce a security hole on systems
> where you install the package", and if that were true then the
> vulnerability in inetd should simply be fixed.

We would have to wait a day or two (or more) for a fix (and in the
meantime be sitting ducks). If the services, on the other hand, had
just been disabled by default on new installs, no one would have to
worry at all (well, I wouldn't worry because these services go out the
window (along with portmap and nfs-common (on woody)) on my systems
seconds after an install).

> In general design
> issues like this don't merit serious bugs unless the maintainer says
> so.
>
> I'm therefore setting the severity back to its previous value of
> normal. Sorry.

Severity has now been set to wishlist by Anthony. I think this is wrong.
At least he could spend 1 minute justifying why exactly he thinks it
better to leave those ports open by default.

I saw a thread posted some time ago (on -devel, I think), where it was
argued that it was okay for these ports to be open, because there had
been no vuln. against these services ever (or at least for a very long
time). How can this be an excuse for just leaving ports open by default
on a system?

B/R,
--
Frederik Dannemare | mailto:<email address hidden>
GnuPG key: search for 'dannemare' on http://pgpkeys.mit.edu
Key fingerprint: BB7B 078A 0DBF 7663 180A F84A 2D25 FAD5 9C4E B5A8
http://frederik.dannemare.net | http://www.linuxworlddomination.dk

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 24 Oct 2004 12:17:06 -0400
From: Anthony Towns <email address hidden>
To: <email address hidden>
Subject: Bug#237535: fixed in netkit-base 0.10-10

Source: netkit-base
Source-Version: 0.10-10

We believe that the bug you reported is fixed in the latest version of
netkit-base, which is due to be installed in the Debian FTP archive:

netkit-base_0.10-10.diff.gz
  to pool/main/n/netkit-base/netkit-base_0.10-10.diff.gz
netkit-base_0.10-10.dsc
  to pool/main/n/netkit-base/netkit-base_0.10-10.dsc
netkit-inetd_0.10-10_powerpc.deb
  to pool/main/n/netkit-base/netkit-inetd_0.10-10_powerpc.deb
netkit-ping_0.10-10_powerpc.deb
  to pool/main/n/netkit-base/netkit-ping_0.10-10_powerpc.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anthony Towns <email address hidden> (supplier of updated netkit-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

Format: 1.7
Date: Mon, 25 Oct 2004 01:53:56 +1000
Source: netkit-base
Binary: netkit-inetd netkit-ping
Architecture: source powerpc
Version: 0.10-10
Distribution: unstable
Urgency: high
Maintainer: Anthony Towns <email address hidden>
Changed-By: Anthony Towns <email address hidden>
Description:
 netkit-inetd - The Internet Superserver
 netkit-ping - The ping utility from netkit
Closes: 237535 261906 275585
Changes:
 netkit-base (0.10-10) unstable; urgency=high
 .
   * The "POSIX got it right, dammit." release.
 .
   * Use non-blocking sockets for UDP built-ins, because Linux's select()
     semantics are broken, but fast. Thanks to Colin Phipps for the
     fix. (Closes: Bug#275585)
   * Don't enable any built-in services by default. (Closes: Bug#237535,
     Bug#261906)
Files:
 aa24d78d3c0a5963b76577ad752e3518 696 net standard netkit-base_0.10-10.dsc
 e22a450e0a422825e08b69a0658c9edd 10607 net standard netkit-base_0.10-10.diff.gz
 c101f59f8953395cc8bea2823d32540a 29868 net standard netkit-inetd_0.10-10_powerpc.deb
 5f249e69ac9724e5f3e8cabcf3a44b1e 19434 net standard netkit-ping_0.10-10_powerpc.deb


Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 24 Oct 2004 12:17:06 -0400
From: Anthony Towns <email address hidden>
To: <email address hidden>
Subject: Bug#261906: fixed in netkit-base 0.10-10

Source: netkit-base
Source-Version: 0.10-10

We believe that the bug you reported is fixed in the latest version of
netkit-base, which is due to be installed in the Debian FTP archive:

netkit-base_0.10-10.diff.gz
  to pool/main/n/netkit-base/netkit-base_0.10-10.diff.gz
netkit-base_0.10-10.dsc
  to pool/main/n/netkit-base/netkit-base_0.10-10.dsc
netkit-inetd_0.10-10_powerpc.deb
  to pool/main/n/netkit-base/netkit-inetd_0.10-10_powerpc.deb
netkit-ping_0.10-10_powerpc.deb
  to pool/main/n/netkit-base/netkit-ping_0.10-10_powerpc.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anthony Towns <email address hidden> (supplier of updated netkit-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

Format: 1.7
Date: Mon, 25 Oct 2004 01:53:56 +1000
Source: netkit-base
Binary: netkit-inetd netkit-ping
Architecture: source powerpc
Version: 0.10-10
Distribution: unstable
Urgency: high
Maintainer: Anthony Towns <email address hidden>
Changed-By: Anthony Towns <email address hidden>
Description:
 netkit-inetd - The Internet Superserver
 netkit-ping - The ping utility from netkit
Closes: 237535 261906 275585
Changes:
 netkit-base (0.10-10) unstable; urgency=high
 .
   * The "POSIX got it right, dammit." release.
 .
   * Use non-blocking sockets for UDP built-ins, because Linux's select()
     semantics are broken, but fast. Thanks to Colin Phipps for the
     fix. (Closes: Bug#275585)
   * Don't enable any built-in services by default. (Closes: Bug#237535,
     Bug#261906)
Files:
 aa24d78d3c0a5963b76577ad752e3518 696 net standard netkit-base_0.10-10.dsc
 e22a450e0a422825e08b69a0658c9edd 10607 net standard netkit-base_0.10-10.diff.gz
 c101f59f8953395cc8bea2823d32540a 29868 net standard netkit-inetd_0.10-10_powerpc.deb
 5f249e69ac9724e5f3e8cabcf3a44b1e 19434 net standard netkit-ping_0.10-10_powerpc.deb


Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 25 Oct 2004 00:34:09 +0200
From: Javier Fernández-Sanguino Peña <email address hidden>
To: <email address hidden>
Subject: Re: Bug#261906 acknowledged by developer (Bug#237535: fixed in netkit-base 0.10-10)


> * Use non-blocking sockets for UDP built-ins, because Linux's select()
> semantics are broken, but fast. Thanks to Colin Phipps for the
> fix. (Closes: Bug#275585)
> * Don't enable any built-in services by default. (Closes: Bug#237535,
> Bug#261906)

Hi aj!

I'm quite surprised to see the second bug fixed, since this has been asked
for many times (see #81118) and never happened. Just curious, is it because of
the first bug that now the second bug is considered a bigger issue?

Thanks for your work!

Javier


Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 4 Nov 2004 12:33:00 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: tagging 237535

# Automatically generated email from bts, devscripts version 2.8.5
tags 237535 - d-i

Changed in netkit-base:
status: Unknown → Fix Released
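
The change that closed this report, "Don't enable any built-in services by default", can be checked on a host by listing the inetd.conf entries that inetd serves itself and that are still active. The script below is an added example, not part of the original thread or of netkit-base; the function names and the sample file are constructed, and it assumes the usual inetd.conf layout in which built-ins carry `internal` as the server program.

```sh
#!/bin/sh
# Added example (not from the report): find inetd built-ins left enabled.
# Assumed inetd.conf field layout:
#   service  socket-type  protocol  wait/nowait  user  server-program [args]
# Built-in services (daytime, time, discard, echo, chargen) are the entries
# whose server-program field is the literal word "internal". Lines starting
# with "#" are disabled, including the "#<off>#" marker of Debian update-inetd.

# Print one "service/protocol" line per enabled built-in in file $1.
enabled_builtins() {
    awk '
        /^[ \t]*#/       { next }   # comment or disabled entry
        NF < 6           { next }   # blank or malformed line
        $6 == "internal" { print $1 "/" $3 }
    ' "$1"
}

# Print file $1 with every enabled built-in commented out; other lines
# (real daemons, existing comments) pass through unchanged.
disable_builtins() {
    awk '
        /^[ \t]*#/ || NF < 6 || $6 != "internal" { print; next }
        { print "#" $0 }
    ' "$1"
}

# Exit status 0 when no built-in is enabled in $1, 1 otherwise.
audit_inetd() {
    found=$(enabled_builtins "$1")
    [ -z "$found" ] && return 0
    printf 'built-ins still enabled in %s:\n%s\n' "$1" "$found" >&2
    return 1
}

# Constructed sample modelled on the default described in the report
# (daytime, time and discard active); not a copy of any shipped file.
write_sample() {
    cat > "$1" <<'EOF'
#echo     stream  tcp  nowait  root    internal
discard   stream  tcp  nowait  root    internal
discard   dgram   udp  wait    root    internal
daytime   stream  tcp  nowait  root    internal
time      stream  tcp  nowait  root    internal
#<off># chargen  stream  tcp  nowait  root  internal
ident     stream  tcp  wait    identd  /usr/sbin/identd identd
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/inetd.conf"
enabled_builtins "$tmp/inetd.conf"
disable_builtins "$tmp/inetd.conf" > "$tmp/inetd.conf.new"
audit_inetd "$tmp/inetd.conf.new" && echo "no built-ins enabled after edit"
rm -rf "$tmp"
```

After the real /etc/inetd.conf is edited, inetd has to re-read its configuration (it does so on SIGHUP) before the ports actually close.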