Compensate for default disabling of network services in inetd.conf(5)

by providing the opportunity to edit inetd.conf during the system
installation process.  The following modifications were made:

(1) Expand the Anonymous FTP description dialog to indicate that inetd
    and ftpd must be enabled before it can be used.

(2) Introduce a new configInetd() pair of dialogs, the first describing
    inetd, giving a couple of examples of services that require it, and
    hinting at potential risk, then asking the user if they wish to
    enable it.  The second indicates that inetd.conf must be configured
    to enable specific services, and asks if the user would like to
    load inetd.conf into the editor to modify it.  Add this
    configuration action to the index.

There are some further improvements that might be considered:

(1) Provide a more inetd.conf-specific configuration tool that speaks
    inetd.conf(5).  However, this is made difficult by the "yet another
    configuration format" nature of inetd.conf, as well as its use of
    commenting to disable services, rather than an in-syntax way to
    disable a service without commenting it out.  Submissions here
    would probably be welcome.

(2) There's some overlap between settings in the somewhat obtuse
    Security Profile mechanism and other settings, including the inetd
    setting, and NFS server configuration.  As features become
    individually tunable, they should probably be removed from the
    security profile mechanism.  Otherwise, somewhat counter-intuitively,
    sysinstall (in practice) queries multiple times whether inetd, nfsd,
    etc., should be enabled/disabled.  A possible future direction might
    be to drive profiles not by degree of paranoia but rather by the set
    of services desired.  Or simply to remove the Security Profile
    mechanism and resort to feature-driven configuration.

Reviewed by:	imp, chris, jake, nate, -arch, -stable
Robert Watson 2001-08-02 03:25:16 +00:00
parent f2419a7154
commit 0c09bcb0e8
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=81023
11 changed files with 95 additions and 2 deletions
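The first suggested improvement in the commit message is a tool that actually speaks inetd.conf(5) and copes with the format's comment-out-to-disable convention. As an added illustration, not code from this commit or from sysinstall, the following Python audit script parses an inetd.conf, treats a commented line that still has the shape of a service entry as a disabled service rather than prose, and flags services enabled for only one of IPv4/IPv6, the split that the configInetd dialog text warns about. The sample configuration embedded in it is constructed for this example and is not a real FreeBSD inetd.conf.

```python
"""Audit an inetd.conf(5): which services are live, which exist only as
commented-out entries, and which are enabled for IPv4 but not IPv6 (or vice versa).
Added example, not sysinstall code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample. Real files separate fields with tabs; any whitespace is accepted here.
SAMPLE_INETD_CONF = """\
# Constructed sample inetd.conf for this example
#
# Internet server configuration database
#
#ftp     stream  tcp   nowait       root    /usr/libexec/ftpd     ftpd -l
ftp      stream  tcp6  nowait       root    /usr/libexec/ftpd     ftpd -l
#telnet  stream  tcp   nowait       root    /usr/libexec/telnetd  telnetd
finger   stream  tcp   nowait/3/10  nobody  /usr/libexec/fingerd  fingerd -s
#finger  stream  tcp6  nowait/3/10  nobody  /usr/libexec/fingerd  fingerd -s
daytime  stream  tcp   nowait       root    internal
daytime  stream  tcp6  nowait       root    internal
# The following are RPC services
#rstatd/1-3  dgram  rpc/udp  wait  root  /usr/libexec/rpc.rstatd  rpc.rstatd
"""

SOCKET_TYPES = r"stream|dgram|raw|rdm|seqpacket"

# inetd.conf(5) entry: service socktype proto wait/nowait[/max[/rate]] user[:group] program [args]
# A commented-out entry is the only way inetd.conf disables a service, so the
# same pattern is applied again after stripping a leading '#'.
ENTRY_RE = re.compile(
    rf"^(?P<service>\S+)\s+(?P<socktype>{SOCKET_TYPES})\s+(?P<proto>\S+)\s+"
    r"(?P<wait>\S+)\s+(?P<user>\S+)\s+(?P<program>\S+)(?:\s+(?P<args>.*))?$"
)


@dataclass
class Entry:
    service: str
    socktype: str
    proto: str
    wait: str
    user: str
    program: str
    args: str
    enabled: bool  # False when the line was commented out
    lineno: int


def parse_line(line: str, lineno: int) -> Optional[Entry]:
    """Return an Entry for a live or commented-out service line, None for prose or blank lines."""
    text = line.strip()
    enabled = not text.startswith("#")
    if not enabled:
        text = text.lstrip("#").strip()  # "#ftp stream tcp ..." -> "ftp stream tcp ..."
    m = ENTRY_RE.match(text)
    if m is None:
        return None  # blank line or an ordinary comment, not a disabled service
    return Entry(m["service"], m["socktype"], m["proto"], m["wait"], m["user"],
                 m["program"], m["args"] or "", enabled, lineno)


def parse_inetd_conf(text: str) -> List[Entry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = parse_line(line, lineno)
        if entry is not None:
            entries.append(entry)
    return entries


def enabled_services(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(service, proto) pairs inetd would actually listen for."""
    return [(e.service, e.proto) for e in entries if e.enabled]


def disabled_services(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Entries present only as comments: what the sysinstall editor step would uncomment."""
    return [(e.service, e.proto) for e in entries if not e.enabled]


def ipv4_ipv6_mismatch(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Services live on exactly one of tcp/tcp6 (or udp/udp6).
    inetd.conf(5) enables IPv6 separately from IPv4; tcp4/tcp46 spellings are not handled."""
    live = {(e.service, e.proto) for e in entries if e.enabled}
    partner = {"tcp": "tcp6", "tcp6": "tcp", "udp": "udp6", "udp6": "udp"}
    return [(svc, proto) for svc, proto in sorted(live)
            if proto in partner and (svc, partner[proto]) not in live]


def report(text: str) -> None:
    entries = parse_inetd_conf(text)
    print("enabled :", enabled_services(entries))
    print("disabled:", disabled_services(entries))
    print("ipv4/ipv6 mismatch:", ipv4_ipv6_mismatch(entries))


if __name__ == "__main__":
    report(SAMPLE_INETD_CONF)
```

Run it against a real file with `report(open("/etc/inetd.conf").read())`; the "disabled" list is the inventory of entries a user could switch on from the editor prompt, and the "enabled" list is the exposure inetd will actually create once inetd_enable=YES.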


@ -954,6 +954,39 @@ configPCNFSD(dialogMenuItem *self)
return ret;
}
int
configInetd(dialogMenuItem *self)
{
char cmd[256];
WINDOW *w = savescr();
if (msgYesNo("The Internet Super Server (inetd) allows a number of simple Internet\n"
"services to be enabled, including finger, ftp, and telnetd. Enabling\n"
"these services may increase risk of security problems by increasing\n"
"the exposure of your system.\n\n"
"With this in mind, do you wish to enable inetd?\n")) {
variable_set2("inetd_enable", "NO", 1);
} else {
/* If inetd is enabled, we'll need an inetd.conf */
if (!msgYesNo("inetd(8) relies on its configuration file, /etc/inetd.conf, to determine\n"
"which of its Internet services will be available. The default FreeBSD\n"
"inetd.conf(5) leaves all services disabled by default, so they must be\n"
"specifically enabled in the configuration file before they will\n"
"function, even once inetd(8) is enabled. Note that services for\n"
"IPv6 must be seperately enabled from IPv4 services.\n\n"
"Select [Yes] now to invoke an editor on /etc/inetd.conf, or [No] to\n"
"use the current settings.\n")) {
sprintf(cmd, "%s /etc/inetd.conf", variable_get(VAR_EDITOR));
dialog_clear();
systemExecute(cmd);
variable_set2("inetd_enable", "YES", 1);
}
}
restorescr(w);
}
int
configNFSServer(dialogMenuItem *self)
{
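Review bot: configInetd is declared int but never returns a value, and inetd_enable=YES is written only on the path where the user agrees to edit the file: answering Yes to "do you wish to enable inetd?" and then No to the editor prompt leaves inetd_enable unset, although the dialog promises to "use the current settings". Move `variable_set2("inetd_enable", "YES", 1);` out of the inner if so it runs for the whole else branch, and finish the function with `return DITEM_SUCCESS;` as configAnonFTP does, since the function is wired into the dispatch table and the menus through its int prototype. Also prefer `snprintf(cmd, sizeof(cmd), "%s /etc/inetd.conf", variable_get(VAR_EDITOR));` over sprintf, because VAR_EDITOR is a user-settable variable, and "seperately" should read "separately" in the user-visible text.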


@ -52,6 +52,7 @@ static struct _word {
} resWords[] = {
{ "configAnonFTP", configAnonFTP },
{ "configRouter", configRouter },
{ "configInetd", configInetd },
{ "configNFSServer", configNFSServer },
{ "configNTP", configNTP },
{ "configPCNFSD", configPCNFSD },


@ -572,6 +572,10 @@ installStandard(dialogMenuItem *self)
if (!msgNoYes("Do you want this machine to function as a network gateway?"))
variable_set2("gateway_enable", "YES", 1);
dialog_clear_norefresh();
if (!msgNoYes("Do you want to configure inetd and simple internet services?"))
configInetd(self);
dialog_clear_norefresh();
if (!msgNoYes("Do you want to have anonymous FTP access to this machine?"))
configAnonFTP(self);
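Review bot: this gate asks the inetd question twice, first via msgNoYes here and then again through configInetd's own "do you wish to enable inetd?" prompt, which is the same kind of double query the commit message criticises in the Security Profile mechanism. Declining here records neither YES nor NO for inetd_enable, whereas going through configInetd records an explicit NO. Consider calling `configInetd(self);` unconditionally, since it already handles the enable decision. Minor: "simple internet services" should be "simple Internet services" to match the dialog text in configInetd.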


@ -235,6 +235,7 @@ DMenu MenuIndex = {
{ " FTP sites", "The FTP mirror site listing.", NULL, dmenuSubmenu, NULL, &MenuMediaFTP },
{ " Gateway", "Set flag to route packets between interfaces.", dmenuVarCheck, dmenuToggleVariable, NULL, "gateway=YES" },
{ " HTML Docs", "The HTML documentation menu", NULL, docBrowser },
{ " inetd Configuration", "Configure inetd and simple internet services.", dmenuVarCheck, configInetd, NULL, "inetd_enable=YES" },
{ " Install, Standard", "A standard system installation.", NULL, installStandard },
{ " Install, Express", "An express system installation.", NULL, installExpress },
{ " Install, Custom", "The custom installation menu", NULL, dmenuSubmenu, NULL, &MenuInstallCustom },
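Review bot: minor: "Configure inetd and simple internet services." should capitalise "Internet" as the configInetd dialog does. Note that dmenuVarCheck keys the check mark off inetd_enable=YES, so once inetd is enabled, selecting this entry re-runs the dialog rather than clearing the mark; that is fine, but it is the behaviour the entry text should convey.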
@ -1332,7 +1333,7 @@ DMenu MenuNetworking = {
{ " Gateway", "This machine will route packets between interfaces",
dmenuVarCheck, dmenuToggleVariable, NULL, "gateway_enable=YES" },
{ " inetd", "This machine wants to run the inet daemon",
dmenuVarCheck, dmenuToggleVariable, NULL, "inetd_enable=YES" },
dmenuVarCheck, configInetd, NULL, "inetd_enable=YES" },
{ " NFS client", "This machine will be an NFS client",
dmenuVarCheck, dmenuToggleVariable, NULL, "nfs_client_enable=YES" },
{ " NFS server", "This machine will be an NFS server",
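Review bot: swapping dmenuToggleVariable for configInetd turns this item from a toggle into a dialog, but the description "This machine wants to run the inet daemon" still reads like a toggle and sits beside toggle items (Gateway, NFS client). Update the text, for example to match the Index entry "Configure inetd and simple internet services.", so the user expects a dialog. Also, with the configInetd hunk as submitted the function has no return statement, so the value handed back to the menu code after this item fires is indeterminate.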


@ -447,6 +447,7 @@ extern int configXSetup(dialogMenuItem *self);
extern int configXDesktop(dialogMenuItem *self);
extern int configRouter(dialogMenuItem *self);
extern int configPCNFSD(dialogMenuItem *self);
extern int configInetd(dialogMenuItem *self);
extern int configNFSServer(dialogMenuItem *self);
extern int configWriteRC_conf(dialogMenuItem *self);
extern int configSecurityProfile(dialogMenuItem *self);


@ -238,6 +238,19 @@ int
configAnonFTP(dialogMenuItem *self)
{
int i;
if (msgYesNo("Anonymous FTP permits un-authenticated users to connect to the system\n"
"FTP server, if FTP service is enabled. Anonymous users are\n"
"restricted to a specific subset of the file system, and the default\n"
"configuration provides a drop-box incoming directory to which uploads\n"
"are permitted. You must seperately enable both inetd(8), and enable\n"
"ftpd(8) in inetd.conf(5) for FTP services to be available. If you\n"
"did not do so earlier, you will have the opportunity to enable inetd(8)\n"
"again later.\n\n"
"Do you wish to continue configuring anonymous FTP?")) {
return DITEM_FAILURE;
}
/* Be optimistic */
i = DITEM_SUCCESS;
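Review bot: user-visible text: "seperately" should be "separately", and "You must seperately enable both inetd(8), and enable ftpd(8) in inetd.conf(5)" reads awkwardly; suggest "You must enable both inetd(8) and the ftpd(8) entry in inetd.conf(5) before FTP service will be available." The promise that the user "will have the opportunity to enable inetd(8) again later" holds only through the Index and Networking menu entries added in this commit, since installStandard calls configInetd before configAnonFTP; consider naming that menu path instead of saying "later".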


@ -954,6 +954,39 @@ configPCNFSD(dialogMenuItem *self)
return ret;
}
int
configInetd(dialogMenuItem *self)
{
char cmd[256];
WINDOW *w = savescr();
if (msgYesNo("The Internet Super Server (inetd) allows a number of simple Internet\n"
"services to be enabled, including finger, ftp, and telnetd. Enabling\n"
"these services may increase risk of security problems by increasing\n"
"the exposure of your system.\n\n"
"With this in mind, do you wish to enable inetd?\n")) {
variable_set2("inetd_enable", "NO", 1);
} else {
/* If inetd is enabled, we'll need an inetd.conf */
if (!msgYesNo("inetd(8) relies on its configuration file, /etc/inetd.conf, to determine\n"
"which of its Internet services will be available. The default FreeBSD\n"
"inetd.conf(5) leaves all services disabled by default, so they must be\n"
"specifically enabled in the configuration file before they will\n"
"function, even once inetd(8) is enabled. Note that services for\n"
"IPv6 must be seperately enabled from IPv4 services.\n\n"
"Select [Yes] now to invoke an editor on /etc/inetd.conf, or [No] to\n"
"use the current settings.\n")) {
sprintf(cmd, "%s /etc/inetd.conf", variable_get(VAR_EDITOR));
dialog_clear();
systemExecute(cmd);
variable_set2("inetd_enable", "YES", 1);
}
}
restorescr(w);
}
int
configNFSServer(dialogMenuItem *self)
{
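Review bot: same comments as the first copy of this hunk: inetd_enable=YES is set only when the editor is invoked, so Yes-then-No leaves it unset; the int function has no return statement; sprintf into cmd[256] with a user-settable editor path should be snprintf; and "seperately" is misspelled. Whatever fix lands should be applied to both copies of this file in the commit so they do not drift.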


@ -52,6 +52,7 @@ static struct _word {
} resWords[] = {
{ "configAnonFTP", configAnonFTP },
{ "configRouter", configRouter },
{ "configInetd", configInetd },
{ "configNFSServer", configNFSServer },
{ "configNTP", configNTP },
{ "configPCNFSD", configPCNFSD },


@ -572,6 +572,10 @@ installStandard(dialogMenuItem *self)
if (!msgNoYes("Do you want this machine to function as a network gateway?"))
variable_set2("gateway_enable", "YES", 1);
dialog_clear_norefresh();
if (!msgNoYes("Do you want to configure inetd and simple internet services?"))
configInetd(self);
dialog_clear_norefresh();
if (!msgNoYes("Do you want to have anonymous FTP access to this machine?"))
configAnonFTP(self);
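Review bot: as in the first copy of this hunk, the msgNoYes gate followed by configInetd's own enable prompt asks the same question twice, and declining here leaves inetd_enable unset rather than NO; calling configInetd(self) unconditionally avoids both. Keep this copy in step with the other one.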


@ -235,6 +235,7 @@ DMenu MenuIndex = {
{ " FTP sites", "The FTP mirror site listing.", NULL, dmenuSubmenu, NULL, &MenuMediaFTP },
{ " Gateway", "Set flag to route packets between interfaces.", dmenuVarCheck, dmenuToggleVariable, NULL, "gateway=YES" },
{ " HTML Docs", "The HTML documentation menu", NULL, docBrowser },
{ " inetd Configuration", "Configure inetd and simple internet services.", dmenuVarCheck, configInetd, NULL, "inetd_enable=YES" },
{ " Install, Standard", "A standard system installation.", NULL, installStandard },
{ " Install, Express", "An express system installation.", NULL, installExpress },
{ " Install, Custom", "The custom installation menu", NULL, dmenuSubmenu, NULL, &MenuInstallCustom },
@ -1332,7 +1333,7 @@ DMenu MenuNetworking = {
{ " Gateway", "This machine will route packets between interfaces",
dmenuVarCheck, dmenuToggleVariable, NULL, "gateway_enable=YES" },
{ " inetd", "This machine wants to run the inet daemon",
dmenuVarCheck, dmenuToggleVariable, NULL, "inetd_enable=YES" },
dmenuVarCheck, configInetd, NULL, "inetd_enable=YES" },
{ " NFS client", "This machine will be an NFS client",
dmenuVarCheck, dmenuToggleVariable, NULL, "nfs_client_enable=YES" },
{ " NFS server", "This machine will be an NFS server",
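Review bot: same as the first copy of this hunk: the description "This machine wants to run the inet daemon" should be reworded now that the item opens the configInetd dialog instead of toggling, and the menu receives no defined return value from configInetd as currently written.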


@ -447,6 +447,7 @@ extern int configXSetup(dialogMenuItem *self);
extern int configXDesktop(dialogMenuItem *self);
extern int configRouter(dialogMenuItem *self);
extern int configPCNFSD(dialogMenuItem *self);
extern int configInetd(dialogMenuItem *self);
extern int configNFSServer(dialogMenuItem *self);
extern int configWriteRC_conf(dialogMenuItem *self);
extern int configSecurityProfile(dialogMenuItem *self);