method of executing commands remotely. There are no rexec clients in
the FreeBSD tree, and the client function rexec(3) is present only in
libcompat. It has been documented as "obsolete" since 4.3BSD, and its
use has been discouraged in the man page for over 10 years.
This adds the former ports registered groups: proxy and authpf as well as
the proxy user. Make sure to run mergemaster -p in oder to complete make
installworld without errors.
This also provides the passive OS fingerprints from OpenBSD (pf.os) and an
example pf.conf.
For those who want to go without pf; it provides a NO_PF knob to make.conf.
__FreeBSD_version will be bumped soon to reflect this and to be able to
change ports accordingly.
Approved by: bms(mentor)
down to the section of optional mail/news services. Change the nntpd
location to /usr/local/libexec since it's an optional software.
Henceforth, nntpd will be advised to run as "news", which is a
standard user in the system, instead of "usenet", which has never
existed in the default master.passwd(5).
Note: It's not "news:news" since inetd(8) runs a service at the
specified user's login group by default.
Add a blank comment line above the uucpd line so the section looks uniform.
Partly pointed out by: Alexey Neyman <alex.neyman at auriga.ru>
MFC after: 1 week
# or any login.conf resource limits or features; use it only if this is
# appropriate for your environment. If you require these features, use
# the regular FreeBSD ftpd below.
Discourage users from using lukemftpd if they rely any of these standard
FreeBSD features that are fully supported by our native ftpd. There
may be other features that are not yet supported that I have not yet
discovered.
Kerberized CVS (kserver) listens on the same port as normal CVS
(pserver). In /etc/inetd.conf cvs kserver is disabled by default,
but set to listen to the service port 'cvs' which doesn't exist. It
should listen to 'cvspserver'.
PR: 34317
Submitted by: Sean Chittenden <sean@chittenden.org>
and ftpd. This more conservative default reduces the exposure of
freshly installed machines, which is especially valuable for machines
that receive minimal further configuration before being put into
production. Generally speaking, SSH has superseded the use of both
telnet and ftp in many environments. In light of recent remotely
exploitable security holes in both telnetd and ftpd, this choice
retains flexibility (both telnetd and ftpd daemons remain installed
and easily enableable) while protecting users who don't need the
additional risk. This change brings our configuration into line with
the majority of other UNIX vendors, including OpenBSD and NetBSD.
To address the concerns of those requiring remote access via telnet
from first install, changes will shortly be committed to sysinstall
to provide the ability to edit inetd.conf during the installation
process, allowing telnetd and ftp to be re-enabled during the
installation process.
While I'm at it, slightly improve commenting for inetd.conf so that
it's more clear to users how to enable and disable services.
Further commenting to indicate the functions of various columns would
probably also be useful.
Reviewed by: imp, chris, jake, nate, -arch, -stable
out of sync. A similar change was made by itojun on the OpenBSD tree
a few weeks ago. This should stop people disabling one server and
forgetting the other one (eg: ftp and/or telnet)
are bad enough, but finger is hardly a critical system service and
it's traditionally been vulnerable to a variety of attacks; anybody
remember RTFM and his worm?
Also enable some standard IPv6 apps by default.
These entries will be simply ignored on systems with no INET6 defined.
Approved by: jkh
Suggested by: peter
example of their usage in the sample config. Merge the two examples
for the green internal auth service.
This commit failed the first time around because Brian beat me to the
punch on inetd.8 . I like my descriptions better and I'm pretty sure
Brian won't mind.
at least for now. I relegated the getcred sysctls to only root, but if
they're deemed to be "allowable" to export to users, I'll do so and
revert this change.
adjustd inetd.conf to run comsat and ntalk from tty sandbox, and
the (commented out) ident from the kmem sandbox.
Note that it is necessary to give each group access it's own uid to
prevent programs running under a single uid from being able to gdb
or otherwise mess with other programs (with different group perms) running
under the same uid.
if kerberos is installed. So far as I'm aware, kerberos aware clients
detect ECONNREFUSED and (if allowed) fall back to the non-kerberos
servers. They do not know how to interpret messages such as
"rlogind: unknown option -k".
I believe Garrett also mentioned this.
Unfortunately, this adds an extra step to bringing up kerberos.
It also stops /var/log/messages getting quite so many useless (and
confusing) error messages when somebody does a port scan on you.
Turn OFF the "small servers" by default. FreeBSD systems should only
serve actively used programs. Jewels like chargen and echo are too
useful in attack scenarios.