TCLUG Archive

Re: [TCLUG:5793] security (some pre-coffee thoughts)...



On Tue, 4 May 1999, Tim Wilson wrote:

> > * comment out all undesired services in /etc/inetd.conf 
> 
> What is the relationship between /etc/inetd.conf and /etc/services? Do you
> need to comment out lines in both files or just /etc/inetd.conf?
> 
The inet daemon parses /etc/inetd.conf for any available services such as
ftp, pop, rlogin, rexec, smtp, etc.  Commenting out these services in
/etc/inetd.conf tells inetd to ignore any requests for these services.
You may want to leave the "auth" entry in for logging purposes.

> > * Kill the xfs that RH6.0 ships with and get the fonts directly from X.
> 
> What is the danger of using xfs? I must say, the fonts look a lot better
> on my RH6 system than they did before. (I realize pretty fonts and system
> security are two different things. I wouldn't even have X on my server if 
> I didn't need it for the UPS software.)
> 

The X font server (xfs) allows for TrueType fonts to be displayed on the
system.  It's the easiest and most capable method of displaying TrueType
fonts on your X server.  It's not entirely dangerous although some
versions allowed for buffer overflows via a file in /tmp.  Additionally,
the xfs daemon UNIX:7100 enables most anyone to begin using your fonts
from anywhere by default.  For example, if I am in China, I could point my
X server's font entry to your font server in Minnesota (you can already
see where this will lead).  If xfs was built to be libwrap-aware, this
would be a little easier to control with tcp_wrappers.  I'm not sure if
this has been done yet.

Peter Lukas
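
The inetd.conf step discussed above, as an added example that is not part of the original message: a shell sketch that lists the services inetd would still answer for and comments out everything except a keep-list (here only `auth`, as the reply suggests). The sample file contents and the function names `sample_inetd_conf`, `list_enabled` and `disable_except` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of an inetd.conf (not taken from the original post).
sample_inetd_conf() {
cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
EOF
}

# list_enabled: read an inetd.conf on stdin and print the service name of
# every active entry (not commented out, at least the six mandatory fields).
list_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }'
}

# disable_except KEEP...: read an inetd.conf on stdin and write it back out
# with every active entry commented out unless its service name is in KEEP.
# Existing comments and blank lines pass through unchanged.
disable_except() {
    awk -v keep="$*" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { print; next }   # already a comment or not an entry
        ($1 in ok)           { print; next }   # service on the keep-list
                             { print "#" $0 }  # everything else gets disabled
    '
}

# Demo on the constructed sample: show what is enabled before and after.
echo "enabled before: $(sample_inetd_conf | list_enabled | tr '\n' ' ')"
echo "enabled after:  $(sample_inetd_conf | disable_except auth | list_enabled | tr '\n' ' ')"
```

On a real system the filter would be run against a copy of /etc/inetd.conf and the result reviewed before replacing the file; inetd only re-reads its configuration when it receives SIGHUP.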