RH Taroon Beta Open Ports

Felipe Alfaro Solana felipe_alfaro at linuxmail.org
Mon Aug 25 19:36:11 UTC 2003


On Mon, 2003-08-25 at 20:18, Steve Dickson wrote:

> >Which local processes? We've already heard about sgi_fam, and we already
> >know about NIS and NFS, but is this really worth leaving it listening on
> >external interfaces in a _default_ install?
> >
> third party applications of our beloved customers... There are *probably* a few more
> applications other than NFS and NIS that need to advertise ports.... Remember the
> RPC subsystem has been around for a very long time which means we really don't
> know what we would be breaking by turning it off... Just because you don't know about
> something..... does not mean they don't exist....

In my humble opinion, sometimes we must take decisions that make
maintaining compatibility difficult. However, if these decisions are
targeted to achieve improved security, I think we have a reason in our
favor. NFS is not very secure by nature (except NFSv4).

If we want to maintain compatibility with third-party products, I suggest
that during upgrades, the portmap and company be left at their original
settings. However, for new installations, I think we should disable
them, or at least, force them to bind to the loopback interface
exclusively. Then, I would put a *big* note into the Release Notes
stating behavior changes in those services.

Red Hat (or anyone) can't be liable for a behavior change that is well
documented in the Release Notes and aims at security: if an
administrator performs a fresh install of Red Hat Linux, then installs
third-party products and checks that some things don't work, then, if
he/she hasn't read the Release Notes, he/she should be sent to the IT
hell ;-)

Just my two cents of Euro.
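
An added example, not part of the original message: one way to check which TCP listeners (portmap on 111, NFS on 2049, and so on) are bound beyond the loopback interface, by parsing the `/proc/net/tcp` table. The function names and the sample table are constructed for illustration; the address decoding assumes a little-endian host, and only IPv4 is covered.

```python
import ipaddress
import struct

LISTEN = "0A"  # TCP_LISTEN state code used in /proc/net/tcp

# Constructed sample, trimmed to the first four columns of /proc/net/tcp.
SAMPLE = """\
  sl  local_address rem_address   st
   0: 00000000:006F 00000000:0000 0A
   1: 0100007F:0277 00000000:0000 0A
   2: 0A00A8C0:0016 0100A8C0:C350 01
   3: 0A00A8C0:0801 00000000:0000 0A
"""

def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (IPv4Address, port)."""
    hex_ip, hex_port = field.split(":")
    # The kernel prints the 32-bit address in host byte order (little-endian assumed).
    ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)

def listeners(table_text):
    """Return (ip, port) for every socket in LISTEN state."""
    found = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != LISTEN:
            continue
        found.append(decode_addr(cols[1]))
    return found

def exposed(table_text):
    """Listeners bound to the wildcard or any non-loopback address."""
    return [(str(ip), port) for ip, port in listeners(table_text)
            if not ip.is_loopback]

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE  # fall back to the constructed sample off-Linux
    for ip, port in exposed(text):
        print(f"listening beyond loopback: {ip}:{port}")
```

A service bound to `0.0.0.0` is reported as exposed because the wildcard address accepts connections on every interface, while one bound to `127.0.0.1` is not.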




