[937] in linux-security and linux-alert archive
Re: [linux-security] about in.identd
daemon@ATHENA.MIT.EDU (Ian Jackson)
Sat Jul 20 20:06:29 1996
Date: Fri, 19 Jul 96 22:50 BST
From: Ian Jackson <ian@chiark.chu.cam.ac.uk>
To: Alan Cox <alan@cymru.net>
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199607182004.VAA22344@snowcrash.cymru.net>
Alan Cox writes ("Re: [linux-security] about in.identd"):
> > root? you don't need root permissions to lookup who owns a port, and there
> > are a few other programs that inetd spawns that bind to ports under 1024
> > that don't run as root [systat comes to mind].
> >
> > so why run it as root? are we just asking for trouble?
>
> I guess for history reasons (most identds dive into the kmem) - we have
> /proc so it seems we should run it as nobody
impren:~> grep ident /etc/inetd.conf | expand -1
ident stream tcp nowait nobody /usr/sbin/identd identd -i
impren:~>
This is how Debian sets it up by default.
Ian.
[REW: So we should all go out and edit our inetd.conf files. While
you're at it, I suggest that you also disable services such as "systat"
and "netstat". Make sure that the UID you run your services as really
exists. Otherwise the "change uid to xxx" may fail and it might run as
root anyway.
We're also agreed (I hope) on the fact that "identd" running as root
has nothing to do with the original breakin report.]
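An added shell check for the moderator's two warnings (example code written here, not from the thread, Debian or inetd): it walks an inetd.conf, flags services whose user field is root and services whose user does not exist in the passwd file, so a failed "change uid" cannot silently leave them running as root. The inetd.conf and passwd lines are constructed samples so the check runs offline.

```shell
# Constructed sample inetd.conf (fields: service type proto wait user server args).
INETD_CONF_SAMPLE='# constructed sample inetd.conf
ident   stream  tcp nowait  nobody    /usr/sbin/identd  identd -i
systat  stream  tcp nowait  root      /bin/ps           ps -auwwx
netstat stream  tcp nowait  identuser /bin/netstat      netstat -f inet
finger  stream  tcp nowait  nobody    /usr/sbin/tcpd    in.fingerd'

# Constructed sample passwd: note that "identuser" is deliberately absent.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false'

# check_inetd_users CONF_TEXT PASSWD_TEXT
# Prints one line per problem found: "SERVICE USER reason".
# Prints nothing when every service runs as an existing non-root user.
check_inetd_users() {
    conf=$1
    passwd=$2
    # Drop comment and blank lines, then read the fixed inetd.conf columns.
    printf '%s\n' "$conf" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    while read -r service _type _proto _wait user _rest; do
        # inetd accepts "user.group" in the user column; only the user is looked up.
        uid_name=${user%%.*}
        if [ "$uid_name" = root ]; then
            printf '%s %s runs-as-root\n' "$service" "$uid_name"
        elif ! printf '%s\n' "$passwd" | grep -q -- "^${uid_name}:"; then
            # The setuid target does not exist, which is the case REW warns about.
            printf '%s %s user-not-in-passwd\n' "$service" "$uid_name"
        fi
    done
}

# Stand-alone usage against the constructed samples; on a real host pass
# "$(cat /etc/inetd.conf)" and "$(cat /etc/passwd)" instead.
check_inetd_users "$INETD_CONF_SAMPLE" "$PASSWD_SAMPLE"
```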