[2664] in SIPB_Linux_Development
comments on 5.2 beta installation
daemon@ATHENA.MIT.EDU (mhpower@MIT.EDU)
Thu Feb 18 23:54:41 1999
From: mhpower@MIT.EDU
Date: Thu, 18 Feb 1999 23:54:30 -0500
To: linux-dev@MIT.EDU
I did a full local installation of the Linux-Athena 5.2 beta, using
all of the defaults for packages and enabled services.
I'd suggest that the default network software be changed in these ways:
-- don't have an entry for linuxconf in /etc/inetd.conf. As far as I
can tell, the linuxconf program runs fine without an inetd.conf
entry, when run from the local machine. If the linuxconf inetd
service is accessed from any machine (even the local machine),
that client machine gets, by default, a
500 access denied: check networking/linuxconf network access
error message. If /etc/conf.linuxconf is edited to allow access from
another machine via http, the other machine gets access to make
configuration changes by sending the root password over the net in
the clear (actually with the usual base64 encoding for http basic
authentication). Since we'd prefer that people don't send their root
passwrds over the net unencrypted, it'd seem best to make linuxconf
http access appear as unrecommended as possible by leaving it out of
inetd.conf.
-- don't enable portmap. I don't know of any reason why portmap would be
useful on a Linux client machine that doesn't offer any rpc-based
services. As far as I know, portmap/rpcbind has been enabled by
default on Athena supported client machines because, in the past,
there was some piece of third-party software that would only work
on machines on which portmap is running. I don't know of any such
software that exists for Linux. There is at least one new reported
portmap security concern, at http://www.mit.edu:8008/menelaus/bt/9288
-- if a user types "access_on", the machine then allows telnet logins
on the basis of passwords sent over the net in the clear. I'd suggest
changing the telnetd arguments in /etc/athena/inetd.conf to be
either "-a cred -e" or some other argument set including "-e".
(Obviously this makes telnet service unavailable unless the machine
has a srvtab.)
-- probably the same for ftpd, i.e., change inetd.conf to use "-a -E"
Here are a few other software concerns for the installation:
-- It appears that pam-0.64-3 gets installed. The version at
ftp://updates.redhat.com/5.2/i386 is pam-0.64-4
-- lsof, installed setgid kmem, appears to be the version with the
security hole from http://www.mit.edu:8008/menelaus/bt/9622 (I'm
not sure whether this warrants taking it out of Linux-Athena,
or just making a patch available once Red Hat issues one)
-- perhaps there should be user documentation somewhere (e.g.,
http://web.mit.edu/linux/www/FAQ/) mentioning that a user can
edit /etc/sysconfig/sendmail if they don't want their machine
to run a sendmail daemon that will accept incoming mail. Also
it should perhaps mention that the existing mail configuration
allows outsiders to relay mail through the machine. (A side issue
is that users should be careful to send their mail with an
appropriate envelope-from address if their Linux machine
doesn't accept incoming mail. It appears that the default has
the envelope-from address include the local machine's name,
rather than being "username@mit.edu".)
Also, I tried a large number of third-party applications out of afs
(mostly looking for anything that might require portmap), and found the
following behavior which perhaps should be reported to the respective
locker maintainers if it hasn't been already (note that, when running
these, I had ATHENA_SYS_COMPAT set to i386_linux2:i386_linux1):
-- Running applix gives me a warning message:
Exec of /afs/athena/software/swtools/bin/delete_cookie failed!
(the bin directory is a link to arch/@sys/bin, and there's no
i386_linux3 directory)
-- mswordview is not available in /mit/consult/arch/i386_linux3/bin
(it is in /mit/consult/arch/i386_linux2/bin, however)
-- /mit/geomview_v1.6.1/arch/i386_linux3/bin/geomview runs correctly;
however "add geomview; geomview" tells me "There doesn't seem to
be an executable called geomview for maple version 5r5 on this
platform" and suggests typing "add -f maple_v5r5" and "geomview",
which results in the same error message again.
-- running "add math; mathematica" gives me an error window stating "A
serious error has occurred during startup. You may continue, but
Mathematica may crash or exit suddenly. Error type: 199." Selecting
"Continue" does not result in the program running.
-- "add oed; ox2" appears to go into an infinite loop, spending a lot
of time running stat on files named "sh" and "ox2".
Matt
