1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-25 11:37:56 +00:00
Commit Graph

70 Commits

Author SHA1 Message Date
Jacques Vidrine
a8e0b2e8ab Remove rexecd(8), a server that implements a particularly insecure
method of executing commands remotely.  There are no rexec clients in
the FreeBSD tree, and the client function rexec(3) is present only in
libcompat.  It has been documented as "obsolete" since 4.3BSD, and its
use has been discouraged in the man page for over 10 years.
2005-06-10 20:52:36 +00:00
Jens Schweikhardt
d8beb0fd3b Removed whitespace at BOF, EOL & EOF. 2004-06-06 11:46:29 +00:00
Max Laier
042d501cc7 Style:
- do not comment out entries in newsyslog.conf
 - use tabs to line up inetd.conf

Requested by:	bde
Approved by:	bms(mentor)
2004-04-03 17:52:29 +00:00
Dag-Erling Smørgrav
dc9e0bf4e5 Turn on logging for tftpd. 2004-03-11 22:15:28 +00:00
Max Laier
cf339f9bb9 ftp-proxy no longer lives in /usr/local/...
Noticed by:	Pyun YongHyeon
Approved by:	bms(mentor)
2004-03-10 15:06:17 +00:00
Alex Dupre
c99b727a37 Fix typos.
Approved by:	blackend (mentor/implicitly)
2004-03-08 23:18:50 +00:00
Max Laier
8d69c48be5 Link pf to the build and install:
This adds the former ports registered groups: proxy and authpf as well as
the proxy user. Make sure to run mergemaster -p in oder to complete make
installworld without errors.

This also provides the passive OS fingerprints from OpenBSD (pf.os) and an
example pf.conf.

For those who want to go without pf; it provides a NO_PF knob to make.conf.

__FreeBSD_version will be bumped soon to reflect this and to be able to
change ports accordingly.

Approved by:	bms(mentor)
2004-03-08 22:03:29 +00:00
Mark Murray
824de7507e Bit of modernising. Remove old KerberosIV entries, add example
sshd entries, sort internal services the same as everywhere
else.
2003-06-09 21:04:30 +00:00
Yaroslav Tykhiy
6d570e6413 Since FreeBSD has never had a stock NNTP server, move the nntp line
down to the section of optional mail/news services.  Change the nntpd
location to /usr/local/libexec since it's an optional software.

Henceforth, nntpd will be advised to run as "news", which is a
standard user in the system, instead of "usenet", which has never
existed in the default master.passwd(5).
Note: It's not "news:news" since inetd(8) runs a service at the
specified user's login group by default.

Add a blank comment line above the uucpd line so the section looks uniform.

Partly pointed out by:	Alexey Neyman <alex.neyman at auriga.ru>
MFC after:		1 week
2003-06-06 08:54:29 +00:00
David E. O'Brien
a6f8d995f3 [DAIVD O'BRIEN's OPINION]
Head off what I think is an abuse of the TRB, and disable lukemftpd.
2002-11-12 17:31:12 +00:00
David E. O'Brien
a029577b46 Tweak the warning language. 2002-10-29 08:41:12 +00:00
Robert Watson
93af0c0187 # WARNING: lukemftpd does not support PAM, MAC, per-class nologin files,
# or any login.conf resource limits or features; use it only if this is
# appropriate for your environment.  If you require these features, use
# the regular FreeBSD ftpd below.

Discourage users from using lukemftpd if they rely any of these standard
FreeBSD features that are fully supported by our native ftpd.  There
may be other features that are not yet supported that I have not yet
discovered.
2002-10-24 15:46:10 +00:00
Gordon Tetlow
5e6fcb8ccc Correct comment. We use rpcbind now, not portmap
Submitted by:	Mike Makonnen <makonnen@pacbell.net>
2002-08-09 17:34:13 +00:00
Hajimu UMEMOTO
4dfe2f93fb Add an IPv6 sample line for tftpd.
MFC after:	2 weeks
2002-04-11 17:17:28 +00:00
David E. O'Brien
4ebfe536d8 Add a sample line for lukemftp. 2002-03-26 19:54:12 +00:00
Dima Dorfman
2f1791f580 In the words of the submitter:
Kerberized CVS (kserver) listens on the same port as normal CVS
        (pserver).  In /etc/inetd.conf cvs kserver is disabled by default,
        but set to listen to the service port 'cvs' which doesn't exist.  It
        should listen to 'cvspserver'.

PR:		34317
Submitted by:	Sean Chittenden <sean@chittenden.org>
2002-03-09 04:55:35 +00:00
Maxim Konovalov
d60b85c4d7 Fix a typo in swat example.
Spotted by:	Sergey Osokin <osa@freebsd.org.ru>
Reviewed by:	ru
Approved by:	ru
MFC after:	1 week
2002-02-13 08:21:45 +00:00
David E. O'Brien
b1f2952a35 Chroot to /tftpboot for tftp.
Reviewed by:	mdodd, peter
2001-10-22 01:46:53 +00:00
David E. O'Brien
260a117141 Fix tabbing damage in last commit. 2001-10-10 17:26:27 +00:00
Jordan K. Hubbard
803d3eb188 Add commented-out/prototype entries for samba's swat configuration tool.
Requested by:	"William Wong" <willwong@samurai.com>
MFC after:	1 week
2001-10-03 05:30:56 +00:00
Kris Kennaway
a06da08de5 Move the uucpd entry down a bit to live with other optional services
and correct the path to /usr/local as an example.

Submitted by:	ru
2001-10-01 09:16:42 +00:00
Robert Watson
f2419a7154 Default to disabling all inetd.conf entries, in particular, telnetd
and ftpd.  This more conservative default reduces the exposure of
freshly installed machines, which is especially valuable for machines
that receive minimal further configuration before being put into
production.  Generally speaking, SSH has superseded the use of both
telnet and ftp in many environments.  In light of recent remotely
exploitable security holes in both telnetd and ftpd, this choice
retains flexibility (both telnetd and ftpd daemons remain installed
and easily enableable) while protecting users who don't need the
additional risk.  This change brings our configuration into line with
the majority of other UNIX vendors, including OpenBSD and NetBSD.

To address the concerns of those requiring remote access via telnet
from first install, changes will shortly be committed to sysinstall
to provide the ability to edit inetd.conf during the installation
process, allowing telnetd and ftp to be re-enabled during the
installation process.

While I'm at it, slightly improve commenting for inetd.conf so that
it's more clear to users how to enable and disable services.
Further commenting to indicate the functions of various columns would
probably also be useful.

Reviewed by:	imp, chris, jake, nate, -arch, -stable
2001-08-02 02:19:56 +00:00
Peter Wemm
b2e9880db0 Integrate the IPv6 entries with the rest of them to avoid things getting
out of sync.  A similar change was made by itojun on the OpenBSD tree
a few weeks ago.  This should stop people disabling one server and
forgetting the other one (eg: ftp and/or telnet)
2001-03-30 10:25:40 +00:00
Kris Kennaway
fecb6ab363 Disable rsh and rlogin by default. ssh and telnet are still available for
remote access on default installations.
2000-10-04 07:56:16 +00:00
Jordan K. Hubbard
da701298c0 Turn fingerd OFF by default. Comparative essentials like telnetd
are bad enough, but finger is hardly a critical system service and
it's traditionally been vulnerable to a variety of attacks; anybody
remember RTFM and his worm?
2000-10-03 00:08:15 +00:00
John Baldwin
2ef9d32b29 Fix a misspelling in the comments for tha IPv6 auth service and change them
to more closely resembles those in the IPv4 sction.
2000-03-25 21:17:24 +00:00
Yoshinobu Inoue
2df52745e8 Fix a typo. (s/eExample/Example/)
Submitted by: Robert Muir <rmuir@looksharp.net>
2000-03-05 20:23:44 +00:00
Yoshinobu Inoue
c66bb85011 Add IPv6 services into inetd.conf.
Also enable some standard IPv6 apps by default.
These entries will be simply ignored on systems with no INET6 defined.

Approved by: jkh
Suggested by: peter
2000-02-27 18:39:34 +00:00
Daniel Baker
dcca9856c6 Include a note below the example qmail entry that mentions that inetd is
no longer the correct way to have qmail handle incoming qmail smtp
connections.  Also provide a url to the correct method.
2000-01-10 20:02:28 +00:00
Peter Wemm
6e6afaaf50 Update the cvs pserver example so that it gives some more obvious clues
about the --allow-root switch.

PR:		14463
1999-12-26 15:18:58 +00:00
Peter Wemm
9b7a44a60e $Id$ -> $FreeBSD$ 1999-08-27 23:37:10 +00:00
Brian Feldman
22a8ff637d Add -n to the example and explanation of the internal auth service. 1999-07-24 17:19:54 +00:00
Sheldon Hearn
3467b84849 Document the -o and -t options to the internal auth service and give an
example of their usage in the sample config. Merge the two examples
for the green internal auth service.

This commit failed the first time around because Brian beat me to the
punch on inetd.8 . I like my descriptions better and I'm pretty sure
Brian won't mind.
1999-07-23 15:49:34 +00:00
Brian Feldman
e1e112f9a0 I think the last revision got lost here. Identd needs to be run as root,
at least for now. I relegated the getcred sysctls to only root, but if
they're deemed to be "allowable" to export to users, I'll do so and
revert this change.
1999-07-16 16:24:13 +00:00
Sheldon Hearn
2ab0563dfe Document the new {auth,ident,tap} service and provide examples in the
configuration file.

Requested by:	green
1999-07-16 15:41:14 +00:00
Brian Feldman
d33eb4c802 This is the working internal ident service. Turn it on by setting
the make variable REAL_IDENT, and ~/.fakeid support can be added
with FAKEID set. Note that the default behavior is the same as
the old behavior.
1999-07-15 01:34:02 +00:00
Andrey A. Chernov
a752e66f03 Due to recent pidentd port changes (switch to sysctl), identd must be
runned as root again, not kmem:kmem
1999-07-15 01:06:13 +00:00
Matthew Dillon
822ef72a9d comsat sandbox prevents biff/comsat from being able to print partial
mailbox contents.  comsat instead simply prints that new mail is
    available.  Add appropriate comment to inetd.conf but leave comsat in
    sandbox.
1998-12-01 22:01:59 +00:00
Matthew Dillon
ac48aa416a Added group bind(53), added sandbox users tty(4), kmem(5), and bind(53),
adjustd inetd.conf to run comsat and ntalk from tty sandbox, and
    the (commented out) ident from the kmem sandbox.

    Note that it is necessary to give each group access it's own uid to
    prevent programs running under a single uid from being able to gdb
    or otherwise mess with other programs (with different group perms) running
    under the same uid.
1998-12-01 21:19:49 +00:00
Poul-Henning Kamp
83713d0b04 Add example for the internal "ident server". 1998-11-04 19:42:35 +00:00
Wolfram Schneider
b78e5d76ba Limit the fingerd daemon to:
runs only 3 simultaneous fingerd processes and
        limit the connections-per-ip-per-minute to 10.
1998-09-30 16:12:40 +00:00
Brian Somers
a19eda1f28 Add Id keywords 1998-09-02 01:34:57 +00:00
Mark Murray
da892a30fd Clean up the kerberos entries, and add example CVS entries 1998-08-15 17:32:27 +00:00
Tim Vanderhoek
e3d2337be7 MFC: sample qmail entry. 1998-07-18 20:01:03 +00:00
Jordan K. Hubbard
0b104e4078 Restore the Samba entries which were spammed when someone added
the imap4 entry.
1997-09-28 22:25:29 +00:00
Andrey A. Chernov
6930f84b7b Add commented out example entry for imap4 1997-01-12 17:55:16 +00:00
Peter Wemm
7737a49d16 The kerberised network services should only be active in inetd.conf
if kerberos is installed.  So far as I'm aware, kerberos aware clients
detect ECONNREFUSED and (if allowed) fall back to the non-kerberos
servers.  They do not know how to interpret messages such as
"rlogind: unknown option -k".

I believe Garrett also mentioned this.

Unfortunately, this adds an extra step to bringing up kerberos.

It also stops /var/log/messages getting quite so many useless (and
confusing) error messages when somebody does a port scan on you.
1996-11-10 13:06:14 +00:00
Paul Traina
9080596148 In the brave new world, that that does not make us strong, kills us.
Turn OFF the "small servers" by default.  FreeBSD systems should only
serve actively used programs.  Jewels like chargen and echo are too
useful in attack scenarios.
1996-10-02 03:52:58 +00:00
Poul-Henning Kamp
6d26aec672 Add commented out example for bootps 1996-09-19 08:19:25 +00:00
Thomas Graichen
7c1caee10f changed /etc/[daily,weekly,monthly] to not rotate the logfiles by
"hand", changed /etc/crontab to call /usr/sbin/newsyslog every hour
(the entry was there before - but we haven't had any newsyslog until
today :-) and changed /etc/inetd.conf to also contain (commentet out)
entries for rpc.rquotad and rpc.sprayd (taken from NetBSD)
1996-01-05 10:09:13 +00:00