Bug 15715 - [security] fam starting script should include -L option
Summary: [security] fam starting script should include -L option
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified
Hardware: All Linux
Importance: High normal
Assignee: foser (RETIRED)
Reported: 2003-02-14 16:08 UTC by Artur Brodowski
Modified: 2004-08-18 21:58 UTC
Description Artur Brodowski 2003-02-14 16:08:57 UTC
I was trying out different firewall settings lately and I discovered that
fam (my box is also a GNOME workstation) does listen to non-local requests
by default.
From what I read in the manpage, when started by inetd (the rc starting script,
that is) the "local_only = true" config option is ignored, and one should
use the -L command-line argument to ensure accepting only local requests.
I edited the fam starting script, and bingo! nmap doesn't see the 8xx open port
anymore.
I'm no security expert, but I think 'local only' fam would be a more
secure default setting. I still don't know how to make sunrpc (tcp 111,
from portmap, which is started by the fam rc-script) listen only on the local
interface.

regards,
artb.
Comment 1 Daniel Seyffer 2003-02-15 10:40:20 UTC
Hm, first of all: disclaimer - I am not a gentoo developer. :-)

I just saw your bug report and it sounds - well "interesting" at least... ;-)

I just tried to check this. But...are you sure? As for me fam seems to be started directly as a daemon when using the /etc/init.d/fam init-script and not through inetd!

start-stop-daemon --start --quiet --exec /usr/bin/fam --background \
-- -T 0 -c /etc/fam.conf

netstat -tap says:
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:933           *:*                     LISTEN      28741/fam

Excuse me if I am wrong. Anyway - I just learnt that there is an -L option! :-)

PS: using fam-oss 2.6.9-r1
Comment 2 Martin Holzer (RETIRED) gentoo-dev 2003-02-15 11:43:25 UTC
foser is this really a security issue ?
Comment 3 Daniel Seyffer 2003-02-15 17:41:39 UTC
Hi all. 

Hm...just to add a piece of information as I already did interfere shamelessly here.

Let me sum up:

 man fam says:
 --- snip ----
       -L                        Local-only  mode.   fam  will   only   accept
                                 requests  from  clients  running on the local
                                 machine.  This overrides the local_only  flag
                                 in  the  configuration  file.  This option is
                                 ignored if fam is started by inetd.
 --- /snip ---

 /etc/fam.conf (default) says:
 --- snip ---
  #  local_only makes fam ignore requests from remote clients & remote fams.
  #  Note that this is ignored if fam is started by inetd.
  #
  #  The -L command-line argument overrides this option.
  #
  local_only = true
 --- /snip ---

 --- snip ---
 # ps -auxw | grep fam
 ds        2732  0.0  0.6  3312 1564 ?        S    21:14   0:00 /usr/bin/fam -T 0 -c /etc/fam.conf
 --- /snip ---

-> the init-script does use /etc/fam.conf ("local_only" enabled).
-> if -L is being specified, the fam.conf setting will be ignored.

So this problem _should_ only arise if you start fam from inetd and do not specify -L. Or if you start it directly from the CLI.

That said, IMHO it would be questionable to add "-L" in /etc/init.d/fam ("just to be sure") as fam.conf should work and one would expect fam to use the setting as specified in fam.conf - it has not been started from inetd...

Artur, listening to localhost only does make sense for sure.
 
But it should already only listen to localhost with current gentoo settings as far as I see this. But I already said that I am no developer, didn't I? On the other hand I do deal with network security as a profession so...
Comment 4 foser (RETIRED) gentoo-dev 2003-02-15 19:15:23 UTC
It is a security issue, but our suggested use is the init.d script which does honour the fam.conf provided (with local_only=true). If someone would like to use fam through inetd instead they would have to change settings on their own and I suppose they would read the docs (or they should really ;)). Putting '-L' in the init.d script is redundant and might cause confusion.

We're not starting fam as an inetd service as the initial post suggested, so no one should be.

Mainly repeating here what the shameless Daniel before me said ;)

But it does make me wonder why he claims that fam does open a port for him. Reporter, can you in any way confirm (some output) that the basic fam install opens a port to the outside for you when using the rc script as provided by Gentoo?

For me, I just scanned my machine from the outside and fam didn't show up.
Comment 5 foser (RETIRED) gentoo-dev 2003-02-25 12:16:08 UTC
No new arguments; I think I can dismiss this one, or the reporter can answer the questions in comment #4.
Comment 6 Jason Toffaletti 2004-08-18 21:58:24 UTC
I just noticed that fam.conf on my machine had local_only = false and I've never edited the file, so at some point the default was local_only = false. I also had the old /etc/init.d/fam init script, so I'm guessing this was from before they renamed it to famd.
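The thread turns on three things a defender can check on a box running fam: what local_only actually says in fam.conf (Comment 3 shows it as true, Comment 6 found it false without ever editing the file), whether the fam command line carries -L (which overrides the file), and what address the fam socket is really bound to (Comment 1's netstat output). The shell script below is an added example, not code from this bug report or from the fam or Gentoo sources. The fam.conf fragment, command line and netstat lines it works on are constructed for the demonstration, and it assumes the standard "netstat -tap" column layout (Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name).

```shell
#!/bin/sh
# Added example: audit whether fam is confined to the local machine.
# Sample inputs are constructed for this demonstration, not taken from a real host.

SAMPLE_FAM_CONF='#  local_only makes fam ignore requests from remote clients & remote fams.
#  The -L command-line argument overrides this option.
local_only = false'

SAMPLE_CMDLINE='/usr/bin/fam -T 0 -c /etc/fam.conf'

# Constructed "netstat -tap" style lines: fam on loopback, portmap on every
# interface, and one socket whose owner netstat could not resolve ("-").
SAMPLE_NETSTAT='tcp        0      0 localhost:933           *:*                     LISTEN      28741/fam
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      28700/portmap
tcp        0      0 *:2049                  *:*                     LISTEN      -'

# fam_conf_local_only CONF_TEXT
# Prints the effective local_only value ("true" or "false", lower-cased) or
# "unset" when the key appears only in comments or not at all. Later
# assignments override earlier ones, as a line-oriented parser would see it.
fam_conf_local_only() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[ \t]*#/ { next }                          # skip comment lines
        $1 ~ /^[ \t]*local_only[ \t]*$/ {
            val = $2; gsub(/[ \t]/, "", val); val = tolower(val)
        }
        END { print (val == "" ? "unset" : val) }'
}

# cmdline_has_local_only "ARGV STRING"
# Succeeds when the command line contains a bare -L token.
cmdline_has_local_only() {
    for tok in $1; do
        [ "$tok" = "-L" ] && return 0
    done
    return 1
}

# non_local_listeners NETSTAT_TEXT PROGRAM
# Prints the local addresses on which PROGRAM has a LISTEN socket that is not
# bound to loopback. "*" and 0.0.0.0 mean every interface and are reported.
non_local_listeners() {
    printf '%s\n' "$1" | awk -v prog="$2" '
        $6 != "LISTEN" { next }
        { split($7, p, "/"); if (p[2] != prog) next }  # match PID/Program name
        {
            addr = $4; sub(/:[^:]*$/, "", addr)      # strip the port
            if (addr ~ /^(localhost|127\.|::1$)/) next   # loopback is fine
            print addr
        }'
}

# fam_audit CONF_TEXT CMDLINE NETSTAT_TEXT
# Prints "ok" only when fam is confined by configuration (local_only = true)
# or by -L AND no non-loopback fam listener is visible; otherwise "review".
# A socket that happens to sit on localhost today does not excuse a config
# that says local_only = false, which is the situation Comment 6 describes.
fam_audit() {
    conf=$(fam_conf_local_only "$1")
    if cmdline_has_local_only "$2"; then
        confined=yes
    elif [ "$conf" = "true" ]; then
        confined=yes
    else
        confined=no
    fi
    exposed=$(non_local_listeners "$3" fam)
    if [ "$confined" = "yes" ] && [ -z "$exposed" ]; then
        echo ok
    else
        echo review
    fi
}

# Demonstration on the constructed sample.
echo "fam.conf local_only: $(fam_conf_local_only "$SAMPLE_FAM_CONF")"
echo "portmap non-local listeners: $(non_local_listeners "$SAMPLE_NETSTAT" portmap)"
echo "fam audit result: $(fam_audit "$SAMPLE_FAM_CONF" "$SAMPLE_CMDLINE" "$SAMPLE_NETSTAT")"
```

On a live system the three inputs would come from `cat /etc/fam.conf`, `ps -o args= -C fam` and `netstat -tap` (or `ss -tlnp`, which needs its own column mapping); the functions are kept separate so each source can be swapped without touching the others.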