Cramsession Linux Newsletter

                    LINUX NEWS
            http://www.Cramsession.com
          November 14, 2002 - Issue #107

TABLE OF CONTENTS

1) Sean’s Notes

2) Linux News

Name Calling Isn't Working
Multiple Vulnerabilities in BIND 4 and 8
MySQL and NuSphere Settle
Solaris Desktop Initiatives

3) Linux Resources

Only 101?
Miscellaneous Unix Tips
Bugzilla. It's Where the Bugs Are
Please, Satisfy My Curiosity

4) App o’ the Week

~~~~~~~~~~~~~~~~~~~~~~~~ ADVERTISEMENT ~~~~~~~~~~~~~~~~~~~~~~~~~

Better Practice Tests at a Better Price! PrepLogic is raising the bar. You deserve the highest quality practice tests but you shouldn’t have to pay the highest price. Our practice tests are written by experienced Certified IT Professionals and designed to help you pass the first time. PrepLogic gives you superb, affordable quality. Still not convinced? Download a FREE demo or buy it and try it:

http://ad.brainbuzz.com/?RC153&AIW69

For information on how to advertise in this newsletter
please contact mailto:adsales@CramSession.com or visit
http://cramsession.com/marketing/default.asp

-------------------------
1) Sean's Notes
-------------------------

As I flip through past issues of the Cramsession Linux
Newsletter, I'm noticing that I've glossed over xinetd, but
haven't gone over its operation. I've given examples of using it
to set up a POP or IMAP server, and even gone as far as writing
a web server in Bourne shell that was powered by xinetd, but a
look at its features isn't there.

xinetd's job is to listen for incoming network connections on
behalf of other programs, and to pass control on to them. Rather
than have a dozen daemons sitting around, listening for
connections and wasting resources, xinetd does it in a more
efficient manner. Since it's a central point for many services,
it's also a great place to apply access controls, and relieve
the individual daemon of the job. Things that get many
connections like a web server aren't a good fit for xinetd, nor
are heavyweight processes like SSH. These normally run as their
own daemon.

xinetd is a modern replacement for inetd, which dates back to
the early days of Unix. It has several advantages over the
original inetd. Its configuration file syntax is more verbose,
and easier to understand than inetd's terse, one line per
service model. Rather than bolting on TCP Wrappers to control
access like inetd did, xinetd links in the wrapper libraries and
takes care of it all behind the scenes (also allowing you to
apply policy to UDP services). More security features were added
to xinetd to control logging and connection rates. In short, I
can't think of a reason you'd choose inetd over xinetd.

The configuration for xinetd tends to live in /etc/xinetd.d,
with the master configuration in /etc/xinetd.conf. xinetd.conf
sets the defaults, and then has a directive to include all the
files in xinetd.d. Thus, each service has its own file, making
packaging and maintenance a snap. The most important thing to
remember is that any changes to the configuration require a
restart of xinetd. The quickest way is:

killall -HUP xinetd

or a complete stop/start.

Each service has a configuration format like:

service <name> {
   attribute = value
   attribute = value
}

"name" comes right out of /etc/services, which provides the
mapping from TCP/UDP port numbers to name. For example, the
line for POP3 looks like:

pop3            110/tcp         pop-3

This says that "pop3" and "pop-3" are aliases for TCP port 110,
the POP3 service. Thus, the stanza for pop3 will look like:

service pop3 {
   attribute = value
   ...
}

It will also generally be stored in its own file, such as
/etc/xinetd.d/pop3.

The attributes and values do the real work, though. One
attribute that is helpful is the "what do I run to provide this
service?" attribute, namely the server:

server = /usr/sbin/popper

This tells xinetd to run /usr/sbin/popper whenever a connection
comes into the pop3 port. If we wanted to pass it some
arguments, say -c to force all usernames to lower case,

server_args = -c

will do the trick. Since popper needs root access to run, we
should say that too:

user = root

If you can get away with running a daemon with lower
privileges, here would be the place.

Two other things we'll need to make it work are the socket type
(stream or dgram for TCP and UDP respectively), and "wait".
This tells xinetd how to handle multiple requests.

wait = yes

...tells xinetd not to accept any more requests for the service
until the running instance of the service exits.

wait = no

...is what we'll usually use, so that it "forks and forgets"
the service so that multiple simultaneous users can be served.

That's the bare minimum you need to start a new service in
xinetd. To temporarily disable it, you can add "disable = yes".
This is probably the way your distribution ships, so you'll need
to fix that up.

Now that the service is enabled, it would be smart of us to
limit just who can connect.

only_from = 192.168.0.0/24, 127.0.0.1

...will only let the local network (192.168.0.0->0.255) and the
local host to connect.

Alternatively, you can use /etc/hosts.allow and /etc/hosts.deny
to control this access. I tend to put...

ALL:ALL

...in /etc/hosts.deny to block everyone, and then specifically
allow people in in /etc/hosts.allow:

popper: 192.168.0.0/255.255.255.0, 127.0.0.1

(Notice that I had to spell out the netmask with hosts.allow...
for some reason it doesn't like the shorthand.)

Now that access control is out of the way, protecting ourselves
from the authorized users is the next order of business:

instances
nice

That limits xinetd from having more than 10 POP daemons running,
and sets the nice value to 15, meaning that the processes run at
a lower priority (a high nice value means the process is, well,
"nice", and gives way to less nice processes. For more info,
check out http://ertw.com/~sean/news/Apr-26-2001.html)

Logging is also helpful:

log_on_success += DURATION

"+=" is a new one here. If you check the master xinetd.conf,
you'll see a default of...

log_on_success = HOST PID

...is there, meaning to log the connecting host, and the PID of
the daemon. "+=" adds something to that, in this case, the
duration of the connection.

Well, that's xinetd in a nutshell. It's got more features than
I could write about this week, but the following man pages will
help you out:

Configuration: xinetd.conf(5)
xinetd itself: xinetd(8)
hosts.allow/hosts.deny: hosts_access(5)

The number after the name directs you to the proper section,
since some of the pages I gave you exist in multiple places,
with the defaults usually being unhelpful to non-developers.
For more information on how to use the man system:

http://ertw.com/~sean/news/Jul-26-2001.html

Again, don't forget to restart xinetd after you make changes!


Long live the Penguin,

Sean
mailto:swalberg@cramsession.com


-------------------------
2) Linux News
-------------------------

--------------------------
Name Calling Isn't Working
--------------------------

"Microsoft believes many of its efforts to market its products
against Linux and open source are backfiring, according to an
internal memo leaked and posted on the Internet." Seems they're
going to try to win on TCO now. What next? "We've got nicer
packaging than Linux. Buy our stuff!"?

http://www.informationweek.com/story/IWK20021107S0004


----------------------------------------
Multiple Vulnerabilities in BIND 4 and 8
----------------------------------------

A few bugs have cropped up in BIND 4 and 8. Right now, it looks
like various denial of service attacks, and one DNS poisoning
attack. Not fun, so you'd better upgrade!

http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid!4
69


-------------------------
MySQL and NuSphere Settle
-------------------------

This concludes a long standing legal battle between these two
companies over the GPL status of the NuSphere modifications and
subsequent alleged misrepresentation.

http://www.mysql.com/press/release_2002_14.html


---------------------------
Solaris Desktop Initiatives
---------------------------

When I originally found this story, it was being billed as
"Solaris to become LSB compliant". However, it's much more, as
there are various news items about what SUN is doing on the
desktop front, and how it relates to their Linux initiatives.

http://www.theregister.co.uk/content/4/28020.html


-------------------------
3) Linux Resources
-------------------------

---------
Only 101?
---------

Here's a list of 101 things that Mozilla can do that IE can't.
For me, tabbed browsing tops the list, but the other 100 are
handy to have, too.

http://www.xulplanet.com/ndeakin/arts/reasons.html


-----------------------
Miscellaneous Unix Tips
-----------------------

This page has some handy shell fragments that you can put in
your system's /etc/profile script so that it will apply to all
users, and limit how many times, or from where your users log
in. There is also some advice on building long commands.

http://www.unixreview.com/documents/st59/uni1037029674539/


----------------------------------
Bugzilla. It's Where the Bugs Are
----------------------------------

Did you know that Red Hat's bug database is publicly accessible?
It's a great place to find out about problems with the latest
release. Since Red Hat support people answer the tickets, you'll
often find where to get the patches or instructions to fix your
problems.

https://bugzilla.redhat.com/bugzilla/query.cgi


----------------------------
Please, Satisfy My Curiosity
----------------------------

With the creation of the new RHCT certification, I was
interested in hearing if that was making people more likely to
take a Red Hat certification exam. Will it? Take this poll and
add your comments.

http://boards.cramsession.com/boards/vbm.asp?mf1949


-------------------------
4) App o' the Week
-------------------------

This is a sick game. Basically it's a 3D simulation of pushing
someone down the stairs, with an emphasis on correct physics.
It's surprisingly addictive, it had half my office running it.
It's a Windows executable, but I've heard some reports of it
running under WINE.

http://taat.fi/taat/porrasturvat/


-------------------------
(C) 2002 BrainBuzz.com, Inc. All Rights Reserved.
-------------------------
-------------------------

          This message is from CramSession

You are currently subscribed to the following list
   Hottest Linux News and Resources
   as: sean@ertw.com

To un-subscribe from this newsletter by e-mail,
   send a blank email message to:
   mailto:leave-linuxnews-3825955Y@list.cramsession.com

To subscribe to this newsletter and many others visit
our site at:
http://newsletters.cramsession.com/signup/default.asp

-------------------------------------------------------