Nov 14 2002


                    LINUX NEWS
            http://www.Cramsession.com
          November 14, 2002 - Issue #107


TABLE OF CONTENTS

1) Sean’s Notes

2) Linux News

Name Calling Isn't Working
Multiple Vulnerabilities in BIND 4 and 8
MySQL and NuSphere Settle
Solaris Desktop Initiatives

3) Linux Resources

Only 101?
Miscellaneous Unix Tips
Bugzilla. It's Where the Bugs Are
Please, Satisfy My Curiosity

4) App o’ the Week

~~~~~~~~~~~~~~~~~~~~~~~~ ADVERTISEMENT ~~~~~~~~~~~~~~~~~~~~~~~~~

Better Practice Tests at a Better Price! PrepLogic is raising the bar. You deserve the highest quality practice tests but you shouldn’t have to pay the highest price. Our practice tests are written by experienced Certified IT Professionals and designed to help you pass the first time. PrepLogic gives you superb, affordable quality. Still not convinced? Download a FREE demo or buy it and try it:

http://ad.brainbuzz.com/?RC153&AIW69

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For information on how to advertise in this newsletter please contact mailto:adsales@CramSession.com or visit http://cramsession.com/marketing/default.asp


1) Sean’s Notes

As I flip through past issues of the Cramsession Linux Newsletter, I’m noticing that I’ve glossed over xinetd, but haven’t gone over its operation. I’ve given examples of using it to set up a POP or IMAP server, and even gone as far as writing a web server in Bourne shell that was powered by xinetd, but a look at its features isn’t there.

xinetd’s job is to listen for incoming network connections on behalf of other programs, and to pass control on to them. Rather than have a dozen daemons sitting around, listening for connections and wasting resources, xinetd does it in a more efficient manner. Since it’s a central point for many services, it’s also a great place to apply access controls, and relieve the individual daemon of the job. Things that get many connections like a web server aren’t a good fit for xinetd, nor are heavyweight processes like SSH. These normally run as their own daemon.

xinetd is a modern replacement for inetd, which dates back to the early days of Unix. It has several advantages over the original inetd. Its configuration file syntax is more verbose, and easier to understand than inetd’s terse, one line per service model. Rather than bolting on TCP Wrappers to control access like inetd did, xinetd links in the wrapper libraries and takes care of it all behind the scenes (also allowing you to apply policy to UDP services). More security features were added to xinetd to control logging and connection rates. In short, I can’t think of a reason you’d choose inetd over xinetd.

The configuration for xinetd tends to live in /etc/xinetd.d, with the master configuration in /etc/xinetd.conf. xinetd.conf sets the defaults, and then has a directive to include all the files in xinetd.d. Thus, each service has its own file, making packaging and maintenance a snap. The most important thing to remember is that any changes to the configuration require a restart of xinetd. The quickest way is:

killall -HUP xinetd

or a complete stop/start.

Each service has a configuration format like:

service <name> { attribute = value attribute = value }

“name” comes right out of /etc/services, which provides the mapping from TCP/UDP port numbers to name. For example, the line for POP3 looks like:

pop3 110/tcp pop-3

This says that “pop3” and “pop-3” are aliases for TCP port 110, the POP3 service. Thus, the stanza for pop3 will look like:

service pop3 { attribute = value … }

It will also generally be stored in its own file, such as /etc/xinetd.d/pop3.

The attributes and values do the real work, though. One attribute that is helpful is the “what do I run to provide this service?” attribute, namely the server:

server = /usr/sbin/popper

This tells xinetd to run /usr/sbin/popper whenever a connection comes into the pop3 port. If we wanted to pass it some arguments, say -c to force all usernames to lower case,

server_args = -c

will do the trick. Since popper needs root access to run, we should say that too:

user = root

If you can get away with running a daemon with lower privileges, here would be the place.

Two other things we’ll need to make it work are the socket type (stream or dgram for TCP and UDP respectively), and “wait”. This tells xinetd how to handle multiple requests.

wait = yes

…tells xinetd not to accept any more requests for the service until the running instance of the service exits.

wait = no

…is what we’ll usually use, so that it “forks and forgets” the service so that multiple simultaneous users can be served.

That’s the bare minimum you need to start a new service in xinetd. To temporarily disable it, you can add “disable = yes”. This is probably the way your distribution ships, so you’ll need to fix that up.

Now that the service is enabled, it would be smart of us to limit just who can connect.

only_from = 192.168.0.0/24, 127.0.0.1

…will only let the local network (192.168.0.0->0.255) and the local host to connect.

Alternatively, you can use /etc/hosts.allow and /etc/hosts.deny to control this access. I tend to put…

ALL:ALL

…in /etc/hosts.deny to block everyone, and then specifically allow people in in /etc/hosts.allow:

popper: 192.168.0.0/255.255.255.0, 127.0.0.1

(Notice that I had to spell out the netmask with hosts.allow… for some reason it doesn’t like the shorthand.)

Now that access control is out of the way, protecting ourselves from the authorized users is the next order of business:

instances nice

That limits xinetd from having more than 10 POP daemons running, and sets the nice value to 15, meaning that the processes run at a lower priority (a high nice value means the process is, well, “nice”, and gives way to less nice processes. For more info, check out http://ertw.com/~sean/news/Apr-26-2001.html)

Logging is also helpful:

log_on_success += DURATION

”+=” is a new one here. If you check the master xinetd.conf, you’ll see a default of…

log_on_success = HOST PID

…is there, meaning to log the connecting host, and the PID of the daemon. “+=” adds something to that, in this case, the duration of the connection.

Well, that’s xinetd in a nutshell. It’s got more features than I could write about this week, but the following man pages will help you out:

Configuration: xinetd.conf(5) xinetd itself: xinetd(8) hosts.allow/hosts.deny: hosts_access(5)

The number after the name directs you to the proper section, since some of the pages I gave you exist in multiple places, with the defaults usually being unhelpful to non-developers. For more information on how to use the man system:

http://ertw.com/~sean/news/Jul-26-2001.html

Again, don’t forget to restart xinetd after you make changes!

Long live the Penguin,

Sean mailto:swalberg@cramsession.com


2) Linux News


Name Calling Isn’t Working

“Microsoft believes many of its efforts to market its products against Linux and open source are backfiring, according to an internal memo leaked and posted on the Internet.” Seems they’re going to try to win on TCO now. What next? “We’ve got nicer packaging than Linux. Buy our stuff!”?

http://www.informationweek.com/story/IWK20021107S0004


Multiple Vulnerabilities in BIND 4 and 8

A few bugs have cropped up in BIND 4 and 8. Right now, it looks like various denial of service attacks, and one DNS poisoning attack. Not fun, so you’d better upgrade!

http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid!4 69


MySQL and NuSphere Settle

This concludes a long standing legal battle between these two companies over the GPL status of the NuSphere modifications and subsequent alleged misrepresentation.

http://www.mysql.com/press/release_2002_14.html


Solaris Desktop Initiatives

When I originally found this story, it was being billed as “Solaris to become LSB compliant”. However, it’s much more, as there are various news items about what SUN is doing on the desktop front, and how it relates to their Linux initiatives.

http://www.theregister.co.uk/content/4/28020.html


3) Linux Resources


Only 101?

Here’s a list of 101 things that Mozilla can do that IE can’t. For me, tabbed browsing tops the list, but the other 100 are handy to have, too.

http://www.xulplanet.com/ndeakin/arts/reasons.html


Miscellaneous Unix Tips

This page has some handy shell fragments that you can put in your system’s /etc/profile script so that it will apply to all users, and limit how many times, or from where your users log in. There is also some advice on building long commands.

http://www.unixreview.com/documents/st59/uni1037029674539/


Bugzilla. It’s Where the Bugs Are

Did you know that Red Hat’s bug database is publicly accessible? It’s a great place to find out about problems with the latest release. Since Red Hat support people answer the tickets, you’ll often find where to get the patches or instructions to fix your problems.

https://bugzilla.redhat.com/bugzilla/query.cgi


Please, Satisfy My Curiosity

With the creation of the new RHCT certification, I was interested in hearing if that was making people more likely to take a Red Hat certification exam. Will it? Take this poll and add your comments.

http://boards.cramsession.com/boards/vbm.asp?mf1949


4) App o’ the Week

This is a sick game. Basically it’s a 3D simulation of pushing someone down the stairs, with an emphasis on correct physics. It’s surprisingly addictive, it had half my office running it. It’s a Windows executable, but I’ve heard some reports of it running under WINE.

http://taat.fi/taat/porrasturvat/


(C) 2002 BrainBuzz.com, Inc. All Rights Reserved.


      This message is from CramSession

You are currently subscribed to the following list Hottest Linux News and Resources as: sean@ertw.com

To un-subscribe from this newsletter by e-mail, send a blank email message to: mailto:leave-linuxnews-3825955Y@list.cramsession.com

To subscribe to this newsletter and many others visit our site at: http://newsletters.cramsession.com/signup/default.asp