Roman Drahtmueller writes:
and it was about the "enabled"-directive in /etc/xinetd.conf. I do not consider this a DoS bug, and it is also not a "Schwerer Bug" (heavy bug), so I decided to skip it for the weekend (Thursday was a holiday in Bavaria and many other parts of Germany, and the following Friday is a good day to be taken off). It's a bug, and nothing else.
Yes, it jumps in your face the very moment you start thinking, "hey, why use default open when I can have default close, and let's use tcpd now."
The thing with the umask: I wonder why so many people start screaming at this right now. xinetd has been doing this for ages now, and all of a sudden everybody gets load about it. To me it seems that nobody has seen a negative impact of this since basically all started daemons set their umask on their own (which is the right thing to do), or a shell as a final result from starting a service sets its umask in /etc/profile.
Well, there are two reasons, and a patch. :-) The actual problem is that xinetd documentation doesn't mention that xinetd kills the umask. I'll report that separately to the xinetd mailing list again so they can fix their man page or their init.c or both. The Mandrake patch (it's the umask part of the patch I sent) changes the umask to 022, but removing the umask call from xinetd/init.c might also be a fix in the SuSE Linux environment, but I did not test that. You choose the one that fits. Either enforce 022 in xinetd or just have it inherit the umask.
I guess with the two instead of one problem fixed, an update package is justified. We will mention it in a section 2) of one of the next security announcements, but, honestly, it's not really worth an own announcement. And it is not marked "urgent", ok?
Of course. Thanks a lot. Please credit Mandrake as well. Also, since my subscription to xinetd was lost, I'm not sure if I was the first one to fix the "tcpd loops" bug. -- Matthias Andree