> Hi,
> I recently sent a problem report to SuSE feedback and reported the second problem to the xinetd mailing list (I presume Mandrake have already reported #1), but haven't got a response from SuSE yet.
You sent the mail on Tuesday, and I saw it last night. The subject was
Subject: [SuSE 7.0] Schwerer Bug (DOS) in xinetd-2.1.8.8p3-18.i386.rpm
and it was about the "enabled" directive in /etc/xinetd.conf. I do not
consider this a DoS bug, and it is also not a "Schwerer Bug" (heavy bug),
so I decided to skip it for the weekend (Thursday was a holiday in Bavaria
and many other parts of Germany, and the following Friday is a good day to
take off). It's a bug, and nothing else. Nobody will keep you from
shooting yourself in the foot on a UN*X system, regardless of whether it is a
software bug or a problem between keyboard and chair.
The thing with the umask: I wonder why so many people start screaming about
this right now. xinetd has been doing this for ages now, and all of a
sudden everybody gets loud about it. To me it seems that nobody has seen a
negative impact from this, since basically all started daemons set their
umask on their own (which is the right thing to do), or a shell as the final
result of starting a service sets its umask in /etc/profile. And as
usual, if everybody starts publishing update packages, SuSE are expected
to do the same, without asking for a reason.
Linus has changed the default umask in the VFS layer of 2.4.4 because he's
right in saying "no default policy in the kernel". I guess people were
alerted by this, and now they're looking into umask settings of other
parts of the system. In the meantime, he has accepted a patch that
reverts this change when /sbin/init is started at the end of the kernel
boot. In addition to a umask setting of 022 in /sbin/init, the default
kernel in SuSE-7.2 has the VFS change reverted to prevent any accidents
that can result from a umask of 0 (such as world-writable files).
I guess with two problems fixed instead of one, an update package is
justified. We will mention it in section 2) of one of the next security
announcements, but, honestly, it's not really worth an announcement of its own.
And it is not marked "urgent", ok?
Thanks for the patch.
Thanks,
Roman.
--
| Roman Drahtmüller
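The point Roman makes above, that a daemon should set its own umask rather than trust the one it inherits (from xinetd, from init, or from a kernel with a 0 default), is easy to demonstrate. The following C program is an added example and not code from the mail, from xinetd or from SuSE; the function names and the file paths passed to them are constructed for the demonstration. Each helper first installs a simulated "inherited" umask, creates a file requesting mode 0666, and reports the permission bits the kernel actually applied. The naive service inherits a umask of 0 and ends up with a world-writable file; the hardened service calls umask(022) at startup, as the mail recommends, and gets 0644 regardless of what it inherited.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create `path` requesting 0666 and return the permission bits the kernel
 * actually applied after the process umask. The file is removed again.
 * Returns -1 on error. */
static int create_and_get_mode(const char *path)
{
    struct stat st;
    unlink(path);                                   /* start from a clean slate */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    unlink(path);
    return (int)(st.st_mode & 0777);
}

/* Naive service (constructed example): trusts whatever umask it inherited
 * from its parent. With an inherited umask of 0 this yields a 0666 file. */
int naive_service_create(const char *path, mode_t inherited_umask)
{
    mode_t saved = umask(inherited_umask);          /* simulate the inherited value */
    int mode = create_and_get_mode(path);
    umask(saved);                                   /* restore for the caller */
    return mode;
}

/* Hardened service (constructed example): sets its own umask at startup,
 * so the inherited value no longer decides the mode of created files. */
int hardened_service_create(const char *path, mode_t inherited_umask)
{
    mode_t saved = umask(inherited_umask);          /* simulate the inherited value */
    umask(022);                                     /* do not trust the inherited umask */
    int mode = create_and_get_mode(path);
    umask(saved);
    return mode;
}

int main(void)
{
    /* Demo paths are constructed; any writable directory will do. */
    printf("naive, inherited umask 0:     %04o\n",
           naive_service_create("/tmp/umask_demo_naive", 0));
    printf("hardened, inherited umask 0:  %04o\n",
           hardened_service_create("/tmp/umask_demo_hardened", 0));
    printf("naive, inherited umask 022:   %04o\n",
           naive_service_create("/tmp/umask_demo_naive", 022));
    return 0;
}
```

Run it once as a normal user: the first line prints 0666 (world-writable), the other two print 0644. The same check, a stat of a freshly created file, is a quick way to audit whether a given service really sets its umask or merely happens to be started from a shell whose /etc/profile did it.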