Kev Buckley wrote:

> If LFS is going to be *secure*, then personally I hope you guys get
> rid of most of the inetutils clients

Well, we already remove the servers, so by removing the clients we may as well just remove the entire package :) Seriously though, secure versions for most of those clients are available:

ftp (FHS-3.4.3) -> sftp
ping (FHS-3.4.3) -> ???
rcp -> scp
rlogin -> ???
rsh -> ssh
talk (POSIX) -> ???
telnet -> ssh
tftp (FHS-3.4.3) -> sftp

As you can see, the FHS only stipulates that ftp and tftp should be on a system when "restoration of a system is planned through the network". 'ping' is a tough one though. The FHS says it should be in '/bin' "if the corresponding subsystem is installed". I assume in this example, the corresponding subsystem would be networking, right? The LSB doesn't mention any of the binaries in http://refspecs.freestandards.org/LSB_3.0.0/LSB-Core-generic/LSB-Core-generic/command.html#TBL-CMDS either. The POSIX SUSv3 standard lists 'talk' as optional, and doesn't mention the other utilities at all.

Whilst researching this was quite enlightening, I think that such system hardening really does fall into "your distro, your rules". Clients such as ftp and telnet are still largely useful, and therefore I think it should be up to each sysadmin to determine whether they definitely do not require the functionality they provide.

Regards,

Matt.
--
http://linuxfromscratch.org/mailman/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page