This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
[ITA] inetutils-1.5-1
- From: Charles Wilson <cygwin at cwilson dot fastmail dot fm>
- To: Mailing List: CygWin-Apps <cygwin-apps at cygwin dot com>
- Date: Sun, 24 Feb 2008 22:07:31 -0500
- Subject: [ITA] inetutils-1.5-1
As suggested by Corinna here:
http://cygwin.com/ml/cygwin-apps/2008-02/msg00097.html
> I won't update inetutils anymore, except for tiny fixes and packaging
> stuff. Actually I'd rather OBSOLETE it entirely. syslogd is replaced
> by syslog-ng and all other tools in inetutils are security holes all in
> themselves. Barring that, I could create a new inetutils package which
> doesn't install logger. Logger has not even a single Cygwin-specific
> patch in it.
> So, here's the choice:
> 1. Remove logger from inetutils.
> 2. Remove inetutils from the distro.
> 3. Another maintainer creates a new inetutils package using the latest
> upstream sources.
I'm tossing my hat in for #3. It's basically a new port, using the
previous patches (1.3.2-37 vs. upstream 1.3.2) as a guide, because none
of the patches seemed to apply cleanly, and there were other issues as well.
Actually, I /agree/ with Corinna that none of these tools (with the
possible exception of inetd itself, and syslogd [1]) should be used in a
security-conscious installation. However, we live in the real world,
and telnet/rsh are not going away...and if cygwin lacks these tools, it
will be viewed as a bug, not a feature.
[1] which can be replaced by xinetd (although that is unmaintained) and
syslog-ng
http://cygwin.cwilson.fastmail.fm/ITP/inetutils-1.5-1.tar.bz2
http://cygwin.cwilson.fastmail.fm/ITP/inetutils-1.5-1-src.tar.bz2
However, I'm running in to a little snag with regards to setup.ini!
Somehow, I'm tickling a bug in setup.exe (no, I don't think it's the
corrupted .lst.gz problem) and setup crashes when it tries to parse an
ini file that contains the inetutils info from my setup.hint. So, until
I figure out why THAT is happening, I'm not ready to actually upload
these packages. I'll post another message about this issue.
But that shouldn't stop you from d/l them, checking out the packaging,
maybe testing individual .exe's, etc. When I /do/ upload these, they
will be in test: for a good long while...
Changes with regards to 1.3.2-37:
(1) inetd now accepts multiple configuration files (or directories)
which will be searched. To accommodate this when running as a service
"under its own power", I'm using a registry key "ConfigPaths" instead of
"ConfigPath" -- the new key is a REG_MULTI_SZ instead of a REG_SZ, so
there are new routines to (safely, I hope) convert between this format
and the new inetd's char** config_files. By default, inetd uses
/etc/inetd.conf
/etc/inetd.d/
(2) The inetutils package no longer installs the server programs
as `in.rlogind' and similar. Instead they are installed as
`rlogind'. If you have an existing /etc/inetd.conf file (or
/etc/xinetd.conf) you should manually update these references.
(3) Added a new option to inetd: -T/--traditional-daemon, which does the
regular fork/daemonize behavior. This is used with the (also provided)
sysvinit-style startup script, so that inetd can be run under the
control of the sysvinit package's init daemon. So now, there are THREE
ways to run inetd as a service:
a) install as a service using cygrunsrv (with the -D option)
b) installed as a service under its own power
c) as a slave to the init service, using /etc/rc.d/init.d/inetd (which
uses the -T option when invoking inetd)
(4) There's also a little test program for the built-in services,
provided as source code in /usr/share/doc/inetutils-*/. You can easily
test TCP services using:
telnet <host> <port>
but there's no easy way to test UDP services. udp_client can be used to
do this:
udp_client <host> <port or service name> "some data to send"
For instance, the UDP echo service can be tested using:
$ udp_client localhost echo "hello"
Received from localhost: 'hello'.
$
Anyway, here's the setup.hint (which is causing such problems):
sdesc: "Common networking clients and servers"
ldesc: "inetutils provides common networking clients and
servers, including the inetd super-server, telnetd and
telnet, ftpd and ftp, rshd and rsh, rlogind and rlogin,
talkd and talk, tftpd and tftp, rexecd (but no rexec),
uucpd (but no uucp client), rcp, and syslogd.
Most of these utilities are security nightmares, dating
from a time when the internet was a more innocent place.
It is NOT recommended that you enable or use ANY of these
utilities -- except inetd and syslogd -- unless you have
a VERY good reason. Please consider using ssh and sshd
from the 'openssh' package instead of telnet and the r*
tools"
category: Net
requires: cygwin terminfo
curr: 1.3.2-37
test: 1.5-1
--
Chuck
inetutils
===========================================================
Common networking clients and servers, including the inetd
super-server, telnetd and telnet, ftpd and ftp, rshd and
rsh, rlogind and rlogin, talkd and talk, tftpd and tftp,
rexecd (but no rexec), uucpd (but no uucp client), rcp,
and syslogd.
Most of these utilities are security nightmares, dating
from a time when the internet was a more innocent place.
It is NOT recommended that you enable or use ANY of these
utilities -- except inetd and syslogd -- unless you have
a VERY good reason [1].
For telnet, rlogin, rsh, rexec, rcp, and the associated servers
the cygwin 'openssh' package provides a full replacement that
is secure.
The ftp protocol is fundamentally flawed, but if you must
use it, the cygwin 'proftpd' is a more modern and "secure"
replacement for the server. ncftp, lftp, curl, and a
myriad of other cygwin packages may satisfy your needs
for an ftp client.
Does anybody use talk anymore, in these days of IRC and IM?
uucp is all-but-dead, having been formally shut down in 2000:
http://en.wikipedia.org/wiki/UUCP#Decline
tftp is an atrocious, repulsive security horror freak show, with
ZERO authentication. Fortunately it is only used in specialized
situations (primarily these days in development of embedded
software via direct connections or protected local networks).
This port supports only downloads from server to client; the unix-
derived code in inetutils supports uploads only in wide-open
security regimes that are not even possible to recreate within
cygwin.
Concerning inetd and syslogd, more modern, secure, and flexible
replacements are available from the cygwin packages 'xinetd' and
'syslog-ng'.
So why is this package present? Because as insecure and flawed
as they are, the telnet, ftp, and r* tools, servers, and
protocols are still in wide use, and their conspicuous absence
would be viewed as a flaw, not a feature.
[1] and even then, employ firewall protection and the
tcpd tool from the tcp_wrappers package: see
/etc/defaults/etc/inetd.conf for more information.
===========================================================
Runtime requirements (these, or newer)
cygwin-1.5.25-7
terminfo-5.5_20061104-1
Build requirements
cygwin-1.5.25-7
terminfo-5.5_20061104-1
libncurses-devel-5.5-3
crypt-1.1-1
gcc-3.4.4-3
binutils-20060817-1
cygport-3.8-1
minires-devel-1.01
bison-2.3-1
autoconf
autoconf2.5
automake
automake1.10
Canonical homepage:
http://www.gnu.org/software/inetutils/
Canonical download:
http://ftp.gnu.org/gnu/inetutils/
License:
GPL v3
Language:
C
===========================================================
Build instructions:
unpack inetutils-1.5-X-src.tar.bz2
if you use setup to install this src package, it will be unpacked
under /usr/src automatically
cd /usr/src
cygport ./inetutils-1.5-X.cygport all
This will create:
/usr/src/inetutils-1.5-X-src.tar.bz2
/usr/src/inetutils-1.5-X.tar.bz2
===========================================================
Files included in inetutils-1.5-X:
see 'cygcheck -l inetutils' output or browse the listing
for the appropriate version at http://cygwin.com/packages/.
===========================================================
Port Notes:
Be sure to read /usr/share/doc/inetutils-1.5/inetutils.OLD-README
Eventually the relevant information will be moved to this file,
but for now, be SURE to read that one...
One big change from inetutils-1.3.x to inetutils-1.5 is that
multiple configuration files (and entire directories) can
be specified. By default, inetd will use
/etc/inetd.conf
/etc/inetd.d/
Also, the inetutils package no longer installs the server programs
as `in.rlogind' and similar. Instead they are installed as
`rlogind'. If you have an existing /etc/inetd.conf file (or
/etc/xinetd.conf) you should manually update these references.
-------------------- inetd --------------------
There are three ways to install the inetd super-server:
(1) as a Windows NT service via cygrunsrv:
cygrunsrv -I inetd -d "CYGWIN inetd" -p /usr/sbin/inetd -a -D
where the '-D' option means "do not fork and do not use
registry entries to control inetd's behavior". You can
specify additional arguments with more '-a <>' options,
such as to use custom .conf files and configuration
directories (otherwise, it will use /etc/inetd.conf and
the contents of /etc/inetd.d/).
In this case, the service can be started and stopped via:
cygrunsrv -S inetd
cygrunsrv -E inetd
To remove the server:
cygrunsrv -R inetd
(2) as a Windows NT service on its own:
/usr/sbin/inetd --install-as-service
It can then be started and stopped via
net start inetd
net stop inetd
The daemon will access the registry to determine which
configuration files to use. To specify these values,
include them as arguments in the initial installation:
/usr/sbin/inetd --install-as-service /my/conf1 /my/confdir
To remove the service, use:
/usr/sbin/inetd --remove-as-service
(3) As a slave of the init service. To do this, use the cygwin
setup program to download and install the following packages:
sysvinit
chkconfig
initscripts
psmisc
Follow the directions in the various README files associated
with those packages, to get the init daemon installed as
a service and running properly. Then:
/usr/sbin/chkconfig --add inetd
and restart the init service:
net stop init
net start init
In this configuration, inetd will always use the configuration
files /etc/inetd.conf and /etc/inetd.d/ (unless you edit
/etc/rc.d/init.d/inetd; but if you're going to edit files,
why not just edit the configuration files themselves?).
To disable the inetd service in this mode:
/usr/sbin/chkconfig inetd off
/etc/rc.d/init.d/inetd stop
Alternatively:
/usr/sbin/chkconfig inetd off
/usr/sbin/telinit 1
/usr/sbin/telinit 3
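The registry hand-off that method (2) relies on deserves a closer look. The announcement for this release says the "ConfigPaths" value is a REG_MULTI_SZ, a run of NUL-terminated strings ended by one extra NUL, which inetd turns into its char** config_files and back. The code below is an added, portable illustration written for this README, not the package's own conversion routine (whose name is not given here). It treats the registry data as untrusted: an image that lost its terminators is bounded by the byte length the registry reported instead of being read past the buffer, an empty string ends the list as the registry format defines, and an empty entry is never written back, because it would silently cut the list short. The default-value image in main() is constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Free a NULL-terminated char** produced by multi_sz_to_argv(). */
void free_argv(char **v)
{
    size_t i;
    if (!v) return;
    for (i = 0; v[i]; i++) free(v[i]);
    free(v);
}

/* Convert a REG_MULTI_SZ image ("a\0b\0\0") into a NULL-terminated char**.
 * len is the byte length the registry reported for the value.  The data is
 * treated as untrusted: an image that lost its terminators is cut off at len
 * instead of being read past the buffer, and the first empty string ends the
 * list, exactly as the registry defines it.  Returns the entry count, or -1
 * when allocation fails (*out is then NULL). */
int multi_sz_to_argv(const char *buf, size_t len, char ***out)
{
    size_t i, n = 0;
    char **v;

    *out = NULL;
    /* Pass 1: count entries without copying anything. */
    for (i = 0; i < len && buf[i] != '\0'; n++) {
        while (i < len && buf[i] != '\0') i++;   /* one string, bounded by len */
        i++;                                      /* its NUL (may run off len) */
    }
    v = calloc(n + 1, sizeof *v);                 /* +1 for the NULL sentinel */
    if (!v) return -1;
    /* Pass 2: copy each string; memchr bounds the scan by the bytes left. */
    for (i = 0, n = 0; i < len && buf[i] != '\0'; n++) {
        size_t rem = len - i;
        const char *nul = memchr(buf + i, '\0', rem);
        size_t l = nul ? (size_t)(nul - (buf + i)) : rem;
        v[n] = malloc(l + 1);
        if (!v[n]) { free_argv(v); return -1; }
        memcpy(v[n], buf + i, l);
        v[n][l] = '\0';
        i += l + 1;
    }
    *out = v;
    return (int)n;
}

/* Build a REG_MULTI_SZ image from a NULL-terminated char**.  Empty strings
 * are skipped: written out, one would terminate the list early and silently
 * drop every path after it.  *len receives the image size including the
 * final double NUL; the caller frees the result. */
char *argv_to_multi_sz(char *const *v, size_t *len)
{
    size_t total = 1, i;                          /* the extra terminating NUL */
    char *buf, *p;

    for (i = 0; v[i]; i++)
        if (v[i][0] != '\0') total += strlen(v[i]) + 1;
    if (total == 1) total = 2;                    /* empty list is "\0\0" */
    buf = calloc(total, 1);
    if (!buf) return NULL;
    for (i = 0, p = buf; v[i]; i++) {
        size_t l = strlen(v[i]) + 1;
        if (l == 1) continue;
        memcpy(p, v[i], l);
        p += l;
    }
    *len = total;
    return buf;
}

int main(void)
{
    /* Constructed image of the default ConfigPaths value; sizeof includes the
     * string literal's own NUL, which supplies the second terminator. */
    const char image[] = "/etc/inetd.conf\0/etc/inetd.d/\0";
    char **paths = NULL, *back;
    size_t n, i;
    int count = multi_sz_to_argv(image, sizeof image, &paths);

    for (i = 0; i < (size_t)count; i++)
        printf("config_files[%zu] = %s\n", i, paths[i]);
    back = argv_to_multi_sz(paths, &n);
    printf("round trip: %zu bytes, %s\n", n,
           n == sizeof image && memcmp(back, image, n) == 0 ? "identical" : "DIFFERENT");
    free(back);
    free_argv(paths);
    return 0;
}
```

The two passes keep the allocation exact, and the length bound in both passes is what makes a truncated or hand-edited registry value harmless: the worst case is a shorter path list, never an out-of-bounds read.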
The default configuration enables the built-in services (see below)
as well as:
ftp
telnet
shell (rsh, rcp)
login (rlogin)
exec (rexec)
talk
ntalk
where each server runs as the root (SYSTEM) user, with no access
restrictions. Think VERY hard before enabling the inetd super-
server with the default configuration.
At minimum, you should install the tcp_wrappers package, and
change the non-builtin service configurations (for example):
BAD: telnet stream tcp nowait root /usr/sbin/telnetd telnetd
BETTER: telnet stream tcp nowait root /usr/sbin/tcpd telnetd
BEST: #telnet don't care, use sshd instead
with appropriate access restrictions in /etc/hosts.allow and
/etc/hosts.deny (see `man -s 5 hosts_access')
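As an added example, not part of the package, the BAD/BETTER/BEST advice above turned into a check you can run over an inetd.conf: it parses each service line and reports every enabled, non-built-in service that inetd would start directly as root without going through tcpd, while counting the built-ins (which get no access control at all) and the tcpd-wrapped entries separately. The sample configuration is constructed for the example, modelled on the default service list above, not copied from /etc/defaults/etc/inetd.conf.

```c
#include <stdio.h>
#include <string.h>

typedef struct {
    char service[32], proto[8], user[32], server[128];
    int builtin;   /* server field is "internal": one of inetd's own services */
    int wrapped;   /* server program is tcpd, so hosts.allow/hosts.deny apply */
} inetd_entry;

/* Parse one inetd.conf line:
 *   service socket_type proto wait/nowait[.max] user[:group] server [args]
 * Returns 1 for a service entry, 0 for a blank or comment line, -1 if the
 * line lacks the six mandatory fields. */
int parse_inetd_line(const char *line, inetd_entry *e)
{
    char stype[16], wait[16], *colon;
    const char *base;

    while (*line == ' ' || *line == '\t') line++;
    if (*line == '\0' || *line == '#' || *line == '\n') return 0;
    memset(e, 0, sizeof *e);
    if (sscanf(line, "%31s %15s %7s %15s %31s %127s",
               e->service, stype, e->proto, wait, e->user, e->server) != 6)
        return -1;
    if ((colon = strchr(e->user, ':')) != NULL) *colon = '\0';   /* drop :group */
    e->builtin = strcmp(e->server, "internal") == 0;
    base = strrchr(e->server, '/');
    base = base ? base + 1 : e->server;
    e->wrapped = strcmp(base, "tcpd") == 0;
    return 1;
}

/* 0: goes through tcpd (BETTER); 1: built-in, no access control at all;
 * 2: external server run directly as root (BAD); 3: run directly as another user. */
int classify(const inetd_entry *e)
{
    if (e->builtin) return 1;
    if (e->wrapped) return 0;
    return strcmp(e->user, "root") == 0 ? 2 : 3;
}

/* Walk a whole inetd.conf text.  Returns the number of enabled external
 * services run directly as root; *builtins and *wrapped count the others. */
int audit_inetd_conf(const char *text, int *builtins, int *wrapped)
{
    int unwrapped_root = 0;
    const char *p = text;

    *builtins = 0;
    *wrapped = 0;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t l = full < 255 ? full : 255;       /* overlong lines are clipped */
        char line[256];
        inetd_entry e;

        memcpy(line, p, l);
        line[l] = '\0';
        if (parse_inetd_line(line, &e) == 1) {
            switch (classify(&e)) {
            case 0: (*wrapped)++;  break;
            case 1: (*builtins)++; break;
            case 2: unwrapped_root++;
                    printf("BAD:  %s/%s runs %s directly as root\n", e.service, e.proto, e.server);
                    break;
            }
        }
        p = nl ? nl + 1 : p + full;
    }
    return unwrapped_root;
}

/* Constructed sample modelled on the default service list; not the package's
 * /etc/defaults/etc/inetd.conf. */
const char SAMPLE_INETD_CONF[] =
    "# constructed sample inetd.conf\n"
    "echo    stream  tcp     nowait  root    internal\n"
    "echo    dgram   udp     wait    root    internal\n"
    "chargen stream  tcp     nowait  root    internal\n"
    "ftp     stream  tcp     nowait  root    /usr/sbin/ftpd    ftpd -l\n"
    "telnet  stream  tcp     nowait  root    /usr/sbin/tcpd    telnetd\n"
    "shell   stream  tcp     nowait  root    /usr/sbin/rshd    rshd\n"
    "#login  stream  tcp     nowait  root    /usr/sbin/rlogind rlogind\n";

int main(void)
{
    int builtins, wrapped;
    int bad = audit_inetd_conf(SAMPLE_INETD_CONF, &builtins, &wrapped);
    printf("%d unwrapped root service(s), %d built-in, %d behind tcpd\n", bad, builtins, wrapped);
    return bad != 0;
}
```

A wrapped entry is "BETTER", not safe: tcpd only consults hosts.allow and hosts.deny, so the check is worthless until those files actually restrict the daemon, and the BEST line in the list above (leave the service commented out) is the one the audit never has to flag.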
inetd built-in servers:
(1) echo tcp - try: telnet localhost echo
echo udp - try: udp_client localhost echo "blah blah blah"
(2) chargen tcp - try: telnet localhost chargen
chargen udp - try: udp_client localhost chargen "blah blah blah"
(3) discard tcp - try: telnet localhost discard
discard udp - try: udp_client localhost discard "blah blah blah"
(4) time tcp - try: telnet localhost time
time udp - try: udp_client localhost time
(5) daytime tcp - try: telnet localhost daytime
daytime udp - try: udp_client localhost daytime
udp_client is a simple program whose source is in
/usr/share/doc/inetutils-x.y.z/
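The udp_client source itself lives in that doc directory. As an added illustration, not the package's udp_client, here is the same exchange with both sides in one process: a stand-in for the built-in echo or discard responder bound to an ephemeral loopback port, and a client that sends one datagram and waits for the answer with a receive timeout. The timeout is the detail that matters when testing UDP services: discard never answers, and without it the client simply hangs. The example takes a numeric port only and runs entirely on 127.0.0.1, so it needs no running inetd; the payload is constructed.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

static struct sockaddr_in loopback(uint16_t port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return sa;
}

/* UDP socket bound to 127.0.0.1:*port (0 lets the kernel pick); the port
 * actually bound is written back.  Returns the descriptor, or -1. */
int udp_bind_loopback(uint16_t *port)
{
    struct sockaddr_in sa = loopback(*port);
    socklen_t sl = sizeof sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sl) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &sl) < 0) { close(fd); return -1; }
    *port = ntohs(sa.sin_port);
    return fd;
}

/* Wait up to timeout_ms for a reply: bytes received, 0 on timeout, -1 on error.
 * Without a timeout a test against 'discard', which never answers, hangs. */
int udp_recv_timeout(int fd, char *buf, size_t len, int timeout_ms)
{
    struct timeval tv;
    ssize_t n;
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0) return -1;
    n = recvfrom(fd, buf, len, 0, NULL, NULL);
    if (n < 0) return (errno == EAGAIN || errno == EWOULDBLOCK) ? 0 : -1;
    return (int)n;
}

/* Stand-in for one inetd built-in: take one datagram and, for echo, send it
 * straight back to its source; for discard, drop it on the floor. */
int serve_one_datagram(int srv, int echo)
{
    char buf[512];
    struct sockaddr_in from;
    socklen_t fl = sizeof from;
    ssize_t n = recvfrom(srv, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
    if (n < 0) return -1;
    if (echo && sendto(srv, buf, (size_t)n, 0, (struct sockaddr *)&from, fl) < 0) return -1;
    return (int)n;
}

/* The whole exchange in one process: the client's datagram waits in the server
 * socket's queue until serve_one_datagram() reads it, so no threads are needed.
 * Returns the reply length; 0 means the timeout fired (the discard case). */
int udp_exchange_demo(int echo, const char *payload, char *reply, size_t reply_len)
{
    uint16_t port = 0;
    int srv = udp_bind_loopback(&port);
    int cli = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in to = loopback(port);
    int n = -1;
    if (srv < 0 || cli < 0) goto out;
    if (sendto(cli, payload, strlen(payload), 0, (struct sockaddr *)&to, sizeof to) < 0) goto out;
    if (serve_one_datagram(srv, echo) < 0) goto out;
    n = udp_recv_timeout(cli, reply, reply_len - 1, 200);
    if (n >= 0) reply[n] = '\0';
out:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return n;
}

int main(void)
{
    char reply[64];
    int n = udp_exchange_demo(1, "hello", reply, sizeof reply);   /* constructed payload */
    printf("echo:    %d byte(s) back: '%s'\n", n, reply);
    n = udp_exchange_demo(0, "hello", reply, sizeof reply);
    printf("discard: %d byte(s) back (timed out, as expected)\n", n);
    return 0;
}
```

The same client half, pointed at a real inetd instead of the in-process responder, is all a UDP tester needs: one datagram out, one bounded wait, and a distinguishable result for "answered", "silent" and "error". The echo responder here also shows why the built-in echo and chargen services invite the ping-pong attack mentioned below: a datagram whose source address is another echo or chargen port is answered just as faithfully, and the two servers will keep bouncing traffic at each other.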
Note that the default inetd.conf file enables all five of these
built-in services. inetd does not perform any access restriction
on these services, so unless these ports are blocked by a
(hardware or software) firewall, this could expose you to a DoS
attack, especially in the case of the chargen service. The echo
service is also vulnerable to a ping-pong attack.
You should probably turn off (comment out) all five of these
services. The first three services (echo, chargen, and discard)
were never anything more than tools for debugging network
connections -- which nowadays is done using ping, traceroute,
and the ICMP protocol (not TCP or UDP). The other two (time
and daytime) have a better replacement in the ntp protocol
and related servers and clients. While the cygwin distribution
does not at present provide ntp tools, MS Windows has supported
the ntp client protocol natively since XP -- although they
call it "Internet Time", which actually means something entirely
different:
http://www.ntp.org/
http://www.timeanddate.com/time/internettime.html
-------------------- syslogd --------------------
syslogd is a daemon that monitors all messages written
using the unix 'syslog' interface, and writes those messages
to various files. Depending on the configuration specified
in /etc/syslog.conf, messages can be written to multiple
files, ignored, written to a pipe or console, etc. The
default configuration logs absolutely everything to a
single file, /var/log/messages.
To install the syslogd logging daemon as a service,
run the syslogd-config script. Then:
cygrunsrv -S syslogd
to start the daemon. To stop it:
cygrunsrv -E syslogd
Note that you must not install both syslogd and
syslog-ng at the same time; fortunately, the two
installation scripts (syslogd-config and syslog-ng-config)
will ensure that only one is installed at a time.
syslogd's behavior is controlled by /etc/syslog.conf.
See `man syslog.conf' for more information.
Also, note that there is only ONE way to run syslogd
as a service: it does not have a sysvinit startup script,
nor can it install itself as a service without the
assistance of cygrunsrv.
syslogd configuration can be somewhat tricky, and the
format of the file (`man -s 5 syslog.conf`) is notoriously
finicky. Be sure to use TABs, not SPACEs as separators,
and consider using syslog-ng instead, whose configuration
is modular, uses a sane syntax, and is more forgiving.
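Added example, not part of the package: a line checker for the two syslog.conf pitfalls named above, SPACEs instead of a TAB between the selector and the action, and selectors whose facility or priority names syslogd does not know. The facility and priority tables are the conventional BSD/sysklogd names and are an assumption of the example, not a list taken from this build; `man -s 5 syslog.conf` is authoritative for what it accepts. The sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Conventional BSD/sysklogd names; an assumption for this example, not a
 * list read out of this build of syslogd. */
static const char *const FACILITIES[] = { "auth", "authpriv", "cron", "daemon", "kern", "lpr",
    "mail", "mark", "news", "security", "syslog", "user", "uucp", "local0", "local1", "local2",
    "local3", "local4", "local5", "local6", "local7", "*", NULL };
static const char *const PRIORITIES[] = { "debug", "info", "notice", "warning", "warn", "err",
    "error", "crit", "alert", "emerg", "panic", "none", "*", NULL };

static int in_list(const char *const *list, const char *s, size_t n)
{
    for (; *list; list++)
        if (strlen(*list) == n && memcmp(*list, s, n) == 0) return 1;
    return 0;
}

/* Validate one "facility[,facility].priority" selector of n bytes. */
static int selector_ok(const char *s, size_t n)
{
    const char *end = s + n, *dot = NULL, *p, *pri, *fe;
    for (p = s; p < end; p++) if (*p == '.') dot = p;          /* last dot splits off the priority */
    if (!dot) return 0;
    for (pri = dot + 1; pri < end && (*pri == '=' || *pri == '!'); pri++) ;   /* sysklogd modifiers */
    if (!in_list(PRIORITIES, pri, (size_t)(end - pri))) return 0;
    for (p = s; p < dot; p = fe + 1) {                           /* comma-separated facilities */
        const char *c = memchr(p, ',', (size_t)(dot - p));
        fe = c ? c : dot;
        if (!in_list(FACILITIES, p, (size_t)(fe - p))) return 0;
    }
    return 1;
}

/* Classify one syslog.conf line: 1 blank/comment, 0 well formed, -1 selector
 * and action separated by SPACEs only (no TAB), -2 no action field at all,
 * -3 a selector with an unknown facility or priority. */
int check_syslog_conf_line(const char *line)
{
    const char *p = line, *ws, *s, *semi, *se;
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0' || *p == '#') return 1;
    for (ws = p; *ws && *ws != ' ' && *ws != '\t'; ws++) ;      /* end of the selector list */
    if (*ws == '\0') return -2;
    if (!memchr(ws, '\t', strspn(ws, " \t"))) return -1;        /* whitespace run holds no TAB */
    for (s = p; s < ws; s = se + 1) {                            /* ';'-separated selectors */
        semi = memchr(s, ';', (size_t)(ws - s));
        se = semi ? semi : ws;
        if (!selector_ok(s, (size_t)(se - s))) return -3;
    }
    return 0;
}

/* Check an array of lines; prints each faulty one and returns how many there were. */
int check_syslog_conf_lines(const char *const *lines, int count)
{
    static const char *const why[] = { "unknown facility or priority", "no action field",
                                       "SPACEs, not a TAB, before the action" };
    int i, bad = 0;
    for (i = 0; i < count; i++) {
        int r = check_syslog_conf_line(lines[i]);
        if (r < 0) { bad++; printf("line %d: %s: %s\n", i + 1, why[r + 3], lines[i]); }
    }
    return bad;
}

/* Constructed sample lines, not the package's default /etc/syslog.conf. */
const char *const SAMPLE_SYSLOG_LINES[] = {
    "# everything to one file, as the default configuration does",
    "*.*\t/var/log/messages",
    "mail.info;mail.!err\t/var/log/mail",
    "auth,authpriv.*   /var/log/auth.log",
    "kern.*",
    "cron.loud\t/var/log/cron",
};

int main(void)
{
    int n = (int)(sizeof SAMPLE_SYSLOG_LINES / sizeof *SAMPLE_SYSLOG_LINES);
    int bad = check_syslog_conf_lines(SAMPLE_SYSLOG_LINES, n);
    printf("%d of %d line(s) need fixing\n", bad, n);
    return bad != 0;
}
```

Running such a check before restarting the service is cheap insurance: a syslogd that silently ignores a malformed line loses exactly the messages an incident responder will later go looking for.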
---------- inetutils-1.5-1 -- 21 Feb 2007 -----------
* Update to current release
* Based on 1.3.2-37 port, by Corinna Vinschen -- which was
itself based on Sergey Okhapkin's original port to cygwin.
* Use cygport build framework
* Added startup script for use with sysvinit package if desired
* Added new command line option -T/--traditional-daemon for
use with sysvinit-style control of inetd.
* New maintainer
Cygwin port maintained by: Charles Wilson <cygwin@cygwin.com>