Useful information

Caldera

Caldera OpenLinux 2.2

Caldera has a graphical installer for 2.2 called "lizard", with a number of nice features. During the installation it forces you to create a user account, which will hopefully encourage people not to log in as root all the time. There is also an entry for "sulogin" in /etc/inittab, meaning you can't just type "linux single" at the lilo boot prompt and get dropped to a root shell; you must first enter root's password. (Note that sulogin only guards single-user mode: "linux init=/bin/sh" at the same prompt still gives a root shell unless lilo itself is protected with "password=" and "restricted" in /etc/lilo.conf.) There are, however, several problems with the default installation that you will need to correct.

inetd.conf

The file /etc/inetd.conf, which controls the services inetd starts on demand, has a number of old and dangerous services turned on by default:

echo	stream	tcp	nowait	root	internal
echo	dgram	udp	wait	root	internal
discard	stream	tcp	nowait	root	internal
discard	dgram	udp	wait	root	internal
daytime	stream	tcp	nowait	root	internal
daytime	dgram	udp	wait	root	internal
chargen	stream	tcp	nowait	root	internal
chargen	dgram	udp	wait	root	internal
gopher	stream	tcp	nowait	root	/usr/sbin/tcpd gn
shell	stream	tcp	nowait	root	/usr/sbin/tcpd in.rshd
login	stream	tcp	nowait	root	/usr/sbin/tcpd in.rlogind
exec	stream	tcp	nowait	root	/usr/sbin/tcpd in.rexecd
talk	dgram	udp	wait	nobody.tty	/usr/sbin/tcpd in.talkd
ntalk	dgram	udp	wait	nobody.tty	/usr/sbin/tcpd in.ntalkd
uucp	stream	tcp	nowait	uucp	/usr/sbin/tcpd /usr/sbin/uucico -l

These should all be commented out (place a "#" at the beginning of each line), then make inetd re-read the file with "killall -1 inetd" (signal 1 is SIGHUP). Afterwards "netstat -an" should no longer show anything listening on TCP ports 7, 9, 13, 19, 70, 512, 513, 514 and 540, nor anything bound to UDP ports 7, 9, 13, 19, 517 and 518.
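As an added example (not code from the original page), the following script does the edit above mechanically: it comments out exactly the services listed, leaves everything else alone, and then shows what is still enabled. The service names, the file path and the SIGHUP reload are the ones the text gives; the sample inetd.conf it runs against by default is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original page: comment out the services
# listed above in inetd.conf, reload inetd, and show what is still enabled.
# Service names, file path and the reload signal are the ones the text gives.

# The services the text says to turn off (both tcp and udp entries match).
DANGEROUS="echo discard daytime chargen gopher shell login exec talk ntalk uucp"

# Comment out every active line whose first field is in the list. Lines that
# are already comments, and services not in the list, are left untouched.
disable_inetd_services() {
    conf=$1; shift
    list=" $* "
    awk -v list="$list" '
        /^[^# \t]/ && index(list, " " $1 " ") { print "#" $0; next }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the service names that are still enabled, one per line.
enabled_inetd_services() {
    awk '/^[^# \t]/ { print $1 }' "$1"
}

# Dry run on a constructed sample file: a cut-down copy of the default
# entries plus ftp and telnet, which are not on the list above.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample inetd.conf
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
chargen stream  tcp     nowait  root    internal
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd in.fingerd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd in.rlogind
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd in.telnetd
EOF
    disable_inetd_services "$tmp" $DANGEROUS
    echo "still enabled:"; enabled_inetd_services "$tmp"    # ftp, telnet
    rm -f "$tmp"
}

if [ "$1" = apply ]; then
    # The real thing: edit the live file and make inetd re-read it (SIGHUP).
    disable_inetd_services /etc/inetd.conf $DANGEROUS
    killall -1 inetd
    echo "still enabled:"; enabled_inetd_services /etc/inetd.conf
else
    demo
fi
```

Run it with no arguments for the dry run on the sample file, or as root with "apply" to edit /etc/inetd.conf and reload inetd. Matching on the first field rather than on the whole line is what keeps ftp and telnet (or anything else you deliberately leave on) intact.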

portmap

One service many people will want to turn off is portmap. It is used by a variety of RPC-based services such as NFS, and it has a history of problems. Turning it off in OpenLinux is a bit of a pain, however, since it is started from the same script that starts inetd. You can either remove the portmap package ("rpm -e portmap"; run "rpm -q --whatrequires portmap" first so you know what depends on it) or edit /etc/rc.d/init.d/inet, changing:

NAME1=inetd
DAEMON1=/usr/sbin/$NAME1
NAME2=rpc.portmap
DAEMON2=/usr/sbin/$NAME2

to :

NAME1=inetd
DAEMON1=/usr/sbin/$NAME1
#NAME2=rpc.portmap
#DAEMON2=/usr/sbin/$NAME2

and:

# Bail out if neither is present
[ -x $DAEMON1 ] || [ -x $DAEMON2 ] || exit 2

to:

# Bail out if neither is present
[ -x $DAEMON1 ] || exit 2

and:

[ -x $DAEMON1 ] && ssd -S -n $NAME1 -x $DAEMON1 -- $INETD_OPTIONS
[ -x $DAEMON2 ] && ssd -S -n $NAME2 -x $DAEMON2 -- $PORTMAP_OPTIONS

to:

[ -x $DAEMON1 ] && ssd -S -n $NAME1 -x $DAEMON1 -- $INETD_OPTIONS
# [ -x $DAEMON2 ] && ssd -S -n $NAME2 -x $DAEMON2 -- $PORTMAP_OPTIONS

and then comment out this NFS-unmount block entirely:

NFS=""
cat /etc/mtab | while read dev mpoint type foo; do
    [ "$type" = "nfs" ] && NFS="$mpoint $NFS"
done
if [ -n "$NFS" ]; then
    echo -n "Unmounting NFS filesystems: "
    POLICY=I # Ignore 'device busy' during shutdown
    [ "$PROBABLY" != "halting" ] && POLICY=1 # exit on 'busy'
    for mpoint in $NFS; do
        SVIrun S $POLICY "$mpoint" "!$mpoint" \
            umount $mpoint
    done
    echo "."
fi

With portmap gone, "rpcinfo -p localhost" should report that it cannot contact the portmapper and "netstat -an" should show nothing listening on port 111. Remember that anything RPC-based, NFS and amd included, needs portmap and will stop working.

amd

Another service installed by default in OpenLinux 2.2 is the automount daemon (amd). It lets you map directories to devices or NFS locations, so you can define /auto/cdrom as /dev/cdrom, and when you "cd /auto/cdrom" the system automatically mounts /dev/cdrom there with the appropriate options (read-only, etc.). amd listens on a semi-random port, usually in the 600-800 range, which it registers with portmap ("rpcinfo -p" will show it, and it will not work once portmap is turned off as described above). The service is definitely useful on a workstation, since it saves users from having to mount every removable medium they want to use (CD-ROM and floppy being the most common) by hand. However, I would not recommend it on machines running as servers, because of amd's history of problems. Turning amd off is easy: rename the symlinks from "S30amd" to "K70amd" (check the other /etc/rc.d/rc?.d directories too if the machine boots into a runlevel other than 3 or 5).

mv /etc/rc.d/rc3.d/S30amd /etc/rc.d/rc3.d/K70amd 
mv /etc/rc.d/rc5.d/S30amd /etc/rc.d/rc5.d/K70amd 
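The two mv commands above generalise to any SysV service and any runlevel. The following added example (not code from the original page) does the rename in every /etc/rc.d/rcN.d directory where a start link exists, reports what it changed, and lets you confirm that no start link is left. RCROOT is an assumption introduced for this example so the functions can be exercised on a scratch copy of the tree; the scratch tree the demo builds is constructed, not copied from a real system.

```shell
#!/bin/sh
# Added example, not code from the original page: disable a SysV service such
# as amd by turning its S link into a K link in every runlevel directory where
# one exists, which generalises the two mv commands above. RCROOT is an
# assumption for this example: set it to a scratch directory to try the
# functions on a copy; leave it empty to act on the real /etc/rc.d.
RCROOT=${RCROOT:-}

# Rename S??name to K70name in each /etc/rc.d/rcN.d; prints each rename and
# returns 1 if no start link for the service was found anywhere.
disable_sysv_service() {
    name=$1; found=1
    for d in "$RCROOT"/etc/rc.d/rc[0-6].d; do
        for link in "$d"/S[0-9][0-9]"$name"; do
            [ -L "$link" ] || [ -e "$link" ] || continue   # glob matched nothing
            mv "$link" "$d/K70$name" && echo "$link -> $d/K70$name"
            found=0
        done
    done
    return $found
}

# Print every start link still present for the service (none after disabling).
start_links() {
    for link in "$RCROOT"/etc/rc.d/rc[0-6].d/S[0-9][0-9]"$1"; do
        if [ -L "$link" ] || [ -e "$link" ]; then echo "$link"; fi
    done
    return 0
}

# Constructed scratch tree mirroring the layout the text describes, with amd
# started in runlevels 3 and 5 and inet left alone.
demo() {
    RCROOT=$(mktemp -d)
    mkdir -p "$RCROOT/etc/rc.d/init.d" "$RCROOT/etc/rc.d/rc3.d" "$RCROOT/etc/rc.d/rc5.d"
    : > "$RCROOT/etc/rc.d/init.d/amd"; : > "$RCROOT/etc/rc.d/init.d/inet"
    for n in 3 5; do
        ln -s ../init.d/amd "$RCROOT/etc/rc.d/rc$n.d/S30amd"
        ln -s ../init.d/inet "$RCROOT/etc/rc.d/rc$n.d/S20inet"
    done
    disable_sysv_service amd
    echo "amd start links left: $(start_links amd | wc -l | tr -d ' ')"   # 0
    ls "$RCROOT/etc/rc.d/rc3.d"      # K70amd S20inet
    rm -rf "$RCROOT"; RCROOT=
}

case "$1" in
    "") demo ;;                     # no argument: run on the scratch tree
    *)  disable_sysv_service "$1" ;;  # as root: disable the named service for real
esac
```

Run with no arguments to see it work on the scratch tree, or as root with a service name (e.g. "amd") to act on /etc/rc.d. The K70 number only matters relative to the other kill links in the same directory; it is the one the text uses.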

SSH

SSH RPMs are not available for OpenLinux 2.2 (that is to say, I have not found any). The SSH RPMs built for Red Hat fail miserably, and the source RPMs also fail to compile, but SSH compiles cleanly from source with no problems. You can get the SSH source code from: ftp://ftp.replay.com/pub/replay/crypto/SSH/. To start sshd you minimally need to run "/usr/local/bin/sshd" at boot time from a script (confirm the path after "make install", since depending on the configure prefix it may end up as /usr/local/sbin/sshd); it will look for its config files in /etc and should start fine.
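A minimal boot script for that, as an added example rather than anything from Caldera or the original page: it starts sshd only if the binary is actually there and no copy is already running, and it can stop the daemon again via its pid file. It assumes the /usr/local/bin/sshd path the text gives and a pid file of /etc/sshd.pid (the ssh 1.x default); both are plain variables you can override.

```shell
#!/bin/sh
# Added example, not Caldera's or the author's script: a minimal SysV-style
# start/stop script for a source-built sshd, to be installed as
# /etc/rc.d/init.d/sshd and linked from rc3.d/rc5.d like the other services.
# Assumptions: sshd is /usr/local/bin/sshd as the text says, and it writes its
# pid to /etc/sshd.pid (the ssh 1.x default); both can be overridden.
SSHD=${SSHD:-/usr/local/bin/sshd}
PIDFILE=${PIDFILE:-/etc/sshd.pid}

# Succeeds if the pid recorded in PIDFILE belongs to a live process.
sshd_running() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE") || return 1
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Start sshd once; refuses if the binary is missing or a copy is already up.
sshd_start() {
    if [ ! -x "$SSHD" ]; then
        echo "sshd: $SSHD is not executable; check where make install put it" >&2
        return 2
    fi
    if sshd_running; then
        echo "sshd already running (pid $(cat "$PIDFILE"))"
        return 0
    fi
    # No options needed: sshd reads /etc/sshd_config and its host key from /etc.
    "$SSHD" && echo "sshd started"
}

# Stop the daemon named in PIDFILE and remove the pid file.
sshd_stop() {
    sshd_running || { echo "sshd not running"; return 1; }
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE" && echo "sshd stopped"
}

case "$1" in
    start)   sshd_start ;;
    stop)    sshd_stop ;;
    restart) sshd_stop; sshd_start ;;
    status)  if sshd_running; then echo "sshd running"; else echo "sshd stopped"; exit 1; fi ;;
    "")      ;;   # no argument: only define the functions (useful for sourcing)
    *)       echo "usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Install it as /etc/rc.d/init.d/sshd, make it executable, and add S and K links in the runlevel directories the same way the other services are linked. The pid-file check is what stops a second sshd from being started on every "restart", which would otherwise fail noisily when it finds port 22 taken.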

Novell 

I haven't tested the Novell software yet, so it is unknown whether there are any issues.

Updates

Updates for Caldera OpenLinux 2.2 are available from: ftp://ftp.calderasystems.com/pub/openlinux/2.2/current/RPMS/.

Security Portal

Written by Kurt Seifried