Your message dated Sun, 16 Jan 2005 12:17:02 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#256523: fixed in harden-doc 3.0.1.2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 27 Jun 2004 16:48:12 +0000
>From [EMAIL PROTECTED] Sun Jun 27 09:48:12 2004
Return-path: <[EMAIL PROTECTED]>
Received: from adsl-66-72-39-38.dsl.bltnin.ameritech.net (laakshmi) 
[66.72.39.38] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1BecpA-0005kp-00; Sun, 27 Jun 2004 09:48:12 -0700
Received: from aarre by laakshmi with local (Exim 3.36 #1 (Debian))
        id 1Becoe-0003fn-00; Sun, 27 Jun 2004 11:47:40 -0500
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Aarre Laakso <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: harden-doc: Section on RPC needs clarification
X-Mailer: reportbug 2.61
Date: Sun, 27 Jun 2004 11:47:40 -0500
Message-Id: <[EMAIL PROTECTED]>
Sender: Aarre Laakso <[EMAIL PROTECTED]>
X-BadReturnPath: [EMAIL PROTECTED] rewritten as [EMAIL PROTECTED]
  using "From" header
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.5 required=4.0 tests=BAYES_00,HAS_PACKAGE,
        HTML_10_20,HTML_MESSAGE autolearn=no 
        version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: harden-doc
Severity: minor
Tags: patch


Index: services.sgml
===================================================================
RCS file: /cvs/debian-doc/ddp/manuals.sgml/securing-howto/en/services.sgml,v
retrieving revision 1.1
diff -u -r1.1 services.sgml
--- services.sgml       4 Jun 2004 17:50:15 -0000       1.1
+++ services.sgml       27 Jun 2004 16:33:04 -0000
@@ -1306,7 +1306,7 @@
 
 <sect>Disabling NIS 
 
-<p>You should not use NIS, the Network Information Service, if it is
+<p>You should not use NIS, the Network Information Service, if
 possible, because it allows password sharing. This can be highly
 insecure if your setup is broken.
 
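Review bot: the changed line still expands NIS as "Network Information Service", while the RPC text added later in this same patch writes "NIS (Network Information System)"; use one expansion in both sections. The qualifier would also read more naturally moved to the front, for example "Where possible, do not use NIS, the Network Information Service, because it allows password sharing."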
@@ -1314,13 +1314,11 @@
 consider using other alternatives. For example, you can setup an LDAP
 server and configure PAM on your system in order to contact the LDAP
 server for user authentication. You can find a detailed setup in the
-<url
-name="LDAP-HOWTO" id="http://www.tldp.org/HOWTO/LDAP-HOWTO.html";>
+<url name="LDAP-HOWTO" id="http://www.tldp.org/HOWTO/LDAP-HOWTO.html";>
 (<file>/usr/share/doc/HOWTO/en-txt/LDAP-HOWTO.txt.gz</file>).
 
-<p>Read more on NIS security in
-<url
-name="NIS-HOWTO" id="http://www.tldp.org/HOWTO/NIS-HOWTO.html";>
+<p>You can read more about NIS security in the
+<url name="NIS-HOWTO" id="http://www.tldp.org/HOWTO/NIS-HOWTO.html";>
 (<file>/usr/share/doc/HOWTO/en-txt/NIS-HOWTO.txt.gz</file>).
 
 
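Review bot: the two <url> tags are joined onto a single line here, but the NFS-HOWTO tag added in the RPC hunk of this same patch is split again between name= and id=; pick one layout for all three. Both the removed and the added lines also show a ";" between the closing quote of the id value and ">"; if that character is really in services.sgml rather than introduced in transit, drop it while these lines are being touched.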
@@ -1328,26 +1326,38 @@
 
 <sect id="rpc">Disabling RPC services
 
-<p>You should disable RPC wherever possible, that is, when you do not need it.
-<footnote>
-You only probably need it if using NFS (Network File System), NIS
-(Network Information System) or some other RPC-based service.
-</footnote>
-Many security holes for both the portmapper service and RPC-based
-services are known and could easily be exploited. On the other hand NFS
-services are quite important in some networks, so find a balance of
-security and usability in your network. Some of the DDoS (distributed
-denial of service) attacks use rpc exploits to get into the system and
-act as a so called agent/handler. Read more on NFS security in
-<url
-name="NFS-HOWTO" id="http://www.tldp.org/HOWTO/NFS-HOWTO.html";>
-(<file>/usr/share/doc/HOWTO/en-txt/NFS-HOWTO.txt.gz</file>).
-
-<p>Disabling portmap is quite simple. There are different methods. The
-simplest one in a Debian 3.0 system is to uninstall the
-<package>portmap</package> package. If you are running another version
-you will have to disable the service as seen in <ref
-id="disableserv">, this is due to the program being a part of the
+<p>You should disable RPC if you do not need it.
+
+<p>Remote Procedure Call (RPC) is a protocol that programs can use to
+request services from other programs located on different computers.
+The <progn>portmap</progn> service controls RPC services by mapping
+RPC program numbers into DARPA protocol port numbers; it must be
+running in order to make RPC calls.
+
+<p>You only need RPC if you are using an RPC-based service.  The most
+common RPC-based services are NFS (Network File System) and NIS
+(Network Information System). See the previous section for more
+information about NIS. The File Alteration Monitor (FAM) provided by the
+package <package>fam</package> is also an RPC service, and thus
+depends on <package>portmap</package>.
+
+NFS services are quite important in some networks. If that is the case
+for you, then you will need to find a balance of security and
+usability for your network.  (You can read more about NFS security in
+the <url name="NFS-HOWTO"
+id="http://www.tldp.org/HOWTO/NFS-HOWTO.html";>
+(<file>/usr/share/doc/HOWTO/en-txt/NFS-HOWTO.txt.gz</file>).)
+
+<p>Many security holes for both the <progn>portmap</progn> service and
+RPC-based services themselves are known and could easily be exploited.
+Some of the DDoS (distributed denial of service) attacks use RPC
+exploits to get into the system and act as a so called agent/handler.
+
+<p>Disabling <progn>portmap</progn> is quite simple. There are several
+different methods. The simplest one in a Debian 3.0 system is to
+uninstall the <package>portmap</package> package. If you are running
+another version you will have to disable the service, as described in
+<ref id="disableserv">, because the program is part of the
 <package>net-base</package> package (which cannot be de-installed
 without breaking the system).
 
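Review bot: the added paragraph starting "NFS services are quite important in some networks." has no opening <p>, unlike every other paragraph this hunk adds, so it is not marked up as its own paragraph; start it with <p>. "See the previous section" would be more robust as a <ref>, which needs an id on the "Disabling NIS" <sect> (the RPC section already has id="rpc"), and the closing ").)" after the NFS-HOWTO file path is easier to read if the parenthetical is turned into a plain sentence.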

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-1-k6
Locale: LANG=POSIX, LC_CTYPE=POSIX (ignored: LC_ALL set to POSIX)

---------------------------------------
Received: (at 256523-close) by bugs.debian.org; 16 Jan 2005 17:23:14 +0000
>From [EMAIL PROTECTED] Sun Jan 16 09:23:06 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1CqE7G-0001Vp-00; Sun, 16 Jan 2005 09:23:06 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1CqE1O-0005qJ-00; Sun, 16 Jan 2005 12:17:02 -0500
From: Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#256523: fixed in harden-doc 3.0.1.2
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sun, 16 Jan 2005 12:17:02 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Source: harden-doc
Source-Version: 3.0.1.2

We believe that the bug you reported is fixed in the latest version of
harden-doc, which is due to be installed in the Debian FTP archive:

harden-doc_3.0.1.2.dsc
  to pool/main/h/harden-doc/harden-doc_3.0.1.2.dsc
harden-doc_3.0.1.2.tar.gz
  to pool/main/h/harden-doc/harden-doc_3.0.1.2.tar.gz
harden-doc_3.0.1.2_all.deb
  to pool/main/h/harden-doc/harden-doc_3.0.1.2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]> (supplier of updated 
harden-doc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----

Format: 1.7
Date: Sun, 16 Jan 2005 03:55:22 +0100
Source: harden-doc
Binary: harden-doc
Architecture: source all
Version: 3.0.1.2
Distribution: unstable
Urgency: low
Maintainer: Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]>
Changed-By: Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]>
Description: 
 harden-doc - Useful documentation to secure a Debian system
Closes: 256523 285664 287522
Changes: 
 harden-doc (3.0.1.2) unstable; urgency=low
 .
   * Updated from CVS, many changes including:
     - Clarify comments on ro /usr (Closes: #287522)
     - Clarification on RPC section (Closes: #256523)
   * Fix doc-base script, removed postscript, text and PDF versions
     since doc-base only handles HTML files at present. (Closes: #285664)
Files: 
 7a0e7c3da074c925a897ca5de96d9d16 704 doc extra harden-doc_3.0.1.2.dsc
 413e3beb48927a94124a2fde265e1bea 1115705 doc extra harden-doc_3.0.1.2.tar.gz
 323de85af50f720928d537cedf49e224 5599326 doc extra harden-doc_3.0.1.2_all.deb


