Brian Cameron wrote:
> Moinak:
>
> I suspect many of these ports are related to how ORBit2 is set up on
> your system. You probably have an /etc/orbitrc file with these lines:
>
> ORBIIOPIPv4=1
> ORBLocalOnly=1
>
> This turns on IPv4 mode, so the ports are open, but turns on LocalOnly
> mode so that any connection requests from non-local machines are
> rejected.
Thanks for the clarification.

> This is turned on by default so that Java programs work with
> accessibility by default. Unfortunately Java doesn't support using
> a sockets connection for local-only ORBit requests (the technique
> used by GTK+ programs), and it only supports using connections over IP.

There was a similar issue for SMC, which is written in Java. The solution used was to bind the server's listening socket only to localhost (127.0.0.1) and use localhost as the hostname for local-only mode.

> If you don't use accessibility, then you can remove your /etc/orbitrc
> file and the ports should go away. For users who want to tighten
> security and who don't use Java accessibility, this might be a good
> option.

Smells like a good candidate to move into SMF, though I am not sure which service manifest will be suitable to hold this info. Maybe it will be interesting to create an SMF manifest, without any associated daemon, just to hold desktop-specific properties.

Regards,
Moinak.

> Brian
>
>> Just out of curiosity I ran this on my home PC while logged into JDS:
>>
>> netstat -an | grep LISTEN
>>
>> and was greeted with output that contained the following snippet:
>>
>> ...
>> *.64093 *.* 0 0 49152 0 LISTEN
>> *.33972 *.* 0 0 49152 0 LISTEN
>> *.56981 *.* 0 0 49152 0 LISTEN
>> *.49856 *.* 0 0 49152 0 LISTEN
>> *.39114 *.* 0 0 49152 0 LISTEN
>> *.54098 *.* 0 0 49152 0 LISTEN
>> *.36067 *.* 0 0 49152 0 LISTEN
>> *.53776 *.* 0 0 49152 0 LISTEN
>> *.58907 *.* 0 0 49152 0 LISTEN
>> *.33261 *.* 0 0 49152 0 LISTEN
>> *.36926 *.* 0 0 49152 0 LISTEN
>> *.55694 *.* 0 0 49152 0 LISTEN
>> *.53715 *.* 0 0 49152 0 LISTEN
>> *.59572 *.* 0 0 49152 0 LISTEN
>> *.62834 *.* 0 0 49152 0 LISTEN
>> *.52235 *.* 0 0 49152 0 LISTEN
>> *.61644 *.* 0 0 49152 0 LISTEN
>> *.41538 *.* 0 0 49152 0 LISTEN
>> ...
>>
>> Lotsa ephemeral open ports listening on all interfaces! After a
>> little scripting around pfiles this is what I get:
>>
>> ...
>> sockname: AF_INET 0.0.0.0 port: 64093
>> moinakg 575 1 0 19:37:27 ? 0:01 /usr/lib/gconfd-2 13
>> sockname: AF_INET 0.0.0.0 port: 36067
>> moinakg 600 1 0 19:37:30 ? 0:01 gnome-panel --sm-client-id default1
>> sockname: AF_INET 0.0.0.0 port: 54098
>> moinakg 597 1 1 19:37:29 ? 0:05 /usr/bin/metacity --sm-client-id=default0
>> sockname: AF_INET 0.0.0.0 port: 39114
>> moinakg 589 1 0 19:37:28 ? 0:00 /usr/lib/gnome-settings-daemon
>> sockname: AF_INET 0.0.0.0 port: 53776
>> moinakg 602 1 0 19:37:30 ? 0:01 nautilus --no-default-window --sm-client-id default2
>> sockname: AF_INET 0.0.0.0 port: 36926
>> moinakg 604 1 0 19:37:30 ? 0:00 /usr/lib/bonobo-activation-server --ac-activate --ior-output-fd=19
>> sockname: AF_INET 0.0.0.0 port: 55694
>> moinakg 615 1 0 19:37:32 ? 0:04 /usr/lib/wnck-applet --oaf-activate-iid=OAFIID:GNOME_Wncklet_Factory --oaf-ior-
>> sockname: AF_INET 0.0.0.0 port: 33261
>> moinakg 611 1 0 19:37:30 ? 0:00 /usr/lib/gnome-volume-manager --sm-disable
>> sockname: AF_INET 0.0.0.0 port: 58907
>> moinakg 610 1 0 19:37:30 ? 0:00 /usr/lib/gnome-vfs-daemon
>> sockname: AF_INET 0.0.0.0 port: 62834
>> moinakg 625 1 0 19:37:32 ? 0:00 /usr/lib/trashapplet --oaf-activate-iid=OAFIID:GNOME_Panel_TrashApplet_Factory
>> sockname: AF_INET 0.0.0.0 port: 52235
>> sockname: AF_INET 0.0.0.0 port: 0
>> moinakg 617 1 0 19:37:32 ? 0:03 /usr/lib/gnome-netstatus-applet --oaf-activate-iid=OAFIID:GNOME_NetstatusApplet
>> sockname: AF_INET 0.0.0.0 port: 61644
>> moinakg 619 1 0 19:37:32 ? 0:03 /usr/lib/mixer_applet2 --oaf-activate-iid=OAFIID:GNOME_MixerApplet_Factory --oa
>> sockname: AF_INET 0.0.0.0 port: 53715
>> moinakg 621 1 0 19:37:32 ? 0:01 /usr/lib/clock-applet --oaf-activate-iid=OAFIID:GNOME_ClockApplet_Factory --oaf
>> sockname: AF_INET 0.0.0.0 port: 59572
>> moinakg 623 1 0 19:37:32 ? 0:00 /usr/lib/notification-area-applet --oaf-activate-iid=OAFIID:GNOME_NotificationA
>> ...
>>
>> All the GNOME applets are listening on open ports. I wonder what
>> could be the purpose. But this appears to undermine the Secure By
>> Default requirement of not listening by default on the external
>> interface.
>>
>> Regards,
>> Moinak.
>>
>> _______________________________________________
>> desktop-discuss mailing list
>> desktop-discuss at opensolaris.org
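The thread mentions two checks without showing them: the "scripting around pfiles" that maps each wildcard-bound port back to a process, and the /etc/orbitrc settings Brian Cameron describes (ORBIIOPIPv4=1 opens the TCP ports, ORBLocalOnly=1 makes ORBit reject non-local peers while the ports stay open). The script below is an added example written for this page, not Moinak's script and not part of the ORBit2 or JDS code: `wildcard_sockets` parses pfiles(1) output and prints only sockets bound to 0.0.0.0 or ::, `orbit_mode` classifies an orbitrc file by those two settings, and `audit_live` feeds your own processes' pfiles output through the parser (Solaris only, since pfiles is a Solaris tool). All function names are hypothetical, and the pfiles excerpt embedded for offline runs is constructed: the two wildcard listeners reuse PIDs and ports from Moinak's output, the 127.0.0.1 daemon stands in for the localhost-only binding he describes for SMC.

```shell
#!/bin/sh
# Added example for this thread, not Moinak's script: find wildcard-bound
# sockets in pfiles(1) output and classify /etc/orbitrc. Names are
# hypothetical; SAMPLE_PFILES is constructed data for offline runs.

# Print "PID PORT COMMAND" for every AF_INET/AF_INET6 socket whose local
# address is the wildcard (0.0.0.0 or ::), i.e. reachable on every interface.
# Reads concatenated pfiles(1) output on stdin.
wildcard_sockets() {
    awk '
        # Process header, e.g. "575:   /usr/lib/gconfd-2 13" (no leading blank).
        /^[0-9]+:[ \t]/ {
            pid = $1; sub(/:$/, "", pid)
            cmd = $0; sub(/^[0-9]+:[ \t]+/, "", cmd)
            next
        }
        # Socket name line, e.g. "sockname: AF_INET 0.0.0.0  port: 64093".
        /sockname: AF_INET6? / {
            addr = $3; port = $NF
            if (addr == "0.0.0.0" || addr == "::")
                printf "%s %s %s\n", pid, port, cmd
        }
    '
}

# Classify an orbitrc file by the two settings discussed in the thread:
#   ipv4-open       IPv4 listeners and no LocalOnly: remote peers accepted
#   ipv4-localonly  IPv4 listeners, non-local peers rejected (ports still open)
#   no-ipv4         ORBIIOPIPv4 not enabled: no TCP listeners from ORBit
#   missing         file absent or unreadable
orbit_mode() {
    rc="${1:-/etc/orbitrc}"
    [ -r "$rc" ] || { echo missing; return 0; }
    if grep -q '^ORBIIOPIPv4=1' "$rc"; then
        if grep -q '^ORBLocalOnly=1' "$rc"; then echo ipv4-localonly; else echo ipv4-open; fi
    else
        echo no-ipv4
    fi
}

# Live audit of your own processes (Solaris: pfiles(1) must exist).
audit_live() {
    for pid in $(ps -u "$(id -un)" -o pid=); do
        pfiles "$pid" 2>/dev/null
    done | wildcard_sockets
}

# Constructed pfiles(1) excerpt: two wildcard listeners plus a hypothetical
# daemon bound to 127.0.0.1 only (the SMC-style fix), which must not be reported.
SAMPLE_PFILES=$(cat <<'EOF'
575:    /usr/lib/gconfd-2 13
  Current rlimit: 256 file descriptors
   0: S_IFCHR mode:0666 dev:270,0 ino:6815752 uid:0 gid:3 rdev:13,2
      O_RDWR
      /devices/pseudo/mm@0:null
  11: S_IFSOCK mode:0666 dev:276,0 ino:38273 uid:0 gid:0 size:0
      O_RDWR|O_NONBLOCK
        SOCK_STREAM
        SO_SNDBUF(49152),SO_RCVBUF(49152)
        sockname: AF_INET 0.0.0.0  port: 64093
600:    gnome-panel --sm-client-id default1
  Current rlimit: 256 file descriptors
   9: S_IFSOCK mode:0666 dev:276,0 ino:38301 uid:0 gid:0 size:0
      O_RDWR|O_NONBLOCK
        SOCK_STREAM
        SO_SNDBUF(49152),SO_RCVBUF(49152)
        sockname: AF_INET 0.0.0.0  port: 36067
  12: S_IFSOCK mode:0666 dev:276,0 ino:38355 uid:0 gid:0 size:0
      O_RDWR
        SOCK_STREAM
        sockname: AF_INET 127.0.0.1  port: 40210
        peername: AF_INET 127.0.0.1  port: 64093
4242:   /opt/example/bin/localonly-daemon
  Current rlimit: 256 file descriptors
   7: S_IFSOCK mode:0666 dev:276,0 ino:38410 uid:0 gid:0 size:0
      O_RDWR|O_NONBLOCK
        SOCK_STREAM
        sockname: AF_INET 127.0.0.1  port: 6789
EOF
)

case "${1:-}" in
    --live) audit_live ;;
    *)      printf '%s\n' "$SAMPLE_PFILES" | wildcard_sockets ;;
esac
```

Run with no arguments to see the parser pick out the two wildcard listeners from the constructed excerpt, or with `--live` on a Solaris desktop to audit your own session; `orbit_mode /etc/orbitrc` tells you whether ORBit is in the mode Brian describes. Note that `ipv4-localonly` is exactly the state Moinak's netstat shows: the ports answer on every interface and only the application-level check turns remote peers away, so a scan from another host will still list them as open.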
