On Tue, Oct 21, 2008 at 02:57:02AM -0700, Tony Nguyen wrote:
> > usr/src/cmd/ssh/etc/sshd:
> >
> > create_ipf_rules() is too simple. Multiple Port entries are
> > allowed in sshd_config, and they can also be specified in
> > ListenAddress entries.
>
> You're quite right, multiple port entries should be supported.
>
> On the other hand, I'd like to defer ListenAddress support for a future
> rfe since most users don't modify ListenAddress entries. Is that reasonable?

Sounds OK to me.

> > Slightly uncomfortable just sleeping for one second without
> > rechecking.
>
> Yes, I don't like the wait myself. However, in my testing, 1 second is
> sufficient so if mountd hasn't come up then there may be a problem. In
> the case that mountd didn't start, the /usr/lib/servinfo will not return
> any port so we simply don't generate any rules for mountd.

Fair enough. Presumably SMF will restart the service in the case that
mountd failed anyway.

> > usr/src/cmd/ipf/svc/ipfd.c
> >
> > Lines 537-543: That looks like a syslog entry that hasn't been
> > finished. Is this just going to write "fmri: svc://network/rpc/bind"
> > or whatever to a logfile? Won't that be confusing? Why not just
> > do nothing?
>
> Yes, it can be removed but may serve some debugging purposes. How about
> something like:
>
> /*
>  * Service, instance, or pg deleted.
>  */
> syslog(LOG_DEBUG | LOG_DAEMON, "Deleted: %s", fmri);

Both the comment and the log entry give the impression that ipfd deleted
it. I think you'd probably want to avoid that.

Cheers,

Ceri
--
That must be wonderful! I don't understand it at all.
-- Moliere
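As an added illustration of the create_ipf_rules() point raised above (this is example code, not the OpenSolaris sshd method script), the following sh functions collect every port sshd will listen on from a sshd_config file, honouring multiple Port lines and, going beyond what the thread settles on, ports carried in ListenAddress entries. The ipfilter rule text is constructed for the example and is not the format ipfd writes; the config file path is the caller's.

```shell
#!/bin/sh
# sshd_ports CONFIG: print each distinct TCP port sshd listens on, one per
# line, sorted. Handles multiple "Port" lines, "ListenAddress host:port",
# "ListenAddress [v6addr]:port", and "ListenAddress host" (no port, so it
# falls back to the Port entries). Keywords are case-insensitive and "#"
# comments are ignored, as sshd does. Defaults to 22 when nothing is set.
sshd_ports() {
    cfg=$1
    sed -e 's/#.*//' "$cfg" | awk '
        tolower($1) == "port" { ports[$2] = 1; next }
        tolower($1) == "listenaddress" {
            a = $2
            # [v6addr]:port form: strip everything up to "]:".
            if (a ~ /^\[/ && a ~ /]:[0-9]+$/) {
                sub(/^.*]:/, "", a); ports[a] = 1
            }
            # host:port form (no colon in the host part, so a bare
            # IPv6 address such as ::1 is not mistaken for host:port).
            else if (a ~ /^[^:]+:[0-9]+$/) {
                sub(/^.*:/, "", a); ports[a] = 1
            }
        }
        END {
            n = 0
            for (p in ports) n++
            if (n == 0) print 22
            else for (p in ports) print p
        }' | sort -n
}

# create_ipf_rules CONFIG: emit one constructed ipfilter "pass" rule per
# port so that every configured sshd listener is allowed through, not
# only the first Port line.
create_ipf_rules() {
    sshd_ports "$1" | while read -r port; do
        printf 'pass in quick proto tcp from any to any port = %s keep state\n' "$port"
    done
}
```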