On Oct 22, 2016, at 3:23 PM, K. Fossil user <ticketpersonnal-fos...@yahoo.fr> 
wrote:
> 
> 1/ As I've stated in the past according to people I do know, for security 
> reasons, inetd/xinetd is not recommended.

I just did a search for inetd at the NVD CVE search, and got nothing relevant 
to running Fossil under inetd:

https://web.nvd.nist.gov/view/vuln/search-results?query=inetd&search_type=all&cves=on

The only serious problems still extant in that search result are:

1. Stock inetd doesn’t do rate limiting and such, but xinetd does, so in that 
sense, the problem is fixed.

2. Some implementations of inetd do their own naive logging and could thus fill 
the system disk.  Again, the solution is to use xinetd, which defaults to 
syslogd, which is generally protected against that problem.

So, what security issue are you talking about?

Perhaps you have misunderstood your advisors, who are really saying that you 
shouldn’t be using in.telnetd and such any more, which are merely *associated* 
with inetd, but which are not inetd themselves.

> 2/ Xinetd is old (four years ?) so may not be secure.

Older software is often more secure than newer software, not less, being 
well-tested and well-understood.

The number of bugs in a software system is a loose function of the number of 
lines of code in that system, and of the lifetime of each line of code.  
Therefore, an old, stable system with 5 kSLOC will typically have far fewer than 
half as many bugs as a new 10 kSLOC system.

The only common exception is this recent trend of replacing old, bloated 
software that grew organically over decades with well-focused fresh 
alternatives.  (e.g. BIND vs nsd/unbound, LibreSSL vs OpenSSL, Postfix vs 
Sendmail, etc.)

xinetd is not a good example of such a system.  The only other common 
alternatives to xinetd (launchd and systemd) are even worse examples.

I am not saying that xinetd is less secure than inetd.  (It may be; I just 
don’t know, one way or the other.)  I am just telling you that the age of the 
software is a poor gauge to its security.

> 3/ And this info should definitely help :
> rc or inetd? What should I use? | The FreeBSD Forums
> 
> « Modern FreeBSD installations run separate daemons for almost every service 
> nowadays, and inetd is all but deprecated. It's probably only around for 
> historical/compatibility reasons. Starting services from /etc/rc.conf is the 
> modern FreeBSD way. »

I read that whole forum thread, and nothing in there talks about the security 
of running a service like Fossil under [x]inetd.  The responses just tell the 
original poster of that thread that *he* probably doesn’t need it.  Different 
situations get different answers.
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
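As an added illustration, not taken from the mail above or from the Fossil project, here is what the two xinetd mitigations the reply mentions (connection rate limiting and logging through syslogd) look like in an xinetd service stanza for serving Fossil over HTTP. The file path, port, user account, repository directory and limit values are assumptions chosen for the example.

```conf
# Constructed example: /etc/xinetd.d/fossil (assumed path and values)
service fossil
{
    # UNLISTED: the service is not in /etc/services, so the port is given here
    type            = UNLISTED
    port            = 8080
    socket_type     = stream
    protocol        = tcp
    # wait = no: xinetd forks one fossil process per accepted connection
    wait            = no
    # assumed unprivileged account that owns the repositories
    user            = fossil
    server          = /usr/bin/fossil
    # assumed directory of *.fossil repositories served by "fossil http"
    server_args     = http /home/fossil/repos

    # Rate limiting, which stock inetd lacks:
    # more than 25 connections per second disables the service for 30 seconds
    cps             = 25 30
    # at most 20 concurrent fossil processes in total
    instances       = 20
    # at most 5 concurrent connections from any single client address
    per_source      = 5

    # Log via syslogd (facility daemon, level info) instead of a file that
    # xinetd itself could fill up
    log_type        = SYSLOG daemon info
    log_on_success  = HOST PID DURATION
    log_on_failure  = HOST
}
```

The `instances` and `per_source` limits also bound how many `fossil http` processes a single misbehaving client can cause to run, which is the practical difference from a plain inetd entry.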
