From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from felloff.net ([199.191.58.38]) by pp; Thu May 21 05:18:43 EDT 2015
Message-ID: <85f8a75eea83641e8420c503a03795cb@felloff.net>
List-ID: <9front.9front.org>
X-Glyph: ➈
X-Bullshit: basic distributed persistence SOAP over TOR realtime-java DOM control
Date: Thu, 21 May 2015 11:18:27 +0200
From: cinap_lenrek@felloff.net
To: 9front@9front.org
Subject: Re: [9front] proposal: disable most of /rc/bin/services/tcp* by default
In-Reply-To: <9501acf0d1f59f958a12fcb0aaba3371@u2.sfldmibb.det.wayport.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

I was not suggesting to not remove these standard services in the default configuration. I wanted to understand what the [security] gain is here, and if removing these service scripts wouldn't make things worse.

This is a cpu server, there will be at least *one* service listening (cpu). If your intent is to waste system resources, then you can as well use the cpu service for that, it makes no difference what port you use. I know that disabling services is common wisdom, but this is not unix.

Then there's another aspect that's different from unix: There are no privileged ports. Any user can listen on any port as long as it is not in use already. Say, none starting to listen on dns/tcp port because someone forgot to rename the listener for that after setting up dns service. This can have consequences far worse as it could then poison dns caches and redirect all traffic to some other machine.

--
cinap