Bug 42109 - Remove time protocol / service / ports
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: General
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.2
Assigned To: Arvid Requate
Janek Walkenhorst
: interim-3
Reported: 2016-08-24 15:56 CEST by Michael Grandjean
Modified: 2017-04-04 18:28 CEST
What kind of report is it?: Feature Request
Bug group (optional): External feedback, Security
Description Michael Grandjean univentionstaff 2016-08-24 15:56:10 CEST
UCS 4.1 still offers "time" on port 37, started via inetd:

> tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN      3928/inetd
> tcp6       0      0 :::37                   :::*                    LISTEN      3928/inetd

AFAIK "time" is an archaic protocol and has been superseded by ntp (port 137). We should disable the service and close the ports in univention-firewall.
Comment 1 Michael Grandjean univentionstaff 2016-11-09 20:29:57 CET
Workaround: update-inetd --remove time
Comment 2 Philipp Hahn univentionstaff 2017-02-22 12:25:26 CET
# grep -n -A1 -B1 inetd /var/lib/dpkg/info/univention-role-server-common.postinst
33-if [ "$1" = "configure" ] && dpkg --compare-versions "$2" lt 7.0.15-2; then
34:     update-inetd --remove time
35:     echo "time            stream  tcp4     nowait  root    internal" >> /etc/inetd.conf
36:     echo "time            stream  tcp6     nowait  root    internal" >> /etc/inetd.conf
37:     invoke-rc.d openbsd-inetd restart
38-fi

We simply should remove it and the firewall rule - it was explicitly added by Bug #15782 in UCS-2.3
Comment 3 Arvid Requate univentionstaff 2017-03-09 15:58:46 CET
Ok, the current "echo" code was introduced via Bug 25456 (ipv6).

Current firewall rules are from Bug 23577.

All of this is removed.

During updates univention-base-files.postinst unsets security/packetfilter/package/univention-base-files/tcp/37/all if it is still set to the default value of ACCEPT.


Package: univention-server
Version: 12.0.0-9A~4.2.0.201703091537
Branch: ucs_4.2-0

Package: univention-base-files
Version: 6.0.0-9A~4.2.0.201703091554
Branch: ucs_4.2-0

Changelog adjusted.
Comment 4 Janek Walkenhorst univentionstaff 2017-03-10 16:53:52 CET
(In reply to Arvid Requate from comment #3)
> Ok, the current "echo" code was introduced via Bug 25456 (ipv6).
> 
> Current firewall rules are from Bug 23577.
> 
> All of this is removed.
OK

> During updates univention-base-files.postinst unsets
> security/packetfilter/package/univention-base-files/tcp/37/all if it is
> still set to the default value of ACCEPT.
OK

> Package: univention-server
> Version: 12.0.0-9A~4.2.0.201703091537
> Branch: ucs_4.2-0
OK

> Package: univention-base-files
> Version: 6.0.0-9A~4.2.0.201703091554
> Branch: ucs_4.2-0
OK

> Changelog adjusted.
OK
Comment 5 Stefan Gohmann univentionstaff 2017-04-04 18:28:44 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".
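
Added example (not part of the original bug report and not Univention's code): two shell functions that check for what this bug removed, namely active "time" entries in an inetd.conf and sockets still bound to port 37 in saved `netstat -tulpn` output. The function names are hypothetical and the sample files are constructed, modelled on the lines quoted in the report.

```shell
#!/bin/sh
# Added example: audit for the RFC 868 "time" service discussed in this bug.

# Print "socktype/proto" for every active inetd.conf entry for the time service.
# Lines starting with '#' (including update-inetd's "#<off># " marker) are skipped.
active_time_entries() {
    awk '
        /^[ \t]*#/ { next }
        NF >= 6 {
            svc = $1
            sub(/^.*:/, "", svc)          # drop an optional "address:" prefix
            if (svc == "time" || svc == "37") print $2 "/" $3
        }
    ' "$1"
}

# Print "proto owner" for every socket bound to port 37 in saved
# `netstat -tulpn` output (owner is the PID/program column).
listeners_on_37() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $4 ~ /:37$/ { print $1, $NF }' "$1"
}

# Constructed sample input, modelled on the lines quoted in the report.
sample_dir=$(mktemp -d)
cat > "$sample_dir/inetd.conf" <<'EOF'
#<off># daytime        stream  tcp     nowait  root    internal
#time            dgram   udp     wait    root    internal
time            stream  tcp4     nowait  root    internal
time            stream  tcp6     nowait  root    internal
ident           stream  tcp      wait    identd  /usr/sbin/identd identd
EOF
cat > "$sample_dir/netstat.txt" <<'EOF'
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN      3928/inetd
tcp6       0      0 :::37                   :::*                    LISTEN      3928/inetd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1201/nmbd
EOF

echo "active inetd entries:"; active_time_entries "$sample_dir/inetd.conf"
echo "listeners on port 37:"; listeners_on_37 "$sample_dir/netstat.txt"
```

On a host where the fix has been applied, both functions print nothing for the live /etc/inetd.conf and current netstat output.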