Re: CDE Without ToolTalk?

From: Jon DeShirley (jond@csds.uidaho.edu)
Date: 09/08/02


Date: Sun, 8 Sep 2002 14:27:27 -0700 (PDT)
From: Jon DeShirley <jond@csds.uidaho.edu>
To: cjclark@alum.mit.edu

On Thu, 5 Sep 2002, Crist J. Clark wrote:

> But the admins really don't like that since it breaks CDE. I don't
> like being stuck at the console prompt with one shell either. I
> wouldn't think it would be a lot to ask to just have a windowing
> environment so we can have multiple ttys going at once, but not have
> all of the extra network services like the dreaded ToolTalk server.

Since some of my users like to run CDE on their workstations, I have to do
some amount of hardening on them. The first step I take is installing
YASSP on the systems (http://www.yassp.org). Then I go back through and
re-enable ttdb and various other services that the particular user wants.

Part of YASSP installs TCP wrappers (tcpd and an rpcbind linked to
libwrap), so I configure the /etc/hosts.allow to allow all from localhost
and deny the rest, so the services are essentially blocked.
/etc/inetd.conf has to be modified to use the wrappers, and you need to
confirm /etc/init.d/rpc is using WVrpcbind. The final change is in
/etc/yassp.conf, where you enable the startup for all the services you
want, since YASSP changes all the files in /etc/init.d to look to the
configuration file before starting the service.

I know a lot of people frown on pre-canned scripts to do the hardening for
them, opting to do it all by hand, but YASSP really shortens the amount of
time you have to spend doing it. Most people, if they do a lot of Solaris
installs, like, say, in a lab, have a script they've written to do it anyway.

Anyway, I hope this helps.

--jon
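An added check, not part of Jon's mail or of YASSP, for the inetd.conf step described above: it lists services still launched directly instead of through tcpd, and reports RPC entries separately since those depend on the libwrap-linked rpcbind rather than tcpd. The sample inetd.conf and its paths are constructed for illustration.

```shell
#!/bin/sh
# Audit an inetd.conf for services not launched through tcpd.
# Solaris inetd.conf fields: service socket proto wait user server [args...]

# Constructed sample (not a real system's file); paths are illustrative.
SAMPLE_INETD_CONF='
# telnet and finger below are still unwrapped
ftp       stream  tcp      nowait  root    /usr/sbin/tcpd               in.ftpd
telnet    stream  tcp      nowait  root    /usr/sbin/in.telnetd         in.telnetd
finger    stream  tcp      nowait  nobody  /usr/sbin/in.fingerd         in.fingerd
100083/1  tli     rpc/tcp  wait    root    /usr/dt/bin/rpc.ttdbserverd  rpc.ttdbserverd
'

# Print the names of tcp/udp services whose server program is not tcpd.
# Usage: list_unwrapped "$(cat /etc/inetd.conf)"
list_unwrapped() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || NF < 6 { next }   # skip comments and blank lines
    $3 ~ /^rpc\//              { next }   # RPC entries handled separately
    $6 !~ /\/tcpd$/            { print $1 }'
}

# Print the RPC services (proto rpc/tcp or rpc/udp); access control for
# these comes from the libwrap rpcbind, so they are reported, not flagged.
list_rpc() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || NF < 6 { next }
    $3 ~ /^rpc\//              { print $1 }'
}

# Human-readable summary for running the script stand-alone.
report() {
  echo "Services launched without tcpd:"
  list_unwrapped "$1" | sed 's/^/  /'
  echo "RPC services (rely on libwrap rpcbind and hosts.allow/hosts.deny):"
  list_rpc "$1" | sed 's/^/  /'
}

report "$SAMPLE_INETD_CONF"
```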