Sunday, May 11, 2008

Least Bit Server Installs - What NOT to do

Wow - I thought that this kind of crud had been eliminated years ago.

I did a live upgrade of my home office Solaris 10 server to the latest release (05/08), created a new zone, booted it and found:

online         May_10   svc:/network/finger:default
online         May_10   svc:/network/rpc/rusers:default
online         May_10   svc:/network/login:rlogin


rlogin? finger? rusers? Is it 1995 all over again? I quit using them a decade ago.

So I did a little digging. The global zone still has the SUNWrcmds package, and that package got rolled into the new zone. The actual commands were disabled on the global zone years ago, back when this was a Solaris 8 server, but they were never uninstalled. The new zone inherited the package, but instead of staying disabled, the services ended up enabled in the service framework on the new zone.

This is a classic example of why dead software needs to get uninstalled, not just disabled. I've seen ghosts from the past come back to haunt me more than once.
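A check like the following can be run against every newly created zone to catch this. It is an added example, not part of the original post: the function names and the sample listing are constructed, and the FMRI patterns are only the three that appear in the svcs output above.

```shell
#!/bin/sh
# Added example: flag legacy cleartext services that are online in a zone.
# Input on stdin: `svcs` output, either the default "STATE STIME FMRI"
# columns or the two-column "-o state,fmri" form.

# FMRI patterns taken from the svcs output in the post; extend for your site.
is_legacy_fmri() {
    case "$1" in
        svc:/network/finger:*|svc:/network/rpc/rusers:*|svc:/network/login:rlogin)
            return 0 ;;
    esac
    return 1
}

# Prints one FMRI per line for every legacy service whose state is "online".
# The FMRI is always the last column, so both input forms are handled.
flag_legacy_online() {
    awk '$1 == "online" { print $NF }' |
    while read -r fmri; do
        if is_legacy_fmri "$fmri"; then
            echo "$fmri"
        fi
    done
}

# Constructed sample: the three lines from the post plus two other services.
sample_svcs_output() {
    cat <<'EOF'
STATE          STIME    FMRI
online         May_10   svc:/network/ssh:default
online         May_10   svc:/network/finger:default
online         May_10   svc:/network/rpc/rusers:default
online         May_10   svc:/network/login:rlogin
disabled       May_10   svc:/network/telnet:default
EOF
}

# On a live system the input would come from the zone itself, e.g.
#   zlogin <zonename> svcs -H -o state,fmri | flag_legacy_online
sample_svcs_output | flag_legacy_online
```

Anything it prints is a candidate for `svcadm disable` inside the zone until the package itself can be removed.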

Read the Least Bit Principle. Then do as I say, not as ( ...cough.... ahem...) I do.

Unfortunately, in this case, it looks like Sun has those long-dead-obsolete-unsecure-replaced-by-SSH commands packaged up with enough dependencies that I'm not sure I'll be able to remove them cleanly.

--Mike


