[plug] fam explained: don't panic!

Cameron Patrick cameron at patrick.wattle.id.au
Sat Nov 22 00:46:26 WST 2003


On Fri, Nov 21, 2003 at 11:24:13PM +0800, Chris Caston wrote:

| > > I seem to have famd running which apparently keeps track of when there
| > > are changes in the file system. It has worrying options in /etc/fam.conf
| > > like:
| > > 
| > > insecure_compatibility = false
| > > local_only = false
| > > untrusted_user = nobody
| > > 
| > > I have no idea where else this could have come from.
| > 
| > What are you saying? Is this part of the Debian thread at all? Are you
| > talking about your own machine? Did you install famd yourself or are you
| > saying it doesn't belong to any package and you don't remember
| > installing it yourself?
| > 
| 
| Yeah that one. I'd never heard of it before and I think it might be sus.

I think it's perfectly normal.  It's used by KDE and GNOME, amongst
others, to receive notifications when the contents of a directory
change, allowing them to automatically refresh the contents of a
Konqueror window or whatever.  'man fam' describes it as a 'file
alteration monitor', and gives a list of possible security issues it may
cause.

I also have an /etc/fam.conf; it is dated 14 October 2003, and contains
the same three options that you thought were worrying.  I have also not
installed any Debian packages in the last few days, so if it is due to a
compromise, it wasn't the compromise of the Debian machines that you
mentioned earlier.

After reading the descriptions of the options in the man page, the
options sound like reasonable defaults - except perhaps 'local_only =
false', which allows other machines to connect to the FAM services.
OTOH because 'insecure_compatibility' is turned off, they would have to
have a valid login and password on your machine to connect; even after
connecting, all it would allow someone to do is obtain a list of files
in some arbitrary directory (but not file contents!).

As James suggested, 'apt-cache showpkg fam' will give you a list of some
packages which use fam.  More packages, however, link to fam as a
library; 'apt-cache showpkg libfam0c102' (on sid) or 'apt-cache showpkg
libfam0' (on woody) will give you a much longer list.

If you /are/ feeling paranoid, the chances are you can just 'apt-get
remove fam' without causing major damage to your system.  KDE and GNOME
both only require the fam library, not the daemon itself, although it
is pulled in by the gnome-core metapackage (i.e. not a real package,
just a list of Depends: that get you a working GNOME system) - so the
chances are, it came when you installed GNOME.  If you remove it, of
course, your file manager folder lists won't automatically refresh when
directory contents change.

Cameron.
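
An added example, not part of the original post or of the fam package: a small check that reads the three /etc/fam.conf options quoted above and reports the combinations the message treats as worth a look. The `key = value` syntax comes from the quoted lines; treating lines starting with `#` or `!` as comments, the severity labels and the function names are assumptions.

```python
# Constructed sample mirroring the settings quoted in the thread.
SAMPLE_CONF = """\
# constructed sample, not a real system's file
insecure_compatibility = false
local_only = false
untrusted_user = nobody
"""

def parse_fam_conf(text):
    """Return {option: value} from 'key = value' lines."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # assumed comment markers
            continue
        key, sep, value = line.partition("=")
        if sep:  # ignore anything that is not key = value
            options[key.strip().lower()] = value.strip()
    return options

def audit(options):
    """Return (severity, message) pairs, following the reading in the message."""
    findings = []
    for name in ("insecure_compatibility", "local_only"):
        if name not in options:
            findings.append(("info", f"{name} not set; the daemon's default "
                                     "applies (see the man page)"))
    remote = options.get("local_only", "").lower() == "false"
    insecure = options.get("insecure_compatibility", "").lower() == "true"
    if remote and insecure:
        findings.append(("high", "other machines can connect and the login "
                                 "requirement described above is switched off"))
    elif remote:
        findings.append(("review", "local_only = false: other machines can "
                                   "connect, but need a valid login; set "
                                   "local_only = true if none should"))
    elif insecure:
        findings.append(("review", "insecure_compatibility = true, although "
                                   "only local clients can connect"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(parse_fam_conf(SAMPLE_CONF)):
        print(f"[{severity}] {message}")
```

To check a real machine, pass the contents of /etc/fam.conf to `parse_fam_conf` instead of the sample.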

