[plug] fam explained: don't panic!

Chris Caston caston at arach.net.au
Sat Nov 22 07:54:57 WST 2003


Thanks Mate,

I still have a feeling I should rebuild this machine just in case, or at
least make it an LTSP client on the Athlon 2000 box I picked up a few days ago.

regards,

Chris

On Sat, 2003-11-22 at 00:46, Cameron Patrick wrote:
> On Fri, Nov 21, 2003 at 11:24:13PM +0800, Chris Caston wrote:
> 
> | > > I seem to have famd running which apparently keeps track of when there
> | > > are changes in the file system. It has worrying options in /etc/fam.conf
> | > > like:
> | > > 
> | > > insecure_compatibility = false
> | > > local_only = false
> | > > untrusted_user = nobody
> | > > 
> | > > I have no idea where else this could have come from.
> | > 
> | > What are you saying? Is this part of the Debian thread at all? Are you
> | > talking about your own machine? Did you install famd yourself or are you
> | > saying it doesn't belong to any package and you don't remember
> | > installing it yourself?
> | > 
> | 
> | Yeah that one. I'd never heard of it before and I think it might be sus.
> 
> I think it's perfectly normal.  It's used by KDE and GNOME, amongst
> others, to receive notifications when the contents of a directory
> change, allowing them to automatically refresh the contents of a
> Konqueror window or whatever.  'man fam' describes it as a 'file
> alteration monitor', and gives a list of possible security issues it may
> cause.
> 
> I also have an /etc/fam.conf; it is dated 14 October 2003, and contains
> the same three options that you thought were worrying.  I have also not
> installed any Debian packages in the last few days, so if it is due to a
> compromise, it wasn't the compromise of the Debian machines that you
> mentioned earlier.
> 
> After reading the descriptions of the options in the man page, the
> options sound like reasonable defaults - except perhaps 'local_only =
> false', which allows other machines to connect to the FAM services.
> OTOH because 'insecure_compatibility' is turned off, they would have to
> have a valid login and password on your machine to connect; even after
> connecting, all it would allow someone to do is obtain a list of files
> in some arbitrary directory (but not file contents!).
> 
> As James suggested, 'apt-cache showpkg fam' will give you a list of some
> packages which use fam.  More packages, however, link to fam as a
> library; 'apt-cache showpkg libfam0c102' (on sid) or 'apt-cache showpkg
> libfam0' (on woody) will give you a much longer list.
> 
> If you /are/ feeling paranoid, the chances are you can just 'apt-get
> remove fam' without causing major damage to your system.  KDE and GNOME
> both only require the fam library, not the daemon itself, although it
> is pulled in by the gnome-core metapackage (i.e. not a real package,
> just a list of Depends: that get you a working GNOME system) - so the
> chances are, it came when you installed GNOME.  If you remove it, of
> course, your file manager folder lists won't automatically refresh when
> directory contents change.
> 
> Cameron.
> 
> 
> _______________________________________________
> plug mailing list
> plug at plug.linux.org.au
> http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
> 
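
As an added example (not part of the original thread or of the fam package), here is a small shell check for the two settings the reply above singles out: `local_only` and `insecure_compatibility`. The function names are hypothetical, and it assumes `#` starts a comment line, that the last assignment of an option wins, and that an unset `local_only` is worth flagging.

```shell
#!/bin/sh
# Added example: flag the fam.conf settings the thread identifies as exposure.
# Assumptions: '#' starts a comment line; the last assignment of an option wins.

# fam_conf_get FILE KEY: print the value assigned to KEY (empty if unset).
fam_conf_get() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        {
            k = $1; v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# audit_fam_conf FILE: print findings; exit status is the number of findings.
audit_fam_conf() {
    local_only=$(fam_conf_get "$1" local_only)
    insecure=$(fam_conf_get "$1" insecure_compatibility)
    findings=0
    if [ "$local_only" != "true" ]; then
        echo "WARN local_only=${local_only:-unset}: other machines may connect to FAM"
        findings=$((findings + 1))
    fi
    if [ "$insecure" = "true" ]; then
        echo "WARN insecure_compatibility=true: clients need no valid login"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: no remote exposure flagged"
    return "$findings"
}

# Constructed sample: the three options quoted in the thread.
sample=$(mktemp)
printf '%s\n' 'insecure_compatibility = false' 'local_only = false' \
    'untrusted_user = nobody' > "$sample"
audit_fam_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run against the real file with `audit_fam_conf /etc/fam.conf`; the sample from the thread yields one finding, for `local_only = false`.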
