Safe to disable NetInfo?
Junior Member
Join Date: Nov 2003
Jun 23, 2004, 07:16 AM
 
Hi guys,

I would like to ask whether it is safe to disable the NetInfo server from /etc/hostconfig. What would that mean? I have no idea what netinfo is used for anyway...

Many thanks in advance,
nmk
     
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Jun 23, 2004, 07:20 AM
 
Why do you want to disable it? Is the NetInfo database causing problems or something?
     
_nmk  (op)
Junior Member
Join Date: Nov 2003
Jun 23, 2004, 07:26 AM
 
I do not like having extra daemons running. Plus, I don't know what it is for.
     
Occasionally Useful
Join Date: Jun 2001
Location: Liverpool, UK
Jun 23, 2004, 07:37 AM
 
Originally posted by _nmk:
I do not like having extra daemons running. Plus, I don't know what it is for.
haha, good luck with the rest of the answers you get, after that.
"Have sharp knives. Be creative. Cook to music" ~ maxelson
     
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Jun 23, 2004, 07:40 AM
 
Originally posted by _nmk:
I do not like having extra daemons running. Plus, I don't know what it is for.
NetInfo is Mac OS X's central database of user accounts, groups, passwords, printers, computers, etc. etc... I would HIGHLY suggest not to disable it...
     
Senior User
Join Date: Jan 2001
Jun 23, 2004, 10:33 AM
 
..unless you like install sessions that is.
     
Clinically Insane
Join Date: Nov 1999
Jun 23, 2004, 11:52 AM
 
Don't do it; it's still needed for things like user databases and such. Apple has deprecated NetInfo, and is in the process of switching all of its functions over to other methods, such as LDAP. However, that process is not yet complete.

By the way, you state that you "don't like having extra daemons running": out of curiosity, why is this?
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
_nmk  (op)
Junior Member
Join Date: Nov 2003
Jun 23, 2004, 02:02 PM
 
Originally posted by Millennium:
By the way, you state that you "don't like having extra daemons running": out of curiosity, why is this?
(The 1656 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
111/tcp open rpcbind
669/tcp open unknown
1033/tcp open netinfo


It is possible that these can only be seen from my machine, but I am concerned still.
     
Addicted to MacNN
Join Date: Mar 2000
Location: London, UK
Jun 23, 2004, 02:46 PM
 
Originally posted by _nmk:
It is possible that these can only be seen from my machine, but I am concerned still.
OH NO! LISTENING ON 3 PORTS LOCALLY! WHAT AM I TO DO?!?!?!

Seriously, this is not a problem. You want NetInfo, trust us. You can actually disable NetInfo, but it's more complicated than just stopping the daemon from launching, and will probably break things (it's generally expected to be running).
     
Mac Elite
Join Date: Oct 2000
Location: Seattle
Jun 24, 2004, 08:49 PM
 
NetInfo is a major system component. You are getting some flippant answers because the question is like:

Can I throw the /Library folder out?

In the utilities folder there is an app called NetInfoManager. You can use it to see what NetInfo stores.
     
Mac Elite
Join Date: Oct 2000
Location: Amboy Navada, Canadia.
Jun 27, 2004, 02:28 AM
 
Wow, quit railing on the guy for wanting to get info on and disable possibly unnecessary daemons. I don't see a problem with it, he's doing the correct thing. Unnecessary things use resources and add vectors for security risks, as shown by what seems to be open ports.

Best to leave NetInfo as said above. There are a few daemons running on my machine that a Google search got no hits a while after I first installed Panther; I understand where you're coming from.

This insanity brought to you by:
The French CBC, driving antenna users mad since 1937.
     
Addicted to MacNN
Join Date: Mar 2000
Location: London, UK
Jun 27, 2004, 04:28 AM
 
Originally posted by yukon:
Wow, quit railing on the guy for wanting to get info on and disable possibly unnecessary daemons. I don't see a problem with it, he's doing the correct thing. Unnecessary things use resources and add vectors for security risks, as shown by what seems to be open ports.
No. If you don't know what it does, you don't know whether it's necessary or not, so the idea of "let's see if I can disable it" is not a healthy one. OS X has lots of daemons running under NORMAL USAGE, it's not always immediately appropriate what they do. If you deliberately go in and disable these with the idea of "reducing resource usage" (come on, netinfod is hardly consuming oodles of CPU cycles) you can (and probably will) fsck yourself over.

As far as "adding vectors for security risks" goes, NetInfo only listens for LOCAL connections. No remotely exploitable security holes here, move along now.
     
_nmk  (op)
Junior Member
Join Date: Nov 2003
Jun 27, 2004, 04:33 AM
 
Originally posted by Angus_D:
No. If you don't know what it does, you don't know whether it's necessary or not, so the idea of "let's see if I can disable it" is not a healthy one.
That's why I asked here, instead of disabling it. Now I know better.
     
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Jun 27, 2004, 08:38 AM
 
Originally posted by _nmk:
That's why I asked here, instead of disabling it. Now I know better.
Also, for future reference, it is pretty much useless to scan (looks like you used nmap) your machine from that same machine. Such an internal scan may show you nothing about external ports. You need to scan your machine from a separate machine on your LAN. It doesn't have to be a Mac... any machine that can run nmap or some other portscanner will do. I think you will find that the port for netinfo is not open to the outside.

About the only important thing that is exposed to the outside (outside of your machine) is port 111 (rpcbind). This is the portmapper that will map ports to services as required. You can clamp down on that even more if you like and specify that only certain IPs can connect to certain services. Read up on xinetd, portmap, hosts_equiv, and anything in the "See also:" section of their respective manpages.
-DU-...etc...
     
Mac Elite
Join Date: Oct 2000
Location: Amboy Navada, Canadia.
Jun 27, 2004, 03:45 PM
 
No. If you don't know what it does, you don't know whether it's necessary or not, so the idea of "let's see if I can disable it" is not a healthy one. OS X has lots of daemons running under NORMAL USAGE, it's not always immediately appropriate what they do.
Yeah, I guess you're right, he should have asked people who knew whether it could be disabled or not, before he made his system inoperable. Unless he did ask someone what it was, in which case I suppose we'd have no way of knowing that, so we can't answer him. I'm guessing you meant "understood", because if what they do is not appropriate, then they should be disabled.

To the guy it looked like his system may have been running an unknown and unnecessary service with ports open. Good for him for asking.
     
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Jun 27, 2004, 04:57 PM
 
Originally posted by yukon:
Yeah, I guess you're right, he should have asked people who knew whether it could be disabled or not, before he made his system inoperable. Unless he did ask someone what it was, in which case I suppose we'd have no way of knowing that, so we can't answer him. I'm guessing you meant "understood", because if what they do is not appropriate, then they should be disabled.

To the guy it looked like his system may have been running an unknown and unnecessary service with ports open. Good for him for asking.
Certainly...

Now that Apple has a Unix core system for its OS it is much more "knowable" and, arguably, more should be known about how it works... if the user is interested.

Yet... where is a user to begin?

Try 'ps aux | wc -l'; I get 55 processes. Now do 'ps aux | less'; perhaps I know a quarter to a half of what all that stuff is (cron, portmap, init...). But what about slpd, notifyd, update, ioupsd, etc...?

Take the OP question about netinfod and say he actually knew about Terminal.app and even a few Unix commands...
On my system netinfod is running like this:
netinfod -s local
Now
man netinfod
tells us nothing about the '-s local' options.
man -k netinfo
tells us nothing about '-s local' options.
sudo netinfod -h
tells us nothing about '-s local' options.

Let's try
locate netinfo
which tells us something useful...
/Developer/Documentation/DarwinCoreOS/Conceptual/howto/netinfo/netinfo.html
However... open that local html file and all it does is point to a dead link. The actual document was last updated in 2001 and looks like it is part of the X-Code tools package.

I did a search on Apple's site and there isn't much there about NetInfo and netinfod that I don't have already (mostly manpages). Nothing about the '-s local' options. Google for it and I get more useful information, none of it on Apple's site.

Even more difficult to tell from a newbie perspective why netinfod should be running at all.

Though it is a good thing that someone is trying to make their system as secure as possible, it doesn't do much good to give people portscanning tools and not also explain what is and is not "normal" to expect to find in the results. What is "normal" will vary from system to system, OS to OS, and location to location.
-DU-...etc...
     
Clinically Insane
Join Date: Nov 1999
Jun 27, 2004, 06:10 PM
 
Another thing you should know about NetInfo's ports, by the way: by default, they are configured to respond only to requests from localhost (that is, NetInfo only responds to requests from the machine it's running on). You can verify this by port-scanning your Mac from any machine other than itself. As long as you make sure that this configuration is not changed, you should be safe. You can add a second line of defense if you want, by configuring your firewall to not allow any machine other than localhost to even initiate connections to these ports. Other machines will get exactly the same response as before, but this way even if someone finds a weakness in NetInfo you'll still have the firewall protecting you until a fix can be released.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
All times are GMT -5.
All contents of these forums © 1995-2011 MacNN. All rights reserved.