[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: avahi-daemon

I don't think so.

Are you god?

Even if the administrator makes mistakes and does not check what gets
installed the system should
be designed save.

In this case you are doing the same mistakes Microsoft did with Windows
all the time:
default installation comes with a 'strange' service (that nobody needs,
therefore nobody knows) sitting somewhere around and listening on ALL
interfaces. This is the reason why all these worms, i.e. MS Myblast,
owned all the systems. And this is paranoid?

In general a non-localhost interface is a security problem thus don't
open ports by default esspecially if this is some strange thing coming
'hidden' as a suggested pkg of a normal program.

An installation system should be responsible for the unexperienced users
as well. An experienced user will know how to activate this thing while
the unexperienced user is not even aware of this problem.

I suggest the pkg promts with something like "xyz is a service that does blah blah,
... For most users this service should bind only to a local area network
and not to the internet. (If you need this service at all) Do you want
to bind to all interface?" - with no as default!


 (btw. i found it so don't blame me with your argument)

Daniel Givens schrieb:

>The package maintainer has a point that an mDNS daemon would be pretty
>pointless if it only bound to lo. I think it is more the
>responsibility of the administrator to know what is going on his
>system. If you are so worried about security, then why not check out
>those NINE new Avahi packages when apt says they are going to be
>installed? If you miss it there, it is very prominently displayed on
>startup that the Avahi daemon is starting. "Oh noes! I'd better stop
>that and figure out exactly what it is." If you interested in a
>security report on Avahi, Ubuntu has one here.
>
>https://wiki.ubuntu.com/MainInclusionReportAvahi
>
>This is a service aimed at desktop use. If you're worried about it
>getting installed on a server, then you shouldn't be installing a
>music player on it either. You're contradicting yourself on your
>levels of paranoia.
>
>
>
>On 2/22/06, aliban <aliban@gmx.net> wrote:
>  
>
>>Hi,
>>
>>as the package maintainer seems to ignore my complaint I forward the discussion to debian-user mailing list.
>>
>>On debian testing the rhythmbox suggested to install the avahi-daemon that listens on all interfaces by default.
>>
>>I think this kind of install behaviour is insecure even if the package maintainer does not agree.
>>
>>In short I think: even if the user "should know what he is doing" when he updates his system it is not a secure design for packages to start listening on all interfaces by default without prompting AND warning the user. It is not sufficient to mention this behaviour somewhere in the package description as many packages come as a dependency or as a suggested package; users wont read every package description of every package they install, especially if they come as a suggested package or dependency.
>>
>>best regards.
>>
>>
>>Sjoerd Simons schrieb:
>>
>>
>>
>>
>>    
>>
>>>>>>>>>>On Mon, Feb 20, 2006 at 11:22:29PM +0100, Aliban wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>                    
>>>>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>            
>>>>>>
>>>>
>>>>
>>>>        
>>>>
>>>      
>>>
>>>>>>>>>>>>>>>>>>Package: avahi-daemon
>>>>>>>>>>>>>>>>>>Version: 0.6.6-1
>>>>>>>>>>>>>>>>>>Severity: normal
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>I don't know why this pkg was installed in my testing. For sure I did not
>>>>>>>>>>>>>>>>>>install it directly, maybe it was some strange dependency from something?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>                                    
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>No strange dependencies. You probably got it because rhythmbox recommends it.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>                    
>>>>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>            
>>>>>>
>>>>
>>>>
>>>>        
>>>>
>>>      
>>>
>>Yes, I think that was the reason.
>>
>>
>>
>>
>>    
>>
>>>>>>>>>>>>>>>>>>Anyway, this thing listens on all interfaces by default. I think this design
>>>>>>>>>>>>>>>>>>is insecure. It should bind to localhost only (ok, this might not make sense
>>>>>>>>>>>>>>>>>>for such a service) OR it should ask the user for the interfaces it binds to.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>                                    
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>Uhm, yeah, well, an mDNS daemon that only listens on lo is completely useless.
>>>>>>>>>>If you would looked a little bit further you might have seen that the daemon
>>>>>>>>>>runs as a unprivileged user, version 0.6.6-2 of the package even runs in a
>>>>>>>>>>minimal chroot environment, so it's actually quite secure by design.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>                    
>>>>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>            
>>>>>>
>>>>
>>>>
>>>>        
>>>>
>>>      
>>>
>>I don't doubt that it has a quite secure design. Anyway, as soon as
>>something starts listening on the network this is a potential security
>>hole. In contrast to applications that are only contacting the internet
>>"on user's demand" (in example a webbrowser, email client or instant
>>messenger) this thing is always on and not depending on additional user
>>interaction, therefore it is a different level of 'taking care'.
>>
>>
>>
>>
>>    
>>
>>>>>>>>>>                    
>>>>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>            
>>>>>>
>>>>
>>>>
>>>>        
>>>>
>>>      
>>>
>>>>>>>>>>>>>>>>>>Please change the installer's  behaviour.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>                                    
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>If you don't want it, purge it from your system. Afaik everything that doesn't
>>>>>>>>>>directly need it only recommends it. Closing this bug
>>>>>>>>>>
>>>>>>>>>> Sjoerd
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>                    
>>>>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>            
>>>>>>
>>>>
>>>>
>>>>        
>>>>
>>>      
>>>
>>I did not have problems to remove it from the system, I just wonder why
>>something gets installed and opens a port and starts listening to all
>>interfaces without asking me, esspecially if I did not directly ask for
>>this program. Do you really expect all users to read every line of every
>>program description? When you install Adobe or Java from sun, did you
>>read every single word in the license? Would you like it if Adobe just
>>opens some 'obscure' service listening on all interfaces?
>>
>>Of course it does not make sense to install this daemon and listen only
>>on local host. Maybe the maybe the recommending should be removed but
>>this is another thing...
>>
>>Anyway, all I think is that users should be prompted (in example as
>>portmap does it).
>>
>>I suggest you add something like "xyz is a service that does blah blah,
>>... For most users this service should bind only to a local area network
>>and not to the internet. (If you need this service at all) Do you want
>>to bind to all interface?" - with no as default!
>>
>>I would be very happy if you can add such a thing.
>>
>>What do you think?
>>
>>Edrin
>>
>>
>>
>>
>>
>>
>>-- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a
>>subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>>
>>
>>--
>>To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
>>with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>>
>>
>>    
>>
>
>
>  
>
Reply to: