Default services enabled

[Simo Sorce]

On Fri, 2011-08-19 at 17:47 +0200, Lennart Poettering wrote:
> On Fri, 19.08.11 11:03, Steve Grubb (sgrubb at redhat.com) wrote:
> 
> > 
> > On Friday, August 19, 2011 10:50:51 AM Richard Hughes wrote:
> > > On 19 August 2011 13:35, Steve Grubb <sgrubb at redhat.com> wrote:
> > > > All security guidance says turn off or get rid of avahi. We really don't
> > > > want to require it just to print.
> > > 
> > > Then "security" is flying in the face of usability.
> > 
> > Generally there is that tension. The main objections is that it makes discovering 
> > system resources easy, which in terms of security is bad. It also used to punch a hole 
> > in the firewall and add routing rules. All of this is bad for security. If you are 
> > catering to a laptop crowd that wants to share music and pictures then avahi is no 
> > concern.
> > 
> > If however you want a secure by default server OS, then avahi needs to default to 
> > disabled. The concern is when its allowed by default, then people might start relying 
> > on it to the extent that its impossible to remove later. For example, cups is used as 
> > part of the LSPP certification. People running in a LSPP configuration would be horrified 
> > to know avahi is now required for printing top secret documents.
> 
> Well, I think Fedora is more interested in real-life users than
> synthetic certifications.

Well, no, those certifications are used to give guideliness to people
that have to work in security sensitive settings, and I am sure many
Fedora users do care about security, some chose Fedora above other
because it is the only one that has decent SELinux policies beyond RHEL
to date.

> Also, running Avahi is probably a lot safer than CUPS. Don't forget that
> Avahi is pretty much the only service in a default Fedora install that
> chroot()s by default. On top of that it drops privileges and uses
> capabilities and resource limits to minimize what it can do. It has been
> doing pretty elaborate privilege separation since shortly after its
> inception. It has been doing that since a long long time, much longer
> than almost any other standard component of our Linux system. In fact I
> am always a bit disapointed that it still is the only default component
> that chroot()s. (Oh wait, there's another one now, rtkit, written by the
> same smart guy).

Avahi daemon security itself is not being questioned. It's the whole
protocol that is a huge security concern, given there is no verification
that the information you are getting is "true".

Avahi enables hosts to announce themselves with whatever name they want.
Just like netbios used to do. Which has serious implications about name
resolution in the system when stuff like mdns4_minimal is forcibly
installed *and* configured in Fedora. (I just discovered that after the
last few months of upgrades my machine agains has mdns4_minimal for the
hosts database line even though I explicitly commented it out for
example).

> CUPS otoh runs with root privileges, no chroot, no dropped
> capabilities. If you manage to exploit CUPS you own the system. If you
> manage to exploit Avahi you are trapped in an unprivileged chroot
> container, with no ability to even create a file.
> 
> By disabling the native service discovery protocol in CUPS and moving
> that into Avahi you hence get a substantial security benefit, not a loss
> of security.

For those that do not care about the security implication of printing on
a "random" printer, this is certainly a better proposition. Nobody is
complaining that cups browsing is being replaced by something better.

The complain is that avahi should not become a system component that is
impossible to deactivate, even better if the package containing the
daemon could be removed without causing issues, so that you can be sure
it will not be activated by mistake.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York