NM generated IPv6 addresses leak your MAC address
by Chris Murphy
https://bugzilla.redhat.com/show_bug.cgi?id=1279242
The gist of this bug is that NetworkManager on Fedora 23 and Rawhide
does not have RFC4941 privacy extensions enabled. So the IPv6 address
is predicated on a real MAC address (at least on baremetal) and the
address is not temporary and is never deprecated. This is reported to
have worked correctly on Fedora 22.
Could this be assessed for security impact, in particular as it
relates to Fedora release criteria?
https://fedoraproject.org/wiki/Fedora_24_Final_Release_Criteria#Security_...
How would this get fixed with an update? Is there a mechanism to sed
the user configuration to change ipv6.ip-privacy to 2? Or is this
something that's likely stuck with a value of -1 for the life of the
release, unless the user manually makes a change?
Thanks,
--
Chris Murphy
7 years, 7 months
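An added example (not part of the original message, and not NetworkManager code) of how to check whether an address exposes the hardware address as the report above describes. It assumes the interface identifier was built in the modified EUI-64 format of RFC 4291; the function names and sample addresses are constructed for illustration.

```python
import ipaddress


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 IPv6 address, or None.

    Accepts an optional /prefix or %zone suffix, as printed by `ip -6 addr`.
    """
    ip = ipaddress.IPv6Address(addr.split("/")[0].split("%")[0])
    iid = ip.packed[8:]                # low 64 bits: the interface identifier
    if iid[3:5] != b"\xff\xfe":        # EUI-64 inserts ff:fe in the middle
        return None
    # Undo the universal/local bit flip applied to the first octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Map each address to the MAC it exposes (None if no EUI-64 pattern)."""
    return {a: eui64_mac(a) for a in addresses}


# Constructed sample addresses (documentation prefix 2001:db8::/32).
SAMPLES = [
    "2001:db8:1:2:5054:ff:fe12:3456/64",   # EUI-64 from 52:54:00:12:34:56
    "fe80::5054:ff:fe12:3456%eth0",        # link-local, same interface
    "2001:db8:1:2:8d3c:41a7:9be2:6f10/64", # random, RFC 4941 style identifier
]

if __name__ == "__main__":
    for address, mac in audit(SAMPLES).items():
        if mac:
            print(f"{address}: exposes MAC {mac}")
        else:
            print(f"{address}: no EUI-64 pattern")
```

A randomly generated identifier contains ff:fe at that position about once in 65536 cases, so a single match is a strong hint rather than proof; an identifier that stays the same across networks confirms it.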
Use suid_dumpable=2 for development releases
by Jakub Filak
Hello,
As an ABRT maintainer, I have been asked several times why ABRT does not
catch crashes of many processes, and one kind of reason dominates among
the others: processes that execute set-user-ID programs (man 5 core).
These processes are not dumped at all if the value of
/proc/sys/fs/suid_dumpable is 0 (man 5 proc), which is the default value.
With the default suid_dumpable value, crashes caused by SIGABRT are not
detectable because the kernel doesn't even write a log message about that.
The default value 0 is there for a good security reason, but I would like
to propose changing the default value to 2 for development Fedora releases
(Alpha, Beta, Rawhide). In this case, the kernel would send a core dump to
ABRT (or systemd-coredump) and the ABRT record would be accessible only to
root.
I believe that maintainers of packages like chrony will be really delighted
with this change, while it will not weaken the security of Fedora for
regular users.
Regards,
Jakub
7 years, 7 months