Default services enabled

Lennart Poettering mzerqung at 0pointer.de
Fri Aug 19 15:47:54 UTC 2011


On Fri, 19.08.11 11:03, Steve Grubb (sgrubb at redhat.com) wrote:

> 
> On Friday, August 19, 2011 10:50:51 AM Richard Hughes wrote:
> > On 19 August 2011 13:35, Steve Grubb <sgrubb at redhat.com> wrote:
> > > All security guidance says turn off or get rid of avahi. We really don't
> > > want to require it just to print.
> > 
> > Then "security" is flying in the face of usability.
> 
> Generally there is that tension. The main objection is that it makes discovering 
> system resources easy, which in terms of security is bad. It also used to punch a hole 
> in the firewall and add routing rules. All of this is bad for security. If you are 
> catering to a laptop crowd that wants to share music and pictures then avahi is no 
> concern.
> 
> If however you want a secure by default server OS, then avahi needs to default to 
> disabled. The concern is when it's allowed by default, then people might start relying 
> on it to the extent that it's impossible to remove later. For example, cups is used as 
> part of the LSPP certification. People running in an LSPP configuration would be horrified 
> to know avahi is now required for printing top secret documents.

Well, I think Fedora is more interested in real-life users than
synthetic certifications.

Also, running Avahi is probably a lot safer than CUPS. Don't forget that
Avahi is pretty much the only service in a default Fedora install that
chroot()s by default. On top of that it drops privileges and uses
capabilities and resource limits to minimize what it can do. It has been
doing pretty elaborate privilege separation since shortly after its
inception. It has been doing that for a long, long time, much longer
than almost any other standard component of our Linux system. In fact I
am always a bit disappointed that it still is the only default component
that chroot()s. (Oh wait, there's another one now, rtkit, written by the
same smart guy).

CUPS otoh runs with root privileges, no chroot, no dropped
capabilities. If you manage to exploit CUPS you own the system. If you
manage to exploit Avahi you are trapped in an unprivileged chroot
container, with no ability to even create a file.

By disabling the native service discovery protocol in CUPS and moving
that into Avahi you hence get a substantial security benefit, not a loss
of security.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

