Torvalds: requiring root password for mundane things is moronic

Lennart Poettering mzerqung at 0pointer.de
Thu Mar 1 14:11:53 UTC 2012


On Wed, 29.02.12 18:27, Simo Sorce (simo at redhat.com) wrote:

> On Thu, 2012-03-01 at 00:17 +0100, Lennart Poettering wrote:
> > On Wed, 29.02.12 17:51, Simo Sorce (simo at redhat.com) wrote:
> > 
> > > On Wed, 2012-02-29 at 10:09 -0700, Chris Murphy wrote:
> > > > On Feb 29, 2012, at 5:15 AM, drago01 wrote:
> > > > 
> > > > > On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker <ndbecker2 at gmail.com> wrote:
> > > > >> I think he's got a point
> > > > >> 
> > > > >> http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_
> > > > > 
> > > > 
> > > > My example is mDNS being blocked in the Firewall by default *and* it requires a root password to unblock it. Completely retarded.
> > > 
> > > Except that mDNS is a real security issue (because you can hijack name
> > > resolution quite easily with it).
> > 
> > Can you? How so?
> > 
> > Sure, you can muck with the .local domain, since that's the mDNS domain,
> > but hey, if you are stupid enough to trust the .local domain in insecure
> > networks, then it is your own fault, as the suffix ".local" kinda comes
> > with this big implied label of "HEY! THIS DOMAIN IS RESOLVED FROM DATA
> > MULTICASTED ON THE LOCAL LINK".
> 
> Yeah unfortunately there are a ton of sites that use the .local suffix
> for their local domain for example. Some predate mDNS hijacking of it
> for 'untrusted local stuff'.

Well, I don't consider this really that much of a *security*
issue. Unicast DNS domains called ".local" are made entirely unavailable
if mDNS is used, which is the default on MacOS and Linux. I am sure
there are still setups which use .local in unicast domains, but things
are not really primarily insecure for them, but they are *entirely
broken* for them. That's a completely different quality.

> Also you should really define 'You' here. Because the issue is that mDNS
> in Fedora is inserted by default in the hosts database and IIRC before
> DNS, so it get a chance to always reply before a DNS query is made. This
> of course makes sense for its uses, why ask the DNS if you know this is
> a .local name that the DNS should not know about ?

The NSS module is authoritative for .local and .local only. It will not
respond for host lookups outside this domain, and hence cannot be used
to muck around with anything outside the mDNS domain .local. You cannot
override normal unicast host names via multicast.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
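The exchange above turns on how glibc walks the hosts: line of nsswitch.conf and on the difference between the .local-only (minimal) nss-mdns module and the full one. The following model is an added example for this archive page; it is not code from the thread, from Fedora or from nss-mdns. The /etc/hosts table, unicast DNS zone and multicast "link" table are constructed stand-ins, and the behaviour modelled for the non-minimal mdns4 module (answering any name from the link when no /etc/mdns.allow restricts it) is an assumption stated in the code. What it does show, and what the minimal module really does, is the status trick that makes Lennart's claim hold: outside .local the minimal module returns UNAVAIL, so the walk continues to dns even under [NOTFOUND=return], while inside .local a miss is NOTFOUND and that action stops the lookup before unicast DNS is ever asked.

```python
"""
Toy model of how glibc walks the `hosts:` line of nsswitch.conf, used to show
why an mDNS NSS module placed *before* `dns` cannot override unicast names as
long as it is the `.local`-only (minimal) variant.

All data here is constructed for the example: the nsswitch lines, the
/etc/hosts table, the unicast DNS zone and the multicast "link" table are
stand-ins, not a real host's configuration.
"""
import re

# Constructed tables standing in for /etc/hosts, unicast DNS, and what is
# being advertised on the local link via multicast (note the two names an
# attacker on the link is also claiming).
FILES = {"localhost": "127.0.0.1"}
UNICAST_DNS = {"intranet.example.com": "10.0.0.5",
               "printer.corp.local": "10.0.0.9",
               "fileserver.corp.local": "10.0.0.7"}
MULTICAST_LINK = {"printer.corp.local": "192.168.1.66",
                  "intranet.example.com": "192.168.1.200"}

HOSTS_LINE_MINIMAL = "hosts: files mdns4_minimal [NOTFOUND=return] dns"
HOSTS_LINE_FULL = "hosts: files mdns4 dns"

TOKEN_RE = re.compile(r"\[[^\]]*\]|\S+")  # a [STATUS=action] group or a bare word


def parse_hosts_line(line):
    """Return [(module, {STATUS: action, ...}), ...] in lookup order."""
    entries = []
    for tok in TOKEN_RE.findall(line.split(":", 1)[1]):
        if tok.startswith("[") and entries:
            actions = dict(re.findall(r"(\w+)=(\w+)", tok))
            entries[-1][1].update({k.upper(): v.lower() for k, v in actions.items()})
        elif not tok.startswith("["):
            entries.append((tok, {}))
    return entries


def is_local_name(name):
    """The scoping rule the minimal module applies: only names under `.local`."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] == "local"


# Each module returns one of the NSS statuses glibc acts on.
def mod_files(name):
    return ("SUCCESS", FILES[name]) if name in FILES else ("NOTFOUND", None)


def mod_dns(name):
    return ("SUCCESS", UNICAST_DNS[name]) if name in UNICAST_DNS else ("NOTFOUND", None)


def mod_mdns_minimal(name):
    # Outside .local the minimal module declines with UNAVAIL, so the walk
    # continues to `dns` even under [NOTFOUND=return]. Inside .local it is
    # authoritative: a miss is NOTFOUND, which that action turns into a final answer.
    if not is_local_name(name):
        return ("UNAVAIL", None)
    return ("SUCCESS", MULTICAST_LINK[name]) if name in MULTICAST_LINK else ("NOTFOUND", None)


def mod_mdns_full(name):
    # Assumption for this model: the non-minimal module, when not restricted by
    # /etc/mdns.allow, asks the link for any name at all.
    return ("SUCCESS", MULTICAST_LINK[name]) if name in MULTICAST_LINK else ("NOTFOUND", None)


MODULES = {"files": mod_files, "dns": mod_dns,
           "mdns4_minimal": mod_mdns_minimal, "mdns4": mod_mdns_full}

# glibc defaults: stop on success, otherwise try the next module.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def resolve(hosts_line, name):
    """Walk the modules like glibc; return (address or None, answering module or None)."""
    for module, actions in parse_hosts_line(hosts_line):
        status, addr = MODULES[module](name)
        action = actions.get(status, DEFAULT_ACTIONS[status])
        if action == "return":
            return (addr, module if status == "SUCCESS" else None)
    return (None, None)


if __name__ == "__main__":
    for line in (HOSTS_LINE_MINIMAL, HOSTS_LINE_FULL):
        print(line)
        for n in ("intranet.example.com", "printer.corp.local",
                  "fileserver.corp.local", "localhost"):
            print("  ", n, "->", resolve(line, n))
```

With the minimal line, intranet.example.com still comes from unicast DNS even though the link is advertising it, and fileserver.corp.local (present only in unicast DNS) resolves to nothing at all, which is the "entirely broken, not insecure" outcome described for unicast .local zones. Swap in the full mdns4 module and the same link advertisement wins for intranet.example.com, which is the hijack Simo has in mind.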

