allowing programs to open ports

Reindl Harald h.reindl at thelounge.net
Mon Dec 22 13:03:12 UTC 2014


On 22.12.2014 at 11:49, Florian Weimer wrote:
> On 12/21/2014 05:28 PM, Björn Persson wrote:
>
>> Alternatively, cut out the packet filter and have GlibC ask the user
>> whether the call to bind or connect shall be allowed to succeed (or
>> automatically allow or deny the call if so configured). This has the
>> advantage that the program is informed that it's not allowed to
>> communicate.
>
> glibc is the wrong place for this, and a patch in this direction has
> absolutely zero chance of being accepted upstream.  We also ship
> applications which call system calls directly, not through glibc, so
> patching glibc would not even work at a technical level.
>
> However, a Linux Security Module such as SELinux could audit socket
> creation, and provide the user with means to override the default
> choices.  However, this will be extremely controversial (even more so
> than the open firewall) because it will remind people of “personal
> firewalls” on Windows.

and exactly the behavior of "personal firewalls" on Windows is needed
when somebody insinuates that users can't handle a static firewall
configuration at all and that a few broken applications with random ports
intentionally don't get fixed.
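The layering point made above, that a glibc hook is sidestepped by programs issuing system calls directly while a kernel-side mechanism covers both paths, as an added example that is not part of this thread or of Fedora's code: it uses seccomp-bpf (assumed here as a stand-in for the SELinux/LSM mechanism discussed) on x86_64 Linux to make bind() fail with EPERM, then attempts bind() through the glibc wrapper and through syscall(2).

```c
/* Added example: kernel-side enforcement catches bind() regardless of how it is called.
 * Assumes x86_64 Linux; a production filter would also check seccomp_data.arch. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Install a seccomp filter that makes the bind syscall return EPERM for this
 * process and its children. Returns 0 on success, -1 on failure. */
static int deny_bind(void) {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_bind, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Bind a fresh TCP socket to 127.0.0.1 on an ephemeral port; return errno (0 on
 * success). via_raw_syscall picks the path: glibc wrapper or syscall(2) directly. */
static int try_bind(int via_raw_syscall) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;
    int rc = via_raw_syscall ? (int)syscall(SYS_bind, fd, &sa, sizeof sa)
                             : bind(fd, (struct sockaddr *)&sa, sizeof sa);
    int err = rc == 0 ? 0 : errno;
    close(fd);
    return err;
}

int main(void) {
    printf("before filter: glibc=%d raw=%d\n", try_bind(0), try_bind(1));
    if (deny_bind() != 0) { perror("seccomp"); return 1; }
    printf("after filter:  glibc=%d raw=%d (EPERM=%d)\n", try_bind(0), try_bind(1), EPERM);
    return 0;
}
```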
