service accepting commands from the network by default
kevin at scrye.com
Sun Feb 22 20:08:34 UTC 2015
On Sun, 22 Feb 2015 15:04:18 +0100
Zbigniew Jędrzejewski-Szmek <zbyszek at in.waw.pl> wrote:
> Are Fedora packages allowed to have a default configuration in which
> the service accepts commands from the network in the default
Commands from the network what sort of commands?
Perhaps you had an example package in mind that caused you to bring
There's nothing I can think of off hand in the packaging guidelines
about accepting commands from the network in default config. It sounds
like common sense would be to avoid such a thing tho.
> The daemon is not enabled by default, so the administrator has to do a
> systemctl enable/start first.
Right, there are guidelines on this
> This means that just installing the
> package does not create a problem, and an explicit admin action is
> necessary for the daemon to start listening. Nevertheless, I'm still
> worried that people will start the service to try it out without
> reading the fine print and will be vulnerable to attack. I would think
> that the Packaging Guidelines cover this, but I don't think they do.
As the saying goes "It's hard to legislate common sense" (i.e., it's hard
to write down every single thing people should/should not do).
Many packages in this situation at least listen only on localhost, so
the issue isn't remote access anyhow.
IMHO, I would talk to the package maintainer(s) and ask them to do
something to improve the situation.
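As an added example, not part of this thread, here is a small POSIX shell check in the spirit of the localhost point above: it lists listening TCP sockets bound to something other than a loopback address, which is what an admin would want to see after a `systemctl start`. It assumes the column layout of `ss -tlnH` and uses a constructed sample instead of live output.

```shell
#!/bin/sh
# Constructed sample of `ss -tlnH` output (one listening socket per line,
# Local Address:Port in column 4). For a live check, pipe `ss -tlnH` instead.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::1]:25 [::]:*
LISTEN 0 128 [::]:9090 [::]:*
LISTEN 0 128 192.168.1.10:5432 0.0.0.0:*'

# Read ss-style lines on stdin and print the Local Address:Port of every
# listener whose bind address is not loopback, i.e. reachable from the network.
non_loopback_listeners() {
    awk '{
        addr = $4
        sub(/:[0-9]+$/, "", addr)     # strip the port
        sub(/^\[/, "", addr)          # strip IPv6 brackets
        sub(/\]$/, "", addr)
        if (addr != "::1" && addr !~ /^127\./)
            print $4
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SS" | non_loopback_listeners
```

Any line it prints is a service that accepts connections from beyond the host; an empty result means every listener is bound to localhost only.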