service accepting commands from the network by default

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Sun Feb 22 20:12:01 UTC 2015


On Sun, Feb 22, 2015 at 07:51:06PM +0100, Reindl Harald wrote:
> and then comes the default firewall on F21 workstation with all
> ports > 1024 open because things "have to work out of the box"
Yes, this is the reason why I'm asking. If there was a restrictive
firewall by default, this would not be an issue.

> On 22.02.2015 at 19:46, M. Edward (Ed) Borasky wrote:
> >Yes, I would think:
> >
> >a) all services should be disabled and their ports closed by default, and
> >b) the documentation should describe how to enable the service and
> >open the ports

It's not really clear what you mean by your answer. Does "yes" mean
that this *should* be allowed? Also please note that the service in
question is disabled by default, and requires a 'systemctl start' to
start. Is this enough?

Zbyszek


> >On Sun, Feb 22, 2015 at 6:04 AM, Zbigniew Jędrzejewski-Szmek
> ><zbyszek at in.waw.pl> wrote:
> >>Are Fedora packages allowed to have a default configuration in which
> >>the service accepts commands from the network in the default
> >>configuration?
> >>
> >>The daemon is not enabled by default, so the administrator has to do a
> >>systemctl enable/start first.  This means that just installing the
> >>package does not create a problem, and an explicit admin action is
> >>necessary for the daemon to start listening. Nevertheless, I'm still
> >>worried that people will start the service to try it out without
> >>reading the fine print and will be vulnerable to attack. I would think
> >>that the Packaging Guidelines cover this, but I don't think they do.


