Stuff that should be our target going forward ?

Miloslav Trmač mitr at volny.cz
Thu Oct 31 23:05:44 UTC 2013


On Thu, Oct 31, 2013 at 2:53 PM, Máirín Duffy <duffy at redhat.com> wrote:
> On 10/31/2013 09:39 AM, Simo Sorce wrote:
>> I think a good server experience will require that yum install firefox
>> on a headless system installs all required packages to make it work, is
>> this something we need to take care of going forward ?
>
> So stepping back, the use-case being proposed here is:
>
> 'Users of Fedora server will be able to install - at their option -
> software with graphical interfaces, and they will be able to
> successfully use these graphical interfaces via trusted X-forwarding
> (ssh -Y).'

I would stop at the comma; to me (ssh -Y) is an implementation detail,
we might be equally satisfied with a RDP server instead.  (Especially
if, as you suggest, Microsofty admin types are one of the targets.
With Wayland we'll be using a bitmap-pushing protocol anyway, won't
we?  Or is it really critical to tie this functionality to ssh,
perhaps to reuse ssh keys for authentication?)

(Speculatively we might instead consider deciding the really useful
functionality is available as web applications, not X11 applications,
and that we don't really need a X11-based GUI on the server; but
that's dependent on actually having done the research on what useful
applications exist and are popular, which I haven't done.)

(It seems to me that Firefox is one of the applications that one would
_least_ need to run remotely - just run Firefox locally.  OTOH Firefox
is one of the easier cases nowadays, with the desktop stacks
increasingly not taking non-local or non-primary sessions (like (su -)
and ssh) into account, as Remi points out.)

> The only concern that the more technical folks like you could address
> here - there are security implications on installing the whole set of
> stacks/libraries necessary to get a GUI app running on a server, right?

The security implications are non-zero, but decreasing over time.

It used to be useful to minimize the amount of software available on
the target system to be reused by the attacker (e.g. not have
interpreted languages or compilers installed) because the networks were
very slow, storage was lacking, and binary compatibility was rare; so
pre-installed software was often reused by attackers both to minimize
the download time and to make the malware more portable (either making
it a shell or perl script, or shipping C source code to be compiled
locally).

Nowadays the hardware+OS=ABI diversity is much smaller, the size of
malware is frequently measured in megabytes, and they use even more
local disk space (which nobody ever notices because a single photo is
larger).  Malware can therefore easily include whatever is necessary
in its installation package instead of relying on the (potentially
incompatible) software already installed on the system, so the
benefits of not having software installed tend towards zero.

The one case where there still are security implications, and where
minimizing the installed software makes sense, is privilege
escalation paths: setuid programs, D-Bus servers, daemons.

So, overall, I think it would be well justified to just include
xorg-x11-xauth and a basic set of fonts in the default server
installation.  (Or in "the server installation profile aimed at
Windowsy users", providing a "really minimal and headless" profile?
I'm inclined to say that storage is cheap and the really minimal
profile just isn't needed, and within the context of the Server WG I
might be justified in ignoring Matt, who always patiently points out
that 200 MB * 10k guests on a SAN starts to get costly :) )
     Mirek
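
An added example, not code from Mirek's message or from any Fedora tooling, that makes the "privilege escalation paths" point checkable in practice: it enumerates exactly the three surfaces the message names (setuid/setgid binaries, D-Bus system-bus activation services, and daemons enabled at boot) under a given root, so the output can be diffed before and after pulling a GUI stack onto a server. The ROOT argument, the function name and the sample tree used in the test are assumptions made here so it runs against a chroot, a mounted image or a constructed directory instead of a live /; the file locations follow Fedora's merged-/usr layout.

```shell
#!/bin/sh
# Added example (not from the original thread): report the privilege-escalation
# surface under ROOT. Assumed Fedora paths:
#   /usr                                   setuid/setgid binaries
#   /usr/share/dbus-1/system-services/     D-Bus system-bus activation files
#   /etc/systemd/system/*.wants/           units enabled at boot
set -e

# Print one line per finding: CLASS<TAB>PATH<TAB>DETAIL
audit_privesc_surface() {
    root=${1:-/}
    root=${root%/}          # "/" becomes "", so "$root/usr" is "/usr"

    # 1. setuid / setgid files: run with privileges the caller does not have.
    for bit in 4000:setuid 2000:setgid; do
        mode=${bit%%:*}
        class=${bit#*:}
        find "$root/usr" -xdev -type f -perm "-$mode" 2>/dev/null | sort |
            while IFS= read -r f; do
                printf '%s\t%s\t%s\n' "$class" "${f#"$root"}" \
                    "$(ls -ld "$f" | awk '{print $1}')"
            done
    done

    # 2. D-Bus system-bus activation: dbus-daemon starts Exec= on demand when
    #    any local client asks for Name=, as User=. User= is mandatory on the
    #    system bus; a file missing it is reported with "?" so it stands out.
    for s in "$root"/usr/share/dbus-1/system-services/*.service; do
        [ -f "$s" ] || continue
        name=$(sed -n 's/^Name=//p' "$s" | head -n 1)
        exe=$(sed -n 's/^Exec=//p' "$s" | head -n 1)
        user=$(sed -n 's/^User=//p' "$s" | head -n 1)
        printf 'dbus\t%s\t%s -> %s as %s\n' "${s#"$root"}" \
            "${name:-?}" "${exe:-?}" "${user:-?}"
    done

    # 3. Daemons enabled at boot: *.wants/ symlinks under /etc/systemd/system.
    #    A system unit without User= runs as root.
    for u in "$root"/etc/systemd/system/*.wants/*.service; do
        [ -L "$u" ] || continue
        t=$(readlink "$u")
        case $t in
            /*) unit="$root$t" ;;
            *)  unit="$(dirname "$u")/$t" ;;
        esac
        exe=$(sed -n 's/^ExecStart=//p' "$unit" 2>/dev/null | head -n 1)
        user=$(sed -n 's/^User=//p' "$unit" 2>/dev/null | head -n 1)
        printf 'daemon\t%s\t%s as %s\n' "${unit#"$root"}" "${exe:-?}" "${user:-root}"
    done
}

# Usage: sh audit.sh /        (or a chroot / mounted image); run it before and
# after "yum install firefox" and diff the two outputs.
if [ "$#" -eq 1 ]; then
    audit_privesc_surface "$1"
else
    printf 'usage: %s ROOT\n' "$0" >&2
fi
```

The check is deliberately narrow: it does not list units started only by socket or D-Bus activation, nor D-Bus services that hand off to a SystemdService=, so treat an empty diff as "no new boot-time or on-demand root code paths from the surfaces above", not as proof that a package added nothing of interest.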

