Stuff that should be our target going forward ?

Simo Sorce simo at redhat.com
Thu Oct 31 23:23:05 UTC 2013


On Fri, 2013-11-01 at 00:05 +0100, Miloslav Trmač wrote:
> On Thu, Oct 31, 2013 at 2:53 PM, Máirín Duffy <duffy at redhat.com> wrote:
> > On 10/31/2013 09:39 AM, Simo Sorce wrote:
> >> I think a good server experience will require that yum install firefox
> >> on a headless system installs all required packages to make it work, is
> >> this something we need to take care of going forward ?
> >
> > So stepping back, the use-case being proposed here is:
> >
> > 'Users of Fedora server will be able to install - at their option -
> > software with graphical interfaces, and they will be able to
> > successfully use these graphical interfaces via trusted X-forwarding
> > (ssh -Y).'
> 
> I would stop at the comma; to me (ssh -Y) is an implementation detail,
> we might be equally satisfied with an RDP server instead.  (Especially
> if, as you suggest, Microsofty admin types are one of the targets.
> With Wayland we'll be using a bitmap-pushing protocol anyway, won't
> we?  Or is it really critical to tie this functionality to ssh,
> perhaps to reuse ssh keys for authentication?)
> 
> (Speculatively we might instead consider deciding the really useful
> functionality is available as web applications, not X11 applications,
> and that we don't really need an X11-based GUI on the server; but
> that's dependent on actually having done the research on what useful
> applications exist and are popular, which I haven't done.)
> 
> (It seems to me that Firefox is one of the applications that one would
> _least_ need to run remotely - just run Firefox locally.  OTOH Firefox
> is one of the easier cases nowadays, with the desktop stacks
> increasingly not taking non-local or non-primary sessions (like (su -)
> and ssh) into account, as Remi points out.)
> 
> > The only concern that the more technical folks like you could address
> > here - there are security implications on installing the whole set of
> > stacks/libraries necessary to get a GUI app running on a server, right?
> 
> The security implications are non-zero, but decreasing over time.
> 
> It used to be useful to minimize the amount of software available on
> the target system to be reused by the attacker (e.g. not have
> interpreted languages or compilers installed) because the networks were
> very slow, storage was lacking, and binary compatibility was rare; so
> pre-installed software was often reused by attackers both to minimize
> the download time and to make the malware more portable (either making
> it a shell or perl script, or shipping C source code to be compiled
> locally).
> 
> Nowadays the hardware+OS=ABI diversity is much smaller, the size of
> malware is frequently measured in megabytes, and they use even more
> local disk space (which nobody ever notices because a single photo is
> larger).  Malware can therefore easily include whatever is necessary
> in its installation package instead of relying on the (potentially
> incompatible) software already installed on the system, so the
> benefits of not having software installed tend towards zero.
> 
> The one case where there still are security implications, and where
> minimizing the installed software makes sense, are privilege
> escalation paths: setuid programs, D-Bus servers, daemons.
> 
> So, overall, I think it would be well justified to just include
> xorg-x11-xauth and a basic set of fonts in the default server
> installation.  (Or in "the server installation profile aimed at
> Windowsy users", providing a "really minimal and headless" profile?
> I'm inclined to say that storage is cheap and the really minimal
> profile just isn't needed, and within the context of the Server WG I
> might be justified in ignoring Matt, who always patiently points out
> that 200 MB * 10k guests on a SAN starts to get costly
>  :) )

200MB x 5 guests is costly on my small SSD too ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
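
The quoted reply above narrows the remaining risk of extra packages to privilege escalation paths: setuid programs, D-Bus servers, daemons. The following is an added example, not part of the original thread, that flags exactly those three kinds of files in package file listings. It assumes the `ls -l` style layout printed by `rpm -qlv <package>`; the package names and file paths in `SAMPLE` are constructed for illustration.

```python
import re

# Constructed input in the `ls -l` layout printed by `rpm -qlv <package>`.
# Package and file names are made up for this example.
SAMPLE = {
    "example-fonts": (
        "-rw-r--r--    1 root    root    310000 Oct  1  2013 /usr/share/fonts/example/Example.ttf\n"
    ),
    "example-gui-helper": (
        "-rwxr-xr-x    1 root    root     18000 Oct  1  2013 /usr/bin/example-gui\n"
        "-rwsr-xr-x    1 root    root     54192 Oct  1  2013 /usr/libexec/example-helper\n"
        "-rw-r--r--    1 root    root       412 Oct  1  2013 /usr/share/dbus-1/system-services/org.example.Helper.service\n"
        "-rw-r--r--    1 root    root       300 Oct  1  2013 /usr/lib/systemd/system/example-helperd.service\n"
    ),
}

LINE = re.compile(r"^(?P<mode>[-dlbcps][-rwxsStT]{9})\s+.*?\s(?P<path>/\S.*)$")
DBUS_DIR = "/usr/share/dbus-1/system-services/"
UNIT_DIRS = ("/usr/lib/systemd/system/", "/etc/systemd/system/")

def classify(line):
    """Return (path, categories) for one listing line; (None, []) if unparsable."""
    m = LINE.match(line.strip())
    if not m:
        return None, []
    mode, path = m["mode"], m["path"].split(" -> ")[0]  # drop symlink target
    found = []
    if mode[0] == "-" and mode[3] in "sS":   # user-execute slot holds s/S
        found.append("setuid")
    if mode[0] == "-" and mode[6] in "sS":   # group-execute slot holds s/S
        found.append("setgid")
    if path.startswith(DBUS_DIR) and path.endswith(".service"):
        found.append("dbus-system-service")
    if path.startswith(UNIT_DIRS) and path.endswith((".service", ".socket")):
        found.append("systemd-unit")
    return path, found

def audit(listings):
    """Map package -> sorted (category, path) findings; clean packages are omitted."""
    report = {}
    for pkg, text in listings.items():
        hits = [(cat, path) for line in text.splitlines()
                for path, cats in [classify(line)] for cat in cats]
        if hits:
            report[pkg] = sorted(hits)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Packages that ship only data, such as the constructed font package, produce no findings, which matches the argument that fonts and similar passive files add little for an attacker to escalate through.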


