Re: Open then gates

To: debian-devel@lists.debian.org
Subject: Re: Open then gates
From: Russ Allbery <rra@debian.org>
Date: Fri, 14 May 2010 17:16:05 -0700
Message-id: <[🔎] 87wrv6vx2y.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 1273881425.31170.28.camel@fermat.scientia.net> (Christoph Anton Mitterer's message of "Sat, 15 May 2010 01:57:05 +0200")
References: <20091123233240.GB3498@rivendell> <20091124014626.GD29774@kunpuu.plessy.org> <20091124025256.GA11308@gnu.kitenet.net> <20091124071717.GD9409@rivendell> <87ocmqnghe.fsf@windlord.stanford.edu> <[🔎] 1273881425.31170.28.camel@fermat.scientia.net>

Christoph Anton Mitterer <calestyo@scientia.net> writes:

> Now that we have Ubuntu as competitor, which is nicely coloured and
> where everything "just works", let's try to imitate (and integrate
> Ubuntu stuff) as much as possible.

> Or even better,... let's use Windows as archetype.

> Why don't we add any user to the root group automatically!? Or even
> better give him/her full sudo rights!? Doesn't the typical desktop
> installation serve just one user anyway?

Why do you have this strong of a reaction to this change?  My first
assumption is that, for you to be this upset, you must not understand how
user-private groups work at all and therefore think that they form some
sort of security vulnerability.  If that's the case, I'm happy to try to
explain in other ways.  It took me some time to understand the concept as
well.

If you have more specific objections other than not understanding the way
they work, I'm afraid you're going to have to be more specific, because we
can't read your mind.  I think many people participating in this thread
would be open to being persuaded by a good argument.  But you need to
present one.

> I've seen so many examples recently, e.g. (IIRC) changing the default
> for portmap back to "bind to any interface".

My personal experience with portmap is that, for most systems, I don't
want it installed at all, and for those systems where I need it installed,
I also need it to respond to public network interfaces because it's there
in order to provide rendezvous service for network services.  I appreciate
Debian's committment to allowing portmap to not be installed at all so
that I can purge it completely on most systems.  A package that isn't even
installed is better than a package that's installed and listening to
localhost.

Maybe if you run a lot of NFS client systems, you have a different mix of
issues and end up with a lot of cases where you need portmap but only
listening to localhost?

Also, and I say this as someone who went out of my way to eliminate
portmap from systems for years, I think concerns over the security of
portmap at this point are overblown.  Yes, that daemon had a horrible
security track record, but that horrible security track record is about
five years old or more at this point, and it's been reasonably good
recently.

Judging from the changelog of portmap, there's been a *lot* of discussion
and angst over this decision over the years, and it wasn't one that was
made easily.  I think you're overstating this a bit as an example of a bad
direction.

> And I could list dozens of other examples, where packages behave(d) in a
> more or less insecure way or where a rather "open" default configuration
> was chosen.

Have you filed bugs?  Could you point people at some examples?

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Open then gates
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

References:
- Re: Open then gates (was: UPG and the default umask)
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

Prev by Date: Re: Bug#581434: UPG and the default umask
Next by Date: Re: Open then gates (was: UPG and the default umask)
Previous by thread: Re: Open then gates (was: UPG and the default umask)
Next by thread: Re: Open then gates
Index(es):
- Date
- Thread