
avahi-daemon



Hi,

As the package maintainer seems to ignore my complaint, I am forwarding the discussion to the debian-user mailing list.

On Debian testing, rhythmbox suggested installing avahi-daemon, which listens on all interfaces by default.

I think this kind of install behaviour is insecure, even if the package maintainer does not agree.

In short I think: even if the user "should know what he is doing" when he updates his system, it is not a secure design for packages to start listening on all interfaces by default without prompting AND warning the user. It is not sufficient to mention this behaviour somewhere in the package description, as many packages come as a dependency or as a suggested package; users won't read every package description of every package they install, especially if they come as a suggested package or dependency.

Best regards.


Sjoerd Simons wrote:

> On Mon, Feb 20, 2006 at 11:22:29PM +0100, Aliban wrote:
>
> > Package: avahi-daemon
> > Version: 0.6.6-1
> > Severity: normal
> >
> > I don't know why this pkg was installed in my testing. For sure I did not
> > install it directly, maybe it was some strange dependency from something?
>
> No strange dependencies. You probably got it because rhythmbox recommends it.

Yes, I think that was the reason.

> > Anyway, this thing listens on all interfaces by default. I think this design
> > is insecure. It should bind to localhost only (ok, this might not make sense
> > for such a service) OR it should ask the user for the interfaces it binds to.
>
> Uhm, yeah, well, an mDNS daemon that only listens on lo is completely useless.
> If you had looked a little bit further you might have seen that the daemon
> runs as an unprivileged user, version 0.6.6-2 of the package even runs in a
> minimal chroot environment, so it's actually quite secure by design.

I don't doubt that it has a quite secure design. Anyway, as soon as
something starts listening on the network this is a potential security
hole. In contrast to applications that are only contacting the internet
"on user's demand" (for example a web browser, email client or instant
messenger), this thing is always on and does not depend on additional user
interaction; therefore it is a different level of 'taking care'.




> > Please change the installer's behaviour.
>
> If you don't want it, purge it from your system. Afaik everything that doesn't
> directly need it only recommends it. Closing this bug
>
>   Sjoerd

I did not have problems removing it from the system, I just wonder why
something gets installed, opens a port and starts listening on all
interfaces without asking me, especially if I did not directly ask for
this program. Do you really expect all users to read every line of every
program description? When you install Adobe or Java from Sun, did you
read every single word in the license? Would you like it if Adobe just
opened some 'obscure' service listening on all interfaces?

Of course it does not make sense to install this daemon and listen only
on localhost. Maybe the recommends should be removed, but
this is another thing...

Anyway, all I think is that users should be prompted (for example, as
portmap does).

I suggest you add something like "xyz is a service that does blah blah,
... For most users this service should bind only to a local area network
and not to the internet. (If you need this service at all) Do you want
to bind to all interfaces?" - with no as default!

I would be very happy if you can add such a thing.

What do you think?

Edrin
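The thread's concern is a freshly installed daemon bound to every interface. The check below is an added example, not part of the original mail or of the avahi package: it parses the kernel's /proc/net/udp table format and lists sockets bound to the wildcard address 0.0.0.0, so an administrator can see what a package install opened. The sample table is constructed; the uid 108 and the inode numbers in it are placeholders.

```python
"""List sockets bound to all interfaces from /proc/net/{udp,tcp} tables."""
import socket
import struct

# Constructed sample in /proc/net/udp layout (header + three sockets). The first
# row resembles an mDNS listener on 0.0.0.0:5353 (0x14E9), the second a stub
# resolver on 127.0.0.53:53, the third a printing daemon on 127.0.0.1:631.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000   108        0 12345 2 0000000000000000 0
   1: 3500007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 12346 2 0000000000000000 0
   2: 0100007F:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12347 2 0000000000000000 0
"""

def parse_local(addr: str) -> tuple[str, int]:
    """Decode '0100007F:0277' -> ('127.0.0.1', 631). The kernel writes the
    IPv4 address as one hex word in host byte order (little-endian assumed)."""
    ip_hex, port_hex = addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def wildcard_listeners(table: str) -> list[tuple[int, int]]:
    """Return (port, uid) for every socket bound to 0.0.0.0, i.e. reachable
    on every interface, which is exactly what the thread objects to."""
    found = []
    for line in table.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        ip, port = parse_local(fields[1])        # local_address column
        if ip == "0.0.0.0":
            found.append((port, int(fields[7])))  # uid column
    return found

def audit_host() -> list[tuple[int, int]]:
    """Run the same check against the live kernel tables (Linux only)."""
    hits = []
    for path in ("/proc/net/udp", "/proc/net/tcp"):
        with open(path) as fh:
            hits.extend(wildcard_listeners(fh.read()))
    return hits

if __name__ == "__main__":
    for port, uid in wildcard_listeners(SAMPLE_PROC_NET_UDP):
        print(f"port {port} is bound to all interfaces (uid {uid})")
```

On a real host, run audit_host() right after installing a package and compare the result with the list taken before; any new wildcard entry is a service that chose its interfaces without asking.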





