Re: avahi-daemon

To: debian-security@lists.debian.org
Subject: Re: avahi-daemon
From: Loïc Minier <lool+debian@via.ecp.fr>
Date: Wed, 22 Feb 2006 15:23:42 +0100
Message-id: <[🔎] 20060222142342.GD17249@bee.dooz.org>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 43FC4A6C.9010801@gmx.net>
References: <[🔎] 43FC4A6C.9010801@gmx.net>

        Hi,

On Wed, Feb 22, 2006, aliban wrote:
> as the package maintainer seems to ignore my complaint I forward the
> discussion to debian-user mailing list.

 I am the package maintainer of Rhythmbox, am I the package maintainer
 you refer to?  Or did you mean the avahi-daemon package manager?

> On debian testing the rhythmbox suggested to install the avahi-daemon
> that listens on all interfaces by default.

 It used to Depend on it (ie. MUST install avahi-daemon to be able to
 install rhythmbox), but this has been downgraded to Recommends (ie. in
 some rare cases, it might be legitimate not to install it and face the
 consequences).  If you feel paranoid, you can uninstall avahi-daemon,
 but don't complain that music sharing doesn't work.

> I think this kind of install behaviour is insecure even if the package
> maintainer does not agree.

 Are you building a secure machine?  Are you running Firefox and
 browsing web pages written by strangers?  Security is not only
 about not listening on any port.

 The default Debian distribution doesn't come with an iptables rule
 denying all traffic (inbound and outbound), you're free to add it.

 If you do install a GNOME desktop environment, expect to have a web
 browser which might run malicious code, games which might be sgid
 games, and tons of stuff which might be opening more doors than you
 like.

> In short I think: even if the user "should know what he is doing" when
> he updates his system it is not a secure design for packages to start
> listening on all interfaces by default without prompting AND warning
> the user. It is not sufficient to mention this behaviour somewhere in
> the package description as many packages come as a dependency or as a
> suggested package; users wont read every package description of every
> package they install, especially if they come as a suggested package
> or dependency.

 People want more features, people want a working desktop by default,
 people want their USB key mounted automatically when it's connected,
 even if it might trigger some malicious vfat code, they want their iPod
 synced automatically with the library by default, they want to see
 network shares by default, they want to be able to share their data, be
 it via DAAP, SMB, or DAV...

 What you want is the opposite of plug and play: closing all doors and
 requiring people to open N doors to use a high-level feature such as
 music browsing is *not* intuitive.

 Parts of this discussion are available in #349478.

    Cheers,

-- 
Loïc Minier <lool@dooz.org>
Current Earth status:   NOT DESTROYED

Reply to:

Follow-Ups:
- Re: avahi-daemon
  - From: Michael Stone <mstone@debian.org>
- Re: avahi-daemon
  - From: aliban <aliban@gmx.net>

References:
- avahi-daemon
  - From: aliban <aliban@gmx.net>

Prev by Date: Re: avahi-daemon
Next by Date: Re: avahi-daemon
Previous by thread: Re: avahi-daemon
Next by thread: Re: avahi-daemon
Index(es):
- Date
- Thread