
Re: avahi-daemon

On Fri, 03 Mar 2006, Loïc Minier wrote:
>  This is a desktop machine, it should permit sharing of files on your
>  local network.  DNS servers have their port 53 open to respond to name

In what planet do you live?  Desktop machines are plugged to extremely
hostile networks all the time (think cable modems).

There is no *should* here, at all.

>  Well, no: that's the opposite of plug'n'play.  See, if your USB stick
>  contains a malicious vfat file system, it gets automatically mounted
>  nevertheless.  It's a feature.

Not in my servers, it doesn't.  And I should add, not even in my desktops:
all removable filesystems are mounted nodev, nosuid.

Mounting malicious filesystems automatically (vfat can't be one AFAIK, but
it won't bork if you tell it to be nosuid, nodev either) is never a feature,
it is a security hole.

Actually, should we not file security bugs against everything that comes
configured to mount removable filesystems out of the box and does so without
specifying nodev, nosuid?

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
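
Added example, not part of the original message: a shell check for the policy described above, listing removable-media mounts that lack `nodev` or `nosuid`. It assumes removable media are mounted under `/media` or `/run/media`; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Flag mounts under removable-media directories that lack nodev or nosuid.
# Input: lines in /proc/mounts format (device mountpoint fstype options dump pass).
# Assumption: removable media are mounted under /media or /run/media.
audit_mounts() {
    awk '
    $2 ~ /^\/(run\/)?media(\/|$)/ {
        # Split the comma-separated option field and look for both flags.
        n = split($4, opts, ",")
        nodev = 0; nosuid = 0
        for (i = 1; i <= n; i++) {
            if (opts[i] == "nodev")  nodev = 1
            if (opts[i] == "nosuid") nosuid = 1
        }
        missing = ""
        if (!nodev)  missing = "nodev"
        if (!nosuid) missing = (missing == "" ? "nosuid" : missing ",nosuid")
        # Report mountpoint, filesystem type and the options that are absent.
        if (missing != "") print $2 " " $3 " missing:" missing
    }'
}

# Constructed sample input, not taken from a real system.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sdb1 /media/usbdisk vfat rw,nosuid,nodev,uid=1000 0 0
/dev/sdc1 /media/stick ext2 rw,relatime 0 0
/dev/sdd1 /media/camera vfat rw,nodev 0 0
/dev/sr0 /run/media/user/cdrom iso9660 ro,nosuid 0 0
EOF
}

# To audit the live mount table instead: audit_mounts < /proc/mounts
sample_mounts | audit_mounts
```

An empty result means every mount under the assumed directories carries both options; the root filesystem in the sample is ignored because it is not under a removable-media path.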
