On Fri, Aug 17, 2007 at 12:24:27AM +0200, Izak Burger wrote: > On 8/16/07, Jack T Mudge III <jakykong@theanythingbox.com> wrote: > > My personal view is that there are plenty of simpler distributions out there, > > knoppix for first-time users, Ubuntu/Suse for novices, and RedHat for people > > who need hand-holding. Debian is primarily for advanced users, and for users > > who have someone looking over their shoulder. We shouldn't over-simplify > > debian so that users not in it's target audience can use it. > > I like your viewpoint. I was just trying to remember exactly what is > open to the world on a brand new ubuntu installation, but I haven't > done a new install in a while so this is up to memory. I know there > is no MTA. There is also no sshd or portmap. Not even an inetd. It > will however respond if you ping it. Now THAT is the sort of thing I > like. Secure out of the box. You'll find that a simple default Debian installation of etch is not really that exposed: - exim MTA configured to loopback only - portmap installed, open to the world, but can be configured for loopback only - identd installed, but with no services which makes it not run at all (unless you install some other inetd services that is). - sshd (server) not installed by default Portmap is needed for NFS support out of the box and, IIRC, for GNOME's fam but can easily be configured to be loopback-only. Ubuntu decided on a "no open ports" policy [0] in their first releases (which was a very good choice, if you ask me). They did *not* drop portmap initially (FAM depended on it) but they made it not listen to the network as the user segment they were catering for (desktop-oriented users) doesn't need or use NFS, at least not all of them (see [1] https://bugs.launchpad.net/ubuntu/+source/portmap/+bug/50558). Also, in earlier releases (5.x) an MTA (Postfix) was included. Later releases (6.06) dropped portmap altogether. But the latest release (6.10) [2] installs Avahi (mDNS) open to the world, they decided to do this due to the features it provided (Zeroconf) and after making sure it had been properly audited. However, there have been more Avahi vulnerabilities (3 DoS and 1 remote BoF since 2006) than there have been in Wietse Venema's portmap's (1 DOS vulnerability in 1998). I do not want to get into a flamewar on who's more secure, those are just the facts. I just want to show how design decisions affect the selection of the default install software. Debian caters to a larger population than Ubuntu's which means that Ubuntu developers can be more restrictive on what they put on the default installation. BTW, The reason that Debian's portmap can now be bound only to the loopback interface in Desktop environments (if configured to do so) is that we merged in a patch from Ubuntu that did this precisely. Regards, Javier [0] https://wiki.ubuntu.com/DefaultNetworkServices [1] https://bugs.launchpad.net/ubuntu/+source/portmap/+bug/50558 [2] https://help.ubuntu.com/community/HowToZeroconf
Attachment:
signature.asc
Description: Digital signature