Re: is it ok to listen on a localhost port for tests during build time?

To: debian-devel@lists.debian.org
Subject: Re: is it ok to listen on a localhost port for tests during build time?
From: Tollef Fog Heen <tfheen@err.no>
Date: Sun, 06 Dec 2009 11:56:37 +0100
Message-id: <[🔎] 87ws10cqvu.fsf@qurzaw.linpro.no>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20091202220627.GC3044@mobee> (Serafeim Zanikolas's message of "Wed, 2 Dec 2009 23:06:27 +0100")
References: <[🔎] 20091202220627.GC3044@mobee>

]] Serafeim Zanikolas 

| The service supports no authorisation/authentication and, as of now, has no
| way of limiting the size of inserted messages. Would it be acceptable if I
| were to patch the tests to accept connections only from the localhost?
| (implies a potential risk of a local user attack)

What are the implications of a user inserting a message?  Test failing
where it should succeed?  DoS causing the build to fail?  DoS causing
the disk to fill up?  Local root exploit?  If it's just the build
failing, I think it's fine.  If it becomes a root exploit, it's
certainly not.

| From a robustness perspective, I could patch the tests to try several
| different port numbers if the default (11400) is not available.

This might be good, yes.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Reply to:

Follow-Ups:
- Re: is it ok to listen on a localhost port for tests during build time?
  - From: Serafeim Zanikolas <serzan@hellug.gr>

References:
- is it ok to listen on a localhost port for tests during build time?
  - From: Serafeim Zanikolas <serzan@hellug.gr>

Prev by Date: Bug#559681: ITP: flapjack -- scalable and distributed monitoring system
Next by Date: Re: dh_config_model_upgrade: package upgrade with Config::Model
Previous by thread: is it ok to listen on a localhost port for tests during build time?
Next by thread: Re: is it ok to listen on a localhost port for tests during build time?
Index(es):
- Date
- Thread