
Re: avahi-daemon



Hello,

>>Maintainers remember: it's much better to *not* install/activate a network
>>service than to have a service, even if it's chrooted, or running under lower
>>privileges (like the avahi maintainers describe in
>>https://wiki.ubuntu.com/MainInclusionReportAvahi) which, BTW, is not that
>>common. The keyword here is 'exposure'.
>>
> The avahi-daemon is nicely chrooted, and runs under a different user.
> You just can't have the functionality of "plug'n'play" on a network
> without any central server without listening at some point to
> something...
>  
>
Can you please count the open ports on your system? Are there still
telnet, timeserver, sunrpc ... waiting for connections?
Why did you disable them?

I am sure this was discussed several times in the past. Anyway, it is an
open secret that you had better not connect your newly installed Debian to
the internet until you have shut down all these security risks (by the way,
with a newly installed Windows XP you had better not connect to the
internet without activating a firewall first and updating your system,
because otherwise you will get infected with some worm within minutes... I
am sure Windows Vista will disable all listening services until the user
turns them on, or at least activate a firewall by default for internet
access). I am sure most Debian users and admins will say something like
"But this is Debian...", "The admin is responsible for security..." or
"root must know what he is doing...".
I think there is a general security problem here. You are right,
plug'n'play is a cool thing the normal user wants. But I also assume that
this normal user won't be aware of this listening port, don't you think
so? Please count the open ports on your systems again... how many are
there? Maybe Samba, maybe even ssh and Apache, and maybe this avahi (which
is not as well known as the rest). I think it is justified to ask the
user/admin to activate this avahi thing... I don't think the users will
get spammed with this kind of question even if we had this as a general
rule.

People can have the avahi feature anyway, and I think asking a
security-related question *one* time would be a good thing. In addition,
inexperienced users will learn the general rule that an open port is a
security risk!

>>Really, do *almost all* rhythmbox users need to share music (and consequently need
>>avahi)?
>>
> That's not the point, the point is to make it easy to do so.  And yes,
> a lot of users share music between computers.  Those people want that
> to be simple.  You can't cut every feature out because only 10% of the
> users use it.
>
> It's not like you're running Rhythmbox on a firewall, and iptables is
> still there, you can remove avahi, you can configure it not to start
> etc.
>
Better to let a user explicitly activate it if he needs it. The
application can suggest that he do so when the Rhythmbox power user
presses the "browse for music" button...



regards
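The "count the open ports" check the mail asks for, as an added example that is not part of the original message or of the avahi project: a small POSIX shell audit that classifies listening sockets by whether they are reachable from the network (the "exposure" the thread is about) or bound to loopback only. It assumes the column layout of `ss -tulnpH` from modern iproute2 (Netid, State, Recv-Q, Send-Q, Local, Peer, Process); older systems with only `netstat -tulpn` lay the columns out differently and would need the field numbers adjusted. The sample `ss` output embedded below is constructed for the example, including the avahi-daemon mDNS socket on UDP 5353, and is not captured from any real host.

```shell
#!/bin/sh
# Added example (not from the original mail). Classifies listening sockets
# from `ss -tulnpH` output. A socket bound only to 127.0.0.0/8 or ::1 is
# reachable from the host itself; anything else is reachable from the
# network and counts as exposure.

# Constructed sample in `ss -tulnpH` layout (not real output).
SAMPLE_SS_OUTPUT='udp   UNCONN 0 0      0.0.0.0:5353   0.0.0.0:*  users:(("avahi-daemon",pid=612,fd=12))
udp   UNCONN 0 0      [::]:5353      [::]:*     users:(("avahi-daemon",pid=612,fd=13))
tcp   LISTEN 0 128    0.0.0.0:22     0.0.0.0:*  users:(("sshd",pid=800,fd=3))
tcp   LISTEN 0 128    127.0.0.1:631  0.0.0.0:*  users:(("cupsd",pid=700,fd=6))
tcp   LISTEN 0 128    [::1]:631      [::]:*     users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0 511    *:80           *:*        users:(("apache2",pid=900,fd=4))'

# Reads ss lines on stdin; prints "EXPOSED|LOCAL proto local-addr:port process".
classify_listeners() {
    awk '
    NF >= 5 {
        local = $5
        proc = "?"
        # Process name appears as users:(("name",pid=...)) when ss runs as root.
        if (match($0, /users:\(\("[^"]*"/)) {
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        }
        # Address is everything before the last ":" (handles [::1]:631 and *:80).
        addr = local
        sub(/:[^:]*$/, "", addr)
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1")
            kind = "LOCAL"
        else
            kind = "EXPOSED"
        print kind, $1, local, proc
    }'
}

# Number of sockets reachable from the network.
count_exposed_listeners() {
    classify_listeners | awk '$1 == "EXPOSED" { n++ } END { print n + 0 }'
}

# Distinct process names behind the exposed sockets, space separated.
exposed_services() {
    classify_listeners | awk '$1 == "EXPOSED" { print $4 }' \
        | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Audit the live host (needs root to see process names). Not run here.
audit_live_host() {
    ss -tulnpH | classify_listeners
    printf 'exposed listeners: %s (%s)\n' \
        "$(ss -tulnpH | count_exposed_listeners)" "$(ss -tulnpH | exposed_services)"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | classify_listeners
printf 'exposed listeners: %s (%s)\n' \
    "$(printf '%s\n' "$SAMPLE_SS_OUTPUT" | count_exposed_listeners)" \
    "$(printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_services)"
```

On the sample the two cupsd sockets are loopback-only and drop out, leaving four exposed sockets from three services (apache2, avahi-daemon, sshd). The point of the split is the one the mail makes: a service listening only on 127.0.0.1 is a different risk from one listening on 0.0.0.0 or [::], and avahi's mDNS socket is in the second group by design.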


