
Re: avahi-daemon


On Fri, Mar 03, 2006, aliban wrote:
> Can you please count the open ports on your system? Are there still
> telnet, timeserver, sunrpc ... waiting for connections?

 On my system?  nmap reports:
    53/tcp open  domain

 Some netstat digging shows:
 tcp        0      0    *    LISTEN     18007/pdnsd
 udp        0      0  *

 And so what?  Do you want to prove to me it listens on the network?
 That's by design, the point is to listen for queries.

> Why did you disable them?

 I didn't disable anything, I installed what I wanted.  I installed
 iptables and have set it up too.

> I am sure this was discussed several times in the past. Anyway, it is an
> open secret that you had better not connect your newly installed debian
> to the internet until you have switched off all these security risks
> (Btw. with a newly installed windows XP you had better not connect to
> the internet without activating a firewall first and updating your
> system, because otherwise you will get infected with some worm within
> minutes... - I am sure Windows Vista will disable all listening services
> until the user turns them on, or at least activate a firewall by default
> for internet access). I am sure most debian users and admins will say
> something like "But this is debian...", "Admin is responsible for
> security..." or "root must know what he is doing...".

 This is a desktop machine, it should permit sharing of files on your
 local network.  DNS servers have their port 53 open to respond to name
 resolution queries, just consider your desktop installation to be a
 name server responding to stuff such as "what services are available",
 "what shares are available" etc.

> I think this is a general security problem here. You are right,
> plug'n'play is a cool thing the normal user wants. But I also assume that
> this normal user won't be aware of this listening port, don't you think
> so?

 Do you have any other solution permitting the same functionalities, but
 without the listening port?  I'm listening to any suggestions.  BTW,
 this is a standard that other software adheres to, such as Apple's
 iTunes.  Will your solution permit interoperability with iTunes?

>     Please count the open ports on your systems again... how many are
> there? Maybe samba, even maybe ssh and apache and maybe this avahi (that
> is not as known as the rest). I think it is justified to ask the
> user/admin to activate this avahi thing... I don't think the users will
> get spammed with these kinds of questions even if we had this as a
> general rule.

 Sure, I'm fine with a debconf question permitting for example *not* to
 start avahi.  It's just that this question will only be visible for
 certain priorities (for example only for priority = low, or medium),
 and will default to enable avahi (as for other daemons, and so that it
 works out of the box).

 But you do well to point at typical services running on a desktop
 machine:
 - apache2 (and it will be even more common with gnome-user-share and DAV
   file sharing)
 - samba

 Do any of these run chrooted like avahi does?  Samba even runs as
 root.  Which of samba or avahi has the power to change file ownership,
 permissions, or simply to serve sensitive files such as /etc/shadow?

> People can have the avahi-feature anyway and I think asking *one* time a
> security related question would be a good thing. In addition to that,
> inexperienced users will learn the general rule that an open port is a
> security risk!

 Sure, no problem.

> Better let a user explicitly activate it if he needs it. That
> application can suggest that he do so when the rhythmbox power user
> presses the button "browse for music"...

 Well, no: that's the opposite of plug'n'play.  See, if your USB stick
 contains a malicious vfat file system, it gets automatically mounted
 nevertheless.  It's a feature.


Loïc Minier <lool@dooz.org>
Current Earth status:   NOT DESTROYED
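The comparison made above (which listeners face the network, which run as root, which are chrooted) can be checked on a Linux box rather than argued. The script below is an added example, not part of this thread or of the avahi or samba projects; it assumes Linux /proc semantics, covers IPv4 only (/proc/net/tcp and /proc/net/udp, not the tcp6/udp6 tables), and needs root to see the fd and root links of other users' processes.

```python
import os
import socket
import struct

def parse_proc_net_line(line):
    """Parse one data row of /proc/net/tcp or /proc/net/udp."""
    f = line.split()  # sl local rem st txq:rxq tr:when retrnsmt uid timeout inode ...
    hexip, hexport = f[1].split(":")  # IPv4 is hex in host (little-endian) byte order
    ip = socket.inet_ntoa(struct.pack("<I", int(hexip, 16)))
    return {"ip": ip, "port": int(hexport, 16), "state": f[3], "uid": int(f[7]), "inode": int(f[9])}

def exposure(ip):
    """How widely the bound address can be reached from other hosts."""
    if ip == "0.0.0.0":
        return "all interfaces"
    return "localhost only" if ip.startswith("127.") else "one interface"

def listening_sockets(proto="tcp"):
    """Sockets waiting for traffic, read from the live /proc/net/<proto>."""
    wanted = "0A" if proto == "tcp" else "07"  # st: TCP LISTEN, or UDP bound and unconnected
    with open(f"/proc/net/{proto}") as fh:
        rows = [parse_proc_net_line(l) for l in fh.readlines()[1:]]  # skip header
    return [r for r in rows if r["state"] == wanted]

def process_for_inode(inode):
    """(pid, comm) owning the socket inode, found via /proc/*/fd; None if unreadable."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
            if any(os.readlink(f"/proc/{pid}/fd/{fd}") == target for fd in fds):
                with open(f"/proc/{pid}/comm") as fh:
                    return int(pid), fh.read().strip()
        except OSError:  # process exited, or another user's and we lack privilege
            continue
    return None

def is_chrooted(pid):
    """True when the process root differs from /; None if we may not look."""
    try:
        return os.readlink(f"/proc/{pid}/root") != "/"
    except OSError:
        return None

if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        for s in listening_sockets(proto):
            pid, comm = process_for_inode(s["inode"]) or (None, "?")
            print(f"{proto} {s['ip']}:{s['port']:<5} {exposure(s['ip']):<15} uid={s['uid']:<5} "
                  f"pid={pid} {comm} chrooted={is_chrooted(pid)}")
```

A listener on 0.0.0.0 owned by uid 0 with chrooted=False is the combination the message above argues against; one bound to 127.0.0.1, or running as an unprivileged user inside a chroot, is the avahi-style case.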
