Re: avahi-daemon

To: debian-security@lists.debian.org
Subject: Re: avahi-daemon
From: Matej Kovac <matej@pobox.sk>
Date: Fri, 3 Mar 2006 18:07:37 +0100
Message-id: <[🔎] 20060303170737.GA16257@bacon.telnet.sk>
In-reply-to: <43FC4A6C.9010801@gmx.net>
References: <43FC4A6C.9010801@gmx.net>

On Wed, Feb 22, 2006 at 12:26:36PM +0100, aliban wrote:
> Hi,
...
> 
> In short I think: even if the user "should know what he is doing" when he
> updates his system it is not a secure design for packages to start
> listening on all interfaces by default without prompting AND warning the
> user. It is not sufficient to mention this behaviour somewhere in the
> package description as many packages come as a dependency or as a
> suggested package; users wont read every package description of every
> package they install, especially if they come as a suggested package or
> dependency.
> 
I fully agree.

[Most replies deviated to concrete little things so I reply to
first mail]

What I see as a problem is just like Aliban writes: defaults /
behavior of avahi-daemon is questionable. Listening on all
interfaces by default, and without notice.

Although it might be secure, chrooted etc, there is at least one
legitimate reason for listening on local interface only: just to
install it, test configuration, may be to test configuration of
sharing or some other "networking" functionality, over local
interface only - and send config to someone. May be others.
Without exposing open ports for a second.

Another thing is that it is recomended by some packages and might
get installed and actually missed by admin. I know such admin
deserves a lesson; there should be other tools monitoring the
machine from inside as well as from outside and one should be
notified about new open port. Aliban got it and reported it.
I have to second his opinion, I think that administrator should
be at least warned that this package is going to be installed
and is going to listen on all interfaces. IMHO, the best choice
is to ask on which interfaces the daemon should listen on.

And don't tell me that if its chrooted its secure. There are far
more-often used programs that by default listen on local
interface only. These programs learned from their bugs. There is
[almost] no point in installing sshd on local interface only, as
well as to install sendmail or postfix on local interface only -
but it does have some legitimate use on local interface. If there
was no remote hole in avahi-daemon, all the honor to authors -
but I don't want to rely on it and would like to have listening
the daemon on local interface only (if it has to be listening at
all). It might be installed only because some of his files/libs
are required for otehr purpose - but in this case it should be
split in two packages - but what if some other one still
recomends or even depends on -daemon package?

Again, I see no reason for listening by default.

-- 
matej kovac
matej@pobox.sk

Reply to:

Prev by Date: Re: avahi-daemon
Next by Date: Re: avahi-daemon
Previous by thread: Re: avahi-daemon
Next by thread: CVE-2006-0883 - are we vuln?
Index(es):
- Date
- Thread