
Re: avahi-daemon



On Fri, 03 Mar 2006, Loïc Minier wrote:
> On Fri, Mar 03, 2006, Henrique de Moraes Holschuh wrote:
> > True.  But that requires a broken kernel, which we patch regularly as a
> > security procedure anyway.  Mounting removable filesystems suid,dev allows a
> > lot more damage *by design* in the standard Linux security-model.
> 
>  And we also support avahi security-wise, and would patch it in the case
>  of a known vulnerability.

Nobody ever implied that avahi is badly maintained.  And unless mdns/avahi
is somehow being shipped configured in such a way so as to allow for
immediate local root privilege escalations, I don't think I understood the
point you wanted to make.

I stated that the fact that a hypothetical kernel bug *also* allows for local
root exploits through a nosuid,nodev removable filesystem does *not* excuse
us to have removable filesystems being mounted suid,dev, which depending on
the filesystem type allows for immediate local root privilege escalation,
*by* *design*.

> Current Earth status:   NOT DESTROYED
How fortunate, that ;-)

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
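
The check below is an added example, not part of the original message: it reads a mount table in /proc/mounts format and reports mounts under removable-media directories that lack the nosuid or nodev options discussed above. The directory prefixes (/media, /mnt, /run/media) and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag mounts under removable-media directories that lack
# nosuid or nodev. Input is /proc/mounts format:
#   device mountpoint fstype options dump pass
# The prefixes /media, /mnt and /run/media are assumptions; adjust locally.

audit_removable_mounts() {
    awk '
    # True when option "want" appears as a whole entry in the comma list,
    # so that e.g. "dev" is never mistaken for "nodev".
    function has_opt(opts, want,    n, i, parts) {
        n = split(opts, parts, ",")
        for (i = 1; i <= n; i++)
            if (parts[i] == want) return 1
        return 0
    }
    $2 ~ /^\/(media|mnt|run\/media)(\/|$)/ {
        missing = ""
        if (!has_opt($4, "nosuid")) missing = missing " nosuid"
        if (!has_opt($4, "nodev"))  missing = missing " nodev"
        if (missing != "")
            printf "%s (%s on %s) missing:%s\n", $2, $3, $1, missing
    }'
}

# Constructed sample mount table (not taken from any real system).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sdb1 /media/usbdisk ext3 rw 0 0
/dev/sdc1 /media/camera vfat rw,nosuid,nodev,uid=1000 0 0
/dev/scd0 /media/cdrom0 iso9660 ro,nosuid 0 0
EOF
}

# On a live system: audit_removable_mounts < /proc/mounts
sample_mounts | audit_removable_mounts
```

An empty result means every mount under those prefixes carries both options; the root filesystem is ignored because it is not under a removable-media prefix.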


