The package maintainer has a point that an mDNS daemon would be pretty
pointless if it only bound to lo. I think it is more the
responsibility of the administrator to know what is going on on his
system. If you are so worried about security, then why not check out
those NINE new Avahi packages when apt says they are going to be
installed? If you miss it there, it is very prominently displayed on
startup that the Avahi daemon is starting. Oh noes! I'd better stop
that and figure out exactly what it is. If you are interested in a
security report on Avahi, Ubuntu has one here.
https://wiki.ubuntu.com/MainInclusionReportAvahi
This is a service aimed at desktop use. If you're worried about it
getting installed on a server, then you shouldn't be installing a
music player on it either. You're contradicting yourself on your
levels of paranoia.
On 2/22/06, aliban [EMAIL PROTECTED] wrote:
Hi,
as the package maintainer seems to ignore my complaint I forward the
discussion to debian-user mailing list.
On debian testing the rhythmbox suggested to install the avahi-daemon that
listens on all interfaces by default.
I think this kind of install behaviour is insecure even if the package
maintainer does not agree.
In short I think: even if the user should know what he is doing when he
updates his system it is not a secure design for packages to start listening
on all interfaces by default without prompting AND warning the user. It is
not sufficient to mention this behaviour somewhere in the package description
as many packages come as a dependency or as a suggested package; users won't
read every package description of every package they install, especially if
they come as a suggested package or dependency.
best regards.
Sjoerd Simons schrieb:
On Mon, Feb 20, 2006 at 11:22:29PM +0100, Aliban wrote:
Package: avahi-daemon
Version: 0.6.6-1
Severity: normal
I don't know why this pkg was installed in my testing. For sure I did not
install it directly, maybe it was some strange dependency from something?
No strange dependencies. You probably got it because rhythmbox
recommends it.
Yes, I think that was the reason.
Anyway, this thing listens on all interfaces by default. I think this design
is insecure. It should bind to localhost only (ok, this might not make sense
for such a service) OR it should ask the user for the interfaces it binds to.
Uhm, yeah, well, an mDNS daemon that only listens on lo is completely useless.
If you would have looked a little bit further you might have seen that the daemon
runs as an unprivileged user, version 0.6.6-2 of the package even runs in a
minimal chroot environment, so it's actually quite secure by design.
I don't doubt that it has a quite secure design. Anyway, as soon as
something starts listening on the network this is a potential security
hole. In contrast to applications that are only contacting the internet
on user's demand (in example a webbrowser, email client or instant
messenger) this thing is always on and not depending on additional user
interaction, therefore it is a different level of 'taking care'.
Please change the installer's behaviour.
If you don't want it, purge it from your system. Afaik everything that doesn't
directly need it only recommends it. Closing this bug
Sjoerd
I did not have problems to remove it from the system, I just wonder why
something gets installed and opens a port and starts listening to all
interfaces without asking me, especially if I did not directly ask for
this program. Do you really expect all users to read every line of every
program description? When you install Adobe or Java from sun, did you
read every single word in the license? Would you like it if Adobe just
opens some 'obscure' service listening on all interfaces?
Of course it does not make sense to install this daemon and listen only
on local host. Maybe the recommending should be removed but
this is another thing...
Anyway, all I think is that users should be prompted (in example as
portmap does it).
I suggest you add something like xyz is a service that does blah blah,
... For most users this service should bind only to a local area network
and not to the internet. (If you need this service at all) Do you want
to bind to all interface? - with no as default!
I would be very happy if you can add such a thing.
What do you think?
Edrin
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a
subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]