On Tue, 2006-03-28 at 09:51 +0200, Alexander Larsson wrote:
> I must say I'm slightly bothered by the "let's have the apps punch holes
> in the firewall" approach. If any app can open holes in the firewall,
> what use is the firewall then? It will only be protecting ports that no
> application is listening to.

Sure, of course, we need auth from the user (ask them to put in their own password or the root password [1]) to open the hole as Alan says. Just allowing any app to open arbitrary ports would be a security hole.

We might need some fixes both kernel- and g-u-s-side too to make this work in a secure way; e.g. reuse same port number next time; only allow /usr/bin/httpd to bind to that port etc. etc.

I must say.. I'm slightly annoyed by the fact that we put in a feature like g-u-s and just don't fix this and expect the user to Google his way out of this. We already know that the only way to fix this right now is to turn off the firewall. Not very cool.

Can someone please look at this for FC6? And at the same time make sure the Banshee and Rhythmbox's of the world can use this feature too? Maybe even push an API

David

[1] : the PolicyKit stuff I'm working on will make this much easier though it will require the firewall to export a system-level service to allow punching holes...