Re: Networking and the firewall (Was Re: Isn't it time for the encrypted file system???)

David Zeuthen wrote:
> On Tue, 2006-03-28 at 09:51 +0200, Alexander Larsson wrote:
> > I must say I'm slightly bothered by the "let's have the apps punch holes
> > in the firewall" approach. If any app can open holes in the firewall,
> > what use is the firewall then? It will only be protecting ports that no
> > application is listening to.
>
> Sure, of course, we need auth from the user (ask them to put in their
> own password or the root password [1]) to open the hole as Alan says.
> Just allowing any app to open arbitrary ports would be a security hole.
>
> We might need some fixes both kernel- and g-u-s-side too to make this
> work in a secure way; e.g. reuse the same port number next time; only
> allow /usr/bin/httpd to bind to that port, etc.
>
> I must say... I'm slightly annoyed by the fact that we put in a feature
> like g-u-s and just don't fix this and expect the user to Google his way
> out of this. We already know that the only way to fix this right now is
> to turn off the firewall. Not very cool.
>
> Can someone please look at this for FC6? And at the same time make sure
> the Banshee and Rhythmbox's of the world can use this feature too? Maybe
> even push an API.
>
>     David
>
> [1] : the PolicyKit stuff I'm working on will make this much easier
> though it will require the firewall to export a system-level service to
> allow punching holes...

Should also be wrapped in SELinux to make sure some random app does not ask for this. If I am a user and NetworkManager pops a window saying something like "In order to run correctly I need your computer to turn purple, and run the Hypervisor at Warp 3", I am going to answer the question "Yes".

So only apps with a security policy should even be able to do this.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Alexander Larsson                                            Red Hat, Inc
                   alexl@xxxxxxxxxx    alla@xxxxxxxxxxxxxx
He's a short-sighted amnesiac filmmaker from a doomed world. She's a
supernatural hip-hop safe cracker fleeing from a Satanic cult. They
fight crime!
--
Fedora-maintainers mailing list
Fedora-maintainers@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers
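The service the two messages above sketch, written out as an added example (this is not code from the thread, from gnome-user-share or from Fedora): a privileged "punch a hole" service that checks three things before it touches the firewall. The caller must be a confined SELinux domain that policy lists at all (Alexander's point that a random app should not even get to pop the dialog), the user must have authorized the request (David's PolicyKit point), and the port is handed out as an SELinux-labelled port so that only the intended domain can bind it (David's "only allow /usr/bin/httpd to bind to that port"), with the same port reused on the next request. The allowlist, the request and decision types, and semanage plus iptables as the backend are my assumptions; the caller's context would come from the system bus (org.freedesktop.DBus.GetConnectionSELinuxSecurityContext) and the authorization result from polkit, and both are passed in here as plain values. The commands are only composed, never executed.

```python
"""Added example (not from the thread or any project): policy checks for a
privileged "open a firewall port" service as sketched in the messages above.

Assumed (hypothetical) interface: the service runs on the system bus, so it
can learn the caller's SELinux context (D-Bus provides
org.freedesktop.DBus.GetConnectionSELinuxSecurityContext) and ask polkit
whether the user authorized the action. Both results are passed in here as
plain values; nothing here talks to D-Bus, polkit, SELinux or iptables.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed allowlist (assumption): which confined domains may ask for a
# hole at all, which SELinux port type the hole is labelled with (only a
# domain with name_bind on that type can bind it), and the allowed range.
POLICY: Dict[str, Tuple[str, range]] = {
    "httpd_t": ("http_port_t", range(1024, 65536)),
    "gnome_user_share_t": ("http_port_t", range(1024, 65536)),
}


@dataclass(frozen=True)
class HoleRequest:
    caller_context: str      # e.g. "system_u:system_r:httpd_t:s0"
    proto: str               # "tcp" or "udp"
    port: int                # port the application would like to listen on
    polkit_authorized: bool  # did the user authorize this action?


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    port: Optional[int]                    # port actually granted
    commands: Tuple[Tuple[str, ...], ...]  # what the service would run


def selinux_domain(context: str) -> str:
    """Return the type field of a user:role:type[:range] SELinux context."""
    fields = context.split(":")
    if len(fields) < 3 or not fields[2]:
        raise ValueError("malformed SELinux context: %r" % context)
    return fields[2]


def decide(req: HoleRequest, grants: Dict[Tuple[str, str], int],
           policy: Dict[str, Tuple[str, range]] = POLICY) -> Decision:
    """Decide one request.

    `grants` remembers (domain, proto) -> port across calls, so an
    application gets the same port next time instead of a fresh hole on
    every start.
    """
    if req.proto not in ("tcp", "udp"):
        return Decision(False, "unsupported protocol %r" % req.proto, None, ())
    try:
        domain = selinux_domain(req.caller_context)
    except ValueError as exc:
        return Decision(False, str(exc), None, ())
    # Check the caller before the user: a domain policy does not list is
    # refused here, so the user is never shown a prompt for it at all.
    if domain not in policy:
        return Decision(False, "domain %s may not open ports" % domain, None, ())
    if not req.polkit_authorized:
        return Decision(False, "user did not authorize the action", None, ())
    port_type, allowed = policy[domain]
    key = (domain, req.proto)
    reused = key in grants
    port = grants[key] if reused else req.port
    if port not in allowed:
        return Decision(False, "port %d not permitted for %s" % (port, domain), None, ())
    commands: List[Tuple[str, ...]] = []
    if not reused:
        # Label the port so only `domain` can bind it; a second `semanage -a`
        # on an already-labelled port would fail, hence the guard.
        commands.append(("semanage", "port", "-a", "-t", port_type,
                         "-p", req.proto, str(port)))
    commands.append(("iptables", "-I", "INPUT", "-p", req.proto,
                     "--dport", str(port), "-j", "ACCEPT"))
    grants[key] = port
    return Decision(True, "ok", port, tuple(commands))


if __name__ == "__main__":
    grants: Dict[Tuple[str, str], int] = {}
    for ctx, port, auth in [
        ("system_u:system_r:httpd_t:s0", 8080, True),
        ("unconfined_u:unconfined_r:unconfined_t:s0", 8080, True),
        ("system_u:system_r:httpd_t:s0", 9090, True),
    ]:
        d = decide(HoleRequest(ctx, "tcp", port, auth), grants)
        print(d.allowed, d.reason, d.port, [" ".join(c) for c in d.commands])
```

The point of labelling the port rather than just opening it is that an iptables ACCEPT rule by itself protects nothing about who listens: any local process could bind the freshly opened port. With the port labelled http_port_t, a confined domain without a name_bind rule on that type is refused the bind by SELinux, so the hole is only useful to the service it was opened for. Note the second httpd_t request in the demo is granted its earlier port, 8080, and emits only the iptables rule.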
