On Fri, 19.08.11 11:03, Steve Grubb (sgrubb@xxxxxxxxxx) wrote: > > On Friday, August 19, 2011 10:50:51 AM Richard Hughes wrote: > > On 19 August 2011 13:35, Steve Grubb <sgrubb@xxxxxxxxxx> wrote: > > > All security guidance says turn off or get rid of avahi. We really don't > > > want to require it just to print. > > > > Then "security" is flying in the face of usability. > > Generally there is that tension. The main objections is that it makes discovering > system resources easy, which in terms of security is bad. It also used to punch a hole > in the firewall and add routing rules. All of this is bad for security. If you are > catering to a laptop crowd that wants to share music and pictures then avahi is no > concern. > > If however you want a secure by default server OS, then avahi needs to default to > disabled. The concern is when its allowed by default, then people might start relying > on it to the extent that its impossible to remove later. For example, cups is used as > part of the LSPP certification. People running in a LSPP configuration would be horrified > to know avahi is now required for printing top secret documents. Well, I think Fedora is more interested in real-life users than synthetic certifications. Also, running Avahi is probably a lot safer than CUPS. Don't forget that Avahi is pretty much the only service in a default Fedora install that chroot()s by default. On top of that it drops privileges and uses capabilities and resource limits to minimize what it can do. It has been doing pretty elaborate privilege separation since shortly after its inception. It has been doing that since a long long time, much longer than almost any other standard component of our Linux system. In fact I am always a bit disapointed that it still is the only default component that chroot()s. (Oh wait, there's another one now, rtkit, written by the same smart guy). CUPS otoh runs with root privileges, no chroot, no dropped capabilities. If you manage to exploit CUPS you own the system. If you manage to exploit Avahi you are trapped in an unprivileged chroot container, with no ability to even create a file. By disabling the native service discovery protocol in CUPS and moving that into Avahi you hence get a substantial security benefit, not a loss of security. Lennart -- Lennart Poettering - Red Hat, Inc. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
