On Thu, 2012-03-01 at 00:17 +0100, Lennart Poettering wrote: > On Wed, 29.02.12 17:51, Simo Sorce (simo@xxxxxxxxxx) wrote: > > > On Wed, 2012-02-29 at 10:09 -0700, Chris Murphy wrote: > > > On Feb 29, 2012, at 5:15 AM, drago01 wrote: > > > > > > > On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker <ndbecker2@xxxxxxxxx> wrote: > > > >> I think he's got a point > > > >> > > > >> http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_ > > > > > > > > > > My example is mDNS being blocked in the Firewall by default *and* it requires a root password to unblocked it. Completely retarded. > > > > Except that mDNS is a real security issue (because you can hijack name > > resolution quite easily with it). > > Can you? How so? > > Sure, you can muck with the .local domain, since that's the mDNS domain, > but hey, if you are stupid enough to trust the .local domain in insecure > networks, then it is your own fault, as the suffix ".local" kinda comes > with this big implied label of "HEY! THIS DOMAIN IS RESOLVED FROM DATA > MULTICASTED ON THE LOCAL LINK". Yeah unfortunately there are a ton of sites that use the .local suffix for their local domain for example. Some predate mDNS hijacking of it for 'untrusted local stuff'. Also you should really define 'You' here. Because the issue is that mDNS in Fedora is inserted by default in the hosts database and IIRC before DNS, so it get a chance to always reply before a DNS query is made. This of course makes sense for its uses, why ask the DNS if you know this is a .local name that the DNS should not know about ? But most applications do not treat random host names in any special way, so it is hard to cast blame or stupidity on an application developer for not checking the suffix of the host name they are connecting to. All that said I am not casting any blame, just saying why disabling it is not just a stupid idea but have a reason. We may not agree with the reason or consider it an over-reaction to the threat or whatever other consideration. That's a separate discussion I think. Simo. -- Simo Sorce * Red Hat, Inc * New York -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
