Re: Torvalds:requiring root password for mundane things is moronic

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 29.02.12 18:27, Simo Sorce (simo@xxxxxxxxxx) wrote:

> On Thu, 2012-03-01 at 00:17 +0100, Lennart Poettering wrote:
> > On Wed, 29.02.12 17:51, Simo Sorce (simo@xxxxxxxxxx) wrote:
> > 
> > > On Wed, 2012-02-29 at 10:09 -0700, Chris Murphy wrote:
> > > > On Feb 29, 2012, at 5:15 AM, drago01 wrote:
> > > > 
> > > > > On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker <ndbecker2@xxxxxxxxx> wrote:
> > > > >> I think he's got a point
> > > > >> 
> > > > >> http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_
> > > > > 
> > > > 
> > > > My example is mDNS being blocked in the Firewall by default *and* it requires a root password to unblocked it. Completely retarded.
> > > 
> > > Except that mDNS is a real security issue (because you can hijack name
> > > resolution quite easily with it).
> > 
> > Can you? How so?
> > 
> > Sure, you can muck with the .local domain, since that's the mDNS domain,
> > but hey, if you are stupid enough to trust the .local domain in insecure
> > networks, then it is your own fault, as the suffix ".local" kinda comes
> > with this big implied label of "HEY! THIS DOMAIN IS RESOLVED FROM DATA
> > MULTICASTED ON THE LOCAL LINK".
> 
> Yeah unfortunately there are a ton of sites that use the .local suffix
> for their local domain for example. Some predate mDNS hijacking of it
> for 'untrusted local stuff'.

Well, I don't consider this really that much of a *security*
issue. Unicast DNS domains called ".local" are made entirely unavailable
if mDNS is used, which is the default on MacOS and Linux. I am sure
there are still setups which use .local in unicast domains, but things
are not really primarily insecure for them, but they are *entirely
broken* for them. That's a completely different quality.

> Also you should really define 'You' here. Because the issue is that mDNS
> in Fedora is inserted by default in the hosts database and IIRC before
> DNS, so it get a chance to always reply before a DNS query is made. This
> of course makes sense for its uses, why ask the DNS if you know this is
> a .local name that the DNS should not know about ?

The NSS module is authoritative for .local and .local only. It will not
respond for host lookups outside this domains, and hence cannot be used
to muck around with anything outside the mDNS domain .local. You cannot
override normal unicast host names via multicast.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux