On Tue, Aug 27, 2019 at 12:28:33AM -0600, Chris Murphy wrote:
> Anyway, it would be nice to get the security team's input on this.

As the security team currently does not have any meetings that I know of I'll try to answer this from my point of view.

In my opinion this is a very difficult question, because it either puts a lot more load on the package maintainers (in case you go for "postinstall scripts open up required ports") or on the users (if you go for "user has to open up ports").

Both options have their disadvantages - in the case of "maintainer opens ports" the ports are open as soon as the package gets installed, and software not run/installed via package manager will give the impression of "just not working".

In case of "users open ports" there is the problem of "stuff doesn't work on fedora", if the particular user doesn't understand the concept of firewalls or doesn't know where to fix it. If the user does know about firewalls, the respective port usually still stays open, even if that software is being uninstalled.

For both "non-packaged program needs an open port" and "user doesn't know a lot about firewalls" you'd need a mechanism to detect connection attempts and query the user about it. Implementing such a mechanism requires switching to an application-based firewall.

Also a firewall is not as much protection as it looks like - imagine any port (above 1024) which was opened on the firewall (either by maintainer or user), but where no program is listening. The additional barrier to run e.g. a c&c server on that machine would just be an additional portscan before deploying the malware.

As the issue of "users piping stuff through wget/curl to sh/bash" also was mentioned: In such a case any firewall won't help, as outbound connections usually are not filtered - also those tend to run on port 80/443 anyway, which usually is open even in heavily filtered networks.

If there is a switch to "default reject" it is also very important that the process to open up a port is easier than to disable the firewall completely or injecting an "accept anything" rule (e.g. by documenting how to open ports in the installation instructions). This does not solve the "port stays open if not used" problem, but at least it's one step.

~ David
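The "port stays open if not used" case raised in the message above can be audited by comparing the ports opened in the firewall with the sockets that are actually listening. The following is an added example, not part of the original message: it assumes firewalld and parses the text formats of `firewall-cmd --list-ports` and `ss -H -tuln`, and both sample outputs are constructed.

```python
import ipaddress

# Constructed sample of `firewall-cmd --list-ports` output.
FIREWALL_PORTS = "8080/tcp 5353/udp 9000-9002/tcp 51413/tcp"

# Constructed sample of `ss -H -tuln` output (no header line).
SS_OUTPUT = """\
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:8080       0.0.0.0:*
tcp   LISTEN 0      128             [::]:9001          [::]:*
"""

def parse_firewall_ports(text):
    """Expand 'port[-port]/proto' tokens into a set of (proto, port) pairs."""
    opened = set()
    for token in text.split():
        ports, proto = token.split("/")
        low, _, high = ports.partition("-")
        for port in range(int(low), int(high or low) + 1):
            opened.add((proto, port))
    return opened

def parse_listeners(ss_text):
    """Return (proto, port) pairs that have a listener reachable off-host."""
    listening = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        # Assumption: a loopback-only listener does not justify an open port.
        if addr != "*" and ipaddress.ip_address(addr).is_loopback:
            continue
        listening.add((proto, int(port)))
    return listening

def unused_open_ports(firewall_text, ss_text):
    """Ports opened in the firewall with no network-reachable listener."""
    return sorted(parse_firewall_ports(firewall_text) - parse_listeners(ss_text))

if __name__ == "__main__":
    for proto, port in unused_open_ports(FIREWALL_PORTS, SS_OUTPUT):
        print(f"open in firewall, nothing listening: {port}/{proto}")
```

Ports opened through firewalld service definitions (`--list-services`) are not covered by this sketch and would need their own expansion.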