John Harris wrote:

> It also prevents one from running software, open to the world, by accident,
> whether that means piping a script to bash

Please elaborate. Where does the script come from, what exactly happens by accident, and how would a packet filter stop it?

> badly written scripts, poorly written user software

A badly written script accidentally starts some network service that it doesn't need? The one time that actually happens, the user will likely click "allow" without thinking, as they will have been accustomed to doing so all the time. If the script actually needs to listen on the network, then the user will have to allow it, and the script is no less badly written than it was before.

> and
> vulnerabilities in software, to name a few of the things that might bind a
> port without the user knowing immediately.

How would a "vulnerability" "bind a port"? If the program is supposed to communicate, then it will be allowed, and any vulnerabilities it has are then exposed to the network. If it's not supposed to communicate, then it won't randomly sprout a network service because of a bug.

If you mean that an arbitrary code execution vulnerability has been exploited, so that the program is now executing the attacker's code, then it's already too late. The attack code won't listen for incoming connections. It will make an outgoing connection to its master. And in case you're considering requiring permission even for outgoing connections – which would be unbearable to the user – the attack code would just make an API call (through Dbus or whatever) to grant itself permission to communicate.

You need to present some much more detailed and thought-through scenarios if you want to make a compelling argument.

Björn Persson
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx