03-03-2011, 10:19 AM, Julien BLACHE
Disable ZeroConf: how to ?

Tollef Fog Heen <tfheen@err.no> wrote:

Hi,

> Except zeroconf isn't routed so to be able to exploit it you need to be
> on the same physical segment?

mDNS traffic can actually be relayed, but this requires setting up a
relay daemon on the gateway(s).

Quite useful when done properly.

JB.

--
Julien BLACHE - Debian & GNU/Linux Developer - <jblache@debian.org>

Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/87pqq8bgep.fsf@sonic.technologeek.org
 
03-03-2011, 10:22 AM, Lars Wirzenius
Disable ZeroConf: how to ?

On Thu, 2011-03-03 at 11:54 +0100, Klaus Ethgen wrote:
> On Thu, 3 Mar 2011 at 11:25, Tollef Fog Heen wrote:
> > Then just don't use it? Nobody is forcing you to.
> [...]
> > | And even if you do not care about it, that functionality should be
> > | explicitly configured and not on by default.
> >
> > That makes it much less useful. On the other hand, it's not like your
> > system will suddenly go around connecting to random services just
> > because it sees them announced.
>
> So you contradict yourself within two paragraphs. It makes it less
> useful to enable it only on manual intervention (say, it should be
> enabled automatically) but on the other hand you say that nobody is forcing
> me (or others) to use it. How does that play together?

I don't see a contradiction between "nobody is forced to use zeroconf"
and "zeroconf is less useful if it has to be enabled manually". The fact
that zeroconf is enabled by default on the GNOME desktop does not make
it mandatory for everyone to use. (Yes, it would be nice if there were
an easy way to disable it.)

However, could we please end the FUDfest? This thread seems to be quite
unconstructive, with unspecific claims of security problems, unwarranted
slurs on users based on their operating system, and accusations about
Debian developers' attitudes. If there is an actual problem, explain
what it is, and suggest a solution. Be specific. Avoid hyperbole and
vague generalities. Do not insult. Write few mails, but put effort into
each one. If others don't agree with you, possibly you are unclear and
they are not stupid or evil: rephrase and expand and ask questions, and
don't get frustrated.



Archive: http://lists.debian.org/1299151335.2561.17.camel@tacticus
 
03-03-2011, 10:33 AM, Sujit Karatparambil
Disable ZeroConf: how to ?

> However, could we please end the FUDfest? This thread seems to be quite
> unconstructive, with unspecific claims of security problems, unwarranted
> slurs on users based on their operating system, and accusations about
> Debian developers' attitudes. If there is an actual problem, explain

I totally agree; it is certainly not wise to accuse/allege/propagate FUD.
I also think it is much better to look for articles on the internet that
might help you better understand. As with open source it is very difficult
to maintain a document for a long period of time. But it is certainly useful
as a pointer to useful information in the manpages. Though I am not an
expert on ZeroConf, I found a useful article on zeroconf. I am much more
an Avahi fan than a ZeroConf fan.

http://www.practicallynetworked.com/sharing/configure_and_use_avahi_and_linux.htm


Archive: http://lists.debian.org/AANLkTikC2z4-3c9QhBVDYbvsJyNc6yd6KOfK2OpSmbNH@mail.gmail.com
 
03-03-2011, 10:45 AM, Bastien ROUCARIES
Disable ZeroConf: how to ?

On Thu, Mar 3, 2011 at 12:22 PM, Lars Wirzenius <liw@liw.fi> wrote:
> On Thu, 2011-03-03 at 11:54 +0100, Klaus Ethgen wrote:
>> On Thu, 3 Mar 2011 at 11:25, Tollef Fog Heen wrote:
>> > Then just don't use it? Nobody is forcing you to.
>> [...]
>> > | And even if you do not care about it, that functionality should be
>> > | explicitly configured and not on by default.
>> >
>> > That makes it much less useful. On the other hand, it's not like your
>> > system will suddenly go around connecting to random services just
>> > because it sees them announced.
>>
>> So you contradict yourself within two paragraphs. It makes it less
>> useful to enable it only on manual intervention (say, it should be
>> enabled automatically) but on the other hand you say that nobody is forcing
>> me (or others) to use it. How does that play together?
>
> I don't see a contradiction between "nobody is forced to use zeroconf"
> and "zeroconf is less useful if it has to be enabled manually". The fact
> that zeroconf is enabled by default on the GNOME desktop does not make
> it mandatory for everyone to use. (Yes, it would be nice if there were
> an easy way to disable it.)
>
> However, could we please end the FUDfest? This thread seems to be quite
> unconstructive, with unspecific claims of security problems, unwarranted
> slurs on users based on their operating system, and accusations about
> Debian developers' attitudes. If there is an actual problem, explain
> what it is, and suggest a solution.

The main security problem is the resolver:
$ host -v www.local
www.local
www.local.mydomain.com

See also the security issue for this case in the draft paper:
http://tools.ietf.org/html/draft-cheshire-dnsext-multicastdns-08

More important:
The phpmyadmin package has created a link in /etc/avahi/services without
any question. Everybody in my network knows that I have a phpmyadmin
service running on my server. I will ASAP create a bug report with a
security tag.

Bastien


Archive: http://lists.debian.org/AANLkTikeZVy0EtUVdfw0MPUBagWgA5dhjxVm-Q2_V9O3@mail.gmail.com
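The checks that Julien's relay remark and Bastien's post above call for, as an added example that is not code from the thread, from Debian or from the Avahi project: it lists what the static service files under /etc/avahi/services would announce (the phpmyadmin case; the sample file's contents are shaped like such a file but are assumed, not copied from the package), reads the [publish] and [reflector] settings from avahi-daemon.conf (enable-reflector being Avahi's form of the mDNS relay between segments), checks the nsswitch.conf hosts line that decides whether a .local lookup can fall through to unicast DNS with the search domain appended, and then turns publishing off with disable-publishing=yes. Every sample file is constructed in a temporary directory; the paths and contents are assumptions, and on a real host you would point the functions at /etc/avahi and /etc/nsswitch.conf.

```shell
#!/bin/bash
# Added example, not code from the thread, Debian or the Avahi project.
# Audits what avahi-daemon would announce and whether .local lookups stay on
# mDNS, then switches publishing off. Sample files are constructed below; on a
# real host point the functions at /etc/avahi and /etc/nsswitch.conf.
set -u

# One line per static service file: file, <type>, <port>, <txt-record>s.
list_announced() {
    local dir="$1" f type port txt
    for f in "$dir"/*.service; do
        [ -e "$f" ] || continue
        type=$(sed -n 's/.*<type>\([^<]*\)<\/type>.*/\1/p' "$f" | head -n 1)
        port=$(sed -n 's/.*<port>\([^<]*\)<\/port>.*/\1/p' "$f" | head -n 1)
        txt=$(sed -n 's/.*<txt-record>\([^<]*\)<\/txt-record>.*/\1/p' "$f" |
              tr '\n' ' ' | sed 's/ $//')
        printf '%s %s %s %s\n' "$(basename "$f")" "$type" "$port" "${txt:-none}"
    done
}

# Value of key in [section] of avahi-daemon.conf, or the given default when the
# key is absent or commented out (as the shipped file leaves most keys).
conf_get() {
    local file="$1" section="$2" key="$3" default="$4" val
    val=$(awk -v s="[$section]" -v k="$key" '
        $0 == s { in_s = 1; next }
        /^\[/   { in_s = 0 }
        in_s && $0 ~ "^" k "[ \t]*=" { sub("^[^=]*=[ \t]*", ""); print; exit }
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# Force disable-publishing=yes under [publish]: the daemon then still resolves
# and browses for local clients but publishes no host name, address or service.
# (avahi-daemon must be restarted afterwards on a real host.)
disable_publishing() {
    local file="$1" tmp
    tmp=$(mktemp)
    awk '
        /^#?disable-publishing=/ { next }
        { print }
        /^\[publish\]/ { print "disable-publishing=yes"; seen = 1 }
        END { if (!seen) print "\n[publish]\ndisable-publishing=yes" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# True when glibc resolution of .local names cannot fall through to unicast
# DNS: libnss-mdns' mdns4_minimal handles only .local, and [NOTFOUND=return]
# stops the lookup there instead of trying dns with the search list appended.
local_names_stay_on_mdns() {
    local hosts
    hosts=$(sed -n 's/^hosts:[[:space:]]*//p' "$1")
    case "$hosts" in
        *mdns*\[NOTFOUND=return\]*dns*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample tree (assumed contents, shaped like the phpmyadmin service
# file the thread complains about). Prints the directory it created.
make_sample() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/avahi/services"
    cat > "$root/avahi/services/phpmyadmin.service" <<'EOF'
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">phpMyAdmin on %h</name>
  <service>
    <type>_http._tcp</type>
    <port>80</port>
    <txt-record>path=/phpmyadmin</txt-record>
  </service>
</service-group>
EOF
    printf '[server]\nuse-ipv4=yes\n\n[publish]\n#disable-publishing=no\n\n[reflector]\nenable-reflector=no\n' \
        > "$root/avahi/avahi-daemon.conf"
    printf 'hosts: files mdns4_minimal [NOTFOUND=return] dns\n' > "$root/nsswitch.conf"
    printf '%s\n' "$root"
}

root=$(make_sample)
conf="$root/avahi/avahi-daemon.conf"
echo "announced by static service files:"; list_announced "$root/avahi/services"
echo "publishing disabled: $(conf_get "$conf" publish disable-publishing no)"
echo "mDNS reflector (relays .local between segments): $(conf_get "$conf" reflector enable-reflector no)"
local_names_stay_on_mdns "$root/nsswitch.conf" && echo ".local stays on mDNS" || echo ".local may reach unicast DNS"
disable_publishing "$conf"
echo "after hardening: $(conf_get "$conf" publish disable-publishing no)"
rm -rf "$root"
```

Two caveats. `host -v www.local` talks to libresolv directly and bypasses NSS, so it appends the search list whatever nsswitch.conf says; the hosts-line check above covers programs that resolve through getaddrinfo(). And the service files only show what the host is configured to say: to see what it actually says on the wire, run `avahi-browse -a -t` from another machine on the same segment.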
 
03-03-2011, 10:47 AM, Bastien ROUCARIES
Disable ZeroConf: how to ?

On Thu, Mar 3, 2011 at 12:33 PM, Sujit Karatparambil
<sujit.kmadhavan@gmail.com> wrote:
>> However, could we please end the FUDfest? This thread seems to be quite
>> unconstructive, with unspecific claims of security problems, unwarranted
>> slurs on users based on their operating system, and accusations about
>> Debian developers' attitudes. If there is an actual problem, explain
>
> I totally agree; it is certainly not wise to accuse/allege/propagate FUD.
> I also think it is much better to look for articles on the internet that
> might help you better understand. As with open source it is very difficult
> to maintain a document for a long period of time. But it is certainly useful
> as a pointer to useful information in the manpages. Though I am not an
> expert on ZeroConf, I found a useful article on zeroconf. I am much more
> an Avahi fan than a ZeroConf fan.
>
> http://www.practicallynetworked.com/sharing/configure_and_use_avahi_and_linux.htm

Some packages announce their existence to the world without any admin decision!
It is not FUD, and it is a security hole!
> The phpmyadmin package has created a link in /etc/avahi/services without
> any question. Everybody in my network knows that I have a phpmyadmin
> service running on my server. I will ASAP create a bug report with a
> security tag.
>


Archive: http://lists.debian.org/AANLkTinkQ=Q8wX45zbODT7WqUwX2OqjX_y5W-X-aJT2y@mail.gmail.com
 
03-03-2011, 11:16 AM, Lars Wirzenius
Disable ZeroConf: how to ?

On Thu, 2011-03-03 at 12:47 +0100, Bastien ROUCARIES wrote:
> Some packages announce their existence to the world without any admin decision!
> It is not FUD, and it is a security hole!

That's a vague generality... which packages? You mentioned phpmyadmin.
What are the actual problems that result from this announcement? What
bad things happen from it? Can the fact that you have phpmyadmin become
known to an attacker via port scanning, or similar techniques? If so,
does it matter if phpmyadmin also announces things via avahi? What do
you suggest as a solution? Would a blanket policy of having all services
default to not announcing themselves help? What would the problems from such
a policy be?

(I don't know much about this stuff, and I don't particularly care, but
it'd be nice if we could turn the discussion into a constructive one.)



Archive: http://lists.debian.org/1299154617.2561.23.camel@tacticus
 
03-03-2011, 11:31 AM, Olaf van der Spek
Disable ZeroConf: how to ?

On Thu, Mar 3, 2011 at 1:16 PM, Lars Wirzenius <liw@liw.fi> wrote:
> On Thu, 2011-03-03 at 12:47 +0100, Bastien ROUCARIES wrote:
>> Some packages announce their existence to the world without any admin decision!
>> It is not FUD, and it is a security hole!
>
> That's a vague generality... which packages? You mentioned phpmyadmin.
> What are the actual problems that result from this announcement? What
> bad things happen from it? Can the fact that you have phpmyadmin become
> known to an attacker via port scanning, or similar techniques? If so,
> does it matter if phpmyadmin also announces things via avahi? What do
> you suggest as a solution? Would a blanket policy of having all services
> default to not announcing themselves help? What would the problems from such
> a policy be?
>
> (I don't know much about this stuff, and I don't particularly care, but
> it'd be nice if we could turn the discussion into a constructive one.)

Windows has the concept of home / private and public networks. On
public networks, sharing gets disabled.
Such a concept would be good for this situation as well. Let the user
indicate what type of network he is on and what type of services
should be opened to that network.

Olaf


Archive: http://lists.debian.org/AANLkTinTbSLqb6ErtkOAB3ULXsX+WWjJEmxK-LXe9ns9@mail.gmail.com
 
03-03-2011, 11:43 AM, Bastien ROUCARIES
Disable ZeroConf: how to ?

On Thu, Mar 3, 2011 at 1:31 PM, Olaf van der Spek <olafvdspek@gmail.com> wrote:
> On Thu, Mar 3, 2011 at 1:16 PM, Lars Wirzenius <liw@liw.fi> wrote:
>> On Thu, 2011-03-03 at 12:47 +0100, Bastien ROUCARIES wrote:
>>> Some packages announce their existence to the world without any admin decision!
>>> It is not FUD, and it is a security hole!
>>
>> That's a vague generality... which packages? You mentioned phpmyadmin.
>> What are the actual problems that result from this announcement? What
>> bad things happen from it? Can the fact that you have phpmyadmin become
>> known to an attacker via port scanning, or similar techniques? If so,
>> does it matter if phpmyadmin also announces things via avahi? What do
>> you suggest as a solution? Would a blanket policy of having all services
>> default to not announcing themselves help? What would the problems from such
>> a policy be?
>>
>> (I don't know much about this stuff, and I don't particularly care, but
>> it'd be nice if we could turn the discussion into a constructive one.)
>
> Windows has the concept of home / private and public networks. On
> public networks, sharing gets disabled.
> Such a concept would be good for this situation as well. Let the user
> indicate what type of network he is on and what type of services
> should be opened to that network.

The last bug is not about this; it is that I have phpmyadmin running as
the www user and I announce that I run it.

Not really good to give away the path to phpmyadmin (which is running by
admin decision).

Bastien



Archive: http://lists.debian.org/AANLkTimNDs4CcgJvYxqr_jMcDHAKrpF7DxY=Cm3NLwGb@mail.gmail.com
 
03-03-2011, 12:35 PM, Mike Hommey
Disable ZeroConf: how to ?

On Thu, Mar 03, 2011 at 01:43:19PM +0100, Bastien ROUCARIES wrote:
> [...]
>
> The last bug is not about this; it is that I have phpmyadmin running as
> the www user and I announce that I run it.
>
> Not really good to give away the path to phpmyadmin (which is running by
> admin decision).

A Zeroconf announcement doesn't make it less secure, it makes it slightly more
discoverable, but not significantly so.

Conversely, believing that not announcing through zeroconf is more
secure is probably good for your self confidence but doesn't change
anything about actual security of your system.

Script kiddies will actually scan a network, find web servers, and
test a bunch of urls, in which the default phpmyadmin path most
probably appears.

And if your phpmyadmin is exploited, it won't be because of zeroconf,
it will be because of your weak password, or a security issue in
phpmyadmin, or something else.

Mike


Archive: http://lists.debian.org/20110303133534.GB12816@glandium.org
 
03-03-2011, 12:48 PM, Bastien ROUCARIES
Disable ZeroConf: how to ?

On Thu, Mar 3, 2011 at 2:35 PM, Mike Hommey <mh@glandium.org> wrote:
> [...]
>
> A Zeroconf announcement doesn't make it less secure, it makes it slightly more
> discoverable, but not significantly so.

I disagree on the second part: it allows faster discovery of attack
targets, and makes script kiddies less detectable...

> Conversely, believing that not announcing through zeroconf is more
> secure is probably good for your self confidence but doesn't change
> anything about actual security of your system.

It will ease the work of script kiddies.

> Script kiddies will actually scan a network, find web servers, and
> test a bunch of urls, in which the default phpmyadmin path most
> probably appears.
>
> And if your phpmyadmin is exploited, it won't be because of zeroconf,
> it will be because of your weak password, of a security issue in
> phpmyadmin, or something else.

For sure, but I really dislike helping script kiddies. We do not return
the full version of some software for this reason, and not announcing the
software available and the location of administrative stuff slows down
exploitation.

Bastien


Archive: http://lists.debian.org/AANLkTimAnzrPnEgioQECcJTDo4qsXsWPyWk-S1897aFR@mail.gmail.com