> A client system is not supposed to run any public network services,
> especially not in the default config. I have never in my life felt the need
> to do anything provided by either gnome-user-share or telepathy-salut (or
> anything that has to do with telepathy for that matter), and I doubt most
> users have either. None of them do anything good unless configured, too.
Note that until you configure gnome-user-share, only avahi is started;
gnome-user-share itself is not.
> When a user actually uses that "easy file sharing" or link-local instant
> messaging, avahi could be started, but there's no reason to do that before.
That might be possible using D-Bus activation. Feel free to get in touch
with the avahi developers if you want to implement it.
--
.'`.
: :' : “You would need to ask a lawyer if you don't know
`. `' that a handshake of course makes a valid contract.”
`- -- Jörg Schilling
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/1299161834.26821.92.camel@meh
> some packages announce their existence to the world without any admin
> decision
It should be a site policy.
> It is not a fud and a security hole!
I disagree.
--
Stig Sandbeck Mathisen <ssm@debian.org>
Archive: http://lists.debian.org/7xmxlcs288.fsf@fsck.linpro.no
03-03-2011, 01:38 PM
Simon McVittie
Disable ZeroConf: how to ?
On Thu, 03 Mar 2011 at 15:17:14 +0100, Josselin Mouette wrote:
> > I have never in my life felt the need
> > to do anything provided by either gnome-user-share or telepathy-salut
>
> Note that until you configure gnome-user-share, only avahi is started;
> gnome-user-share itself is not.
The same for telepathy-salut, FWIW. (If Empathy starts up without any IM
accounts, it'll offer to make you a link-local IM account using Salut, but you
can always say no.)
> > When a user actually uses that "easy file sharing" or link-local instant
> > messaging, avahi could be started, but there's no reason to do that before.
>
> That might be possible using D-Bus activation. Feel free to get in touch
> with the avahi developers if you want to implement it.
Avahi also needs to be running to consume services advertised with zeroconf,
so if you use anything that browses for advertised services, it'd be activated
then too (for instance "Network -> Local Network" in Nautilus).
For instance, if you browse for others' shared files
("Network -> Local Network" in Nautilus) or printers, you're not making any
services available yourself, but you still need avahi-daemon running.
avahi-daemon also makes foo.local resolvable by others on your local network
segment, where foo is your hostname; I for one sometimes install avahi-daemon
just to have that side-effect, without any actual services advertised, because
the actual service I'm interested in is ssh on a well-known port.
S
Archive: http://lists.debian.org/20110303143831.GA28471@reptile.pseudorandom.co.uk
03-03-2011, 01:39 PM
Klaus Ethgen
Disable ZeroConf: how to ?
On Thu, 3 Mar 2011 at 12:22, Lars Wirzenius wrote:
> > So you contradict yourself within two paragraphs. It makes it less
> > useful to enable it only on manual intervention (say, it should be
> > enabled automatic) but on the other hand you say that nobody is forcing
> > me (or others) to use it. How does that play together?
>
> I don't see a contradiction between "nobody is forced to use zeroconf"
> and "zeroconf is less useful if it has to be enabled manually".
That is your point of view. I see that as contradiction in some sense.
> (Yes, it would be nice if there were an easy way to disable it.)
True; or even not even installed.
> However, could we please end the FUDfest?
I do agree with you that we should not spread FUD. But I see just
little in this thread.
Is having another meaning than others equivalent to FUD?
> This thread seems to be quite unconstructive,
Don't think so. I gave a concrete tip to the OP.
> with unspecific claims of security problems,
Oh, there were some absolutely concrete claims in that discussion. (Not
only from my side.)
> unwarranted slurs on users based on their operating system,
I didn't see any insult in this particular thread.
> and accusations on Debian developer's attitudes.
Oh, sorry, I am once burnt. The disaster with changing openssh security
checks just for the convenience of a handful of users and where the
involved DDs are unconvinceable even by the openssh people themselves is
just tickling in my bones. And that was not the only claim I see and
was involved in the past.
> If there is an actual problem, explain what it is, and suggest a
> solution.
For zeroconf; make it optional as the OP suggested. For the openssh
disaster, listen to the openssh people they might have more knowledge
about security. ...
There are concrete solutions given. But if nobody wants to listen to
them...
> Be specific.
For my person, I think I am.
> Avoid hyperbole and vague generalities. Do not insult.
I do not see how I did. However, if someone starts to insult, I might
also react roughly. I'm sorry for that.
> Write few mails, but put effort into each one.
Not less than necessary.
> If others don't agree with you, possibly you are unclear and
> they are not stupid or evil: rephrase and expand and ask questions, and
> don't get frustrated.
Sorry, English is not my mother tongue. But I try my very best.
However, if the other party does not even listen to native English
speakers who have concrete arguments...
I might be wrong in some cases. But in the security part I do not see an
alternative to be a bit too paranoid. And if I am not the only one, that
shows me that I am not completely wrong.
Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B
Archive: http://lists.debian.org/20110303143925.GC20678@ikki.ethgen.ch
03-03-2011, 02:31 PM
Bastien ROUCARIES
Disable ZeroConf: how to ?
On Thu, Mar 3, 2011 at 3:33 PM, Stig Sandbeck Mathisen <ssm@debian.org> wrote:
> Bastien ROUCARIES <roucaries.bastien@gmail.com> writes:
>
>> some packages announce their existence to the world without any admin
>> decision
>
> It should be a site policy.
And set to no by default or at least well documented
>> It is not a fud and a security hole!
>
> I disagree.
Giving information on my system without admin consent is an
information leak, and thus tag security...
Bastien
Archive: http://lists.debian.org/AANLkTikXWCpRJgX3i33HsvMBJ+m9c5p8t6rYbQ-3wupe@mail.gmail.com
03-03-2011, 03:08 PM
Philipp Kern
Disable ZeroConf: how to ?
On 2011-03-03, Bastien ROUCARIES <roucaries.bastien@gmail.com> wrote:
> Giving information on my system without admin consent is an
> information leak, and thus tag security...
Information leaks are leaks of *sensitive* information. If I want to know if
you run phpmyadmin at its default location I just poll that URL and your
webserver will tell me. If you don't run it there but in another path you'll
likely not know where to change it in the Avahi broadcast data.
And next time we get bugs about Iceweasel leaking its version number in the
User-Agent header, which I consider more sensitive (cf. Panopticlick). But
then my mileage varies, as yours does, too.
We don't like security by obscurity, as you might know.
Kind regards
Philipp Kern
Archive: http://lists.debian.org/slrnimvf8a.ra8.trash@kelgar.0x539.de
03-03-2011, 03:20 PM
Tollef Fog Heen
Disable ZeroConf: how to ?
]] Bastien ROUCARIES
| main security problem is resolver,
| $host -v www.local
| www.local
| www.local.mydomain.com
So the security problem you see is that if you have a domain called
«local» the entries in it might be spoofed due to how the resolver
works?
To the extent this is a bug, it's a bug in the resolver that it does not
treat names with dots in them as absolute, but relative. I know this is
how it's been done in the past, but perhaps changing that to treating
names with as absolute would be a better solution.
Cheers,
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
Archive: http://lists.debian.org/871v2ojhuy.fsf@qurzaw.varnish-software.com
03-03-2011, 09:51 PM
Ben Hutchings
Disable ZeroConf: how to ?
On Thu, Mar 03, 2011 at 05:20:37PM +0100, Tollef Fog Heen wrote:
> ]] Bastien ROUCARIES
>
> | main security problem is resolver,
> | $host -v www.local
> | www.local
> | www.local.mydomain.com
>
> So the security problem you see is that if you have a domain called
> «local» the entries in it might be spoofed due to how the resolver
> works?
>
> To the extent this is a bug, it's a bug in the resolver that it does not
> treat names with dots in them as absolute, but relative. I know this is
> how it's been done in the past, but perhaps changing that to treating
> names with as absolute would be a better solution.
echo >>resolv.conf options ndots:15
Ben.
--
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
- Albert Camus
Archive: http://lists.debian.org/20110303225125.GH19810@decadent.org.uk
03-04-2011, 06:15 AM
Tollef Fog Heen
Disable ZeroConf: how to ?
]] Ben Hutchings
Hi,
| On Thu, Mar 03, 2011 at 05:20:37PM +0100, Tollef Fog Heen wrote:
|
| > To the extent this is a bug, it's a bug in the resolver that it does not
| > treat names with dots in them as absolute, but relative. I know this is
| > how it's been done in the past, but perhaps changing that to treating
| > names with as absolute would be a better solution.
|
| echo >>resolv.conf options ndots:15
Thanks for the suggestion, but this does not seem to do what I want, I think?
ndots:n
sets a threshold for the number of dots which must appear in a name
given to res_query(3) (see resolver(3)) before an initial absolute
query will be made. The default for n is 1, meaning that if there
are any dots in a name, the name will be tried first as an absolute
name before any search list elements are appended to it. The value
for this option is silently capped to 15.
I'd like it to not append the search list if there are dots at all.
so doing «getent hosts foo.bar» will only generate a query for
«foo.bar.», not for «foo.bar.$searchpath.»
Regards,
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
Archive: http://lists.debian.org/87hbbje4pj.fsf@qurzaw.varnish-software.com
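The search-list behaviour discussed in the message above and the two before it, as an added example that is not part of the original thread: a simplified Python model of the order in which the stub resolver tries names, assuming every earlier lookup fails with NXDOMAIN. The search domain `mydomain.com` is taken from the quoted `host -v` output; the nameserver address and the function names (including `candidates_wanted`, which models the behaviour asked for) are made up for the illustration.

```python
# Simplified model of the stub resolver's search-list handling (added example).
# Assumption: every earlier candidate fails with NXDOMAIN, so the resolver keeps going.
SAMPLE_RESOLV_CONF = """\
# constructed sample, using the search domain quoted in the thread
search mydomain.com
nameserver 192.0.2.53
"""

def parse_resolv_conf(text):
    """Return (search_list, ndots) from resolv.conf text; ndots defaults to 1."""
    search, ndots = [], 1
    for line in text.splitlines():
        fields = line.split()
        if not fields or line[0] in "#;":
            continue                      # blank line or comment
        if fields[0] in ("search", "domain"):
            search = fields[1:]           # the last search/domain line wins
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = min(int(opt[6:]), 15)   # silently capped to 15
    return search, ndots

def candidates(name, search, ndots):
    """Names queried, in order, for `name` under the documented rules."""
    if name.endswith("."):
        return [name]                     # explicitly absolute: no search list
    absolute = name + "."
    searched = [f"{name}.{d.rstrip('.')}." for d in search]
    if name.count(".") >= ndots:
        return [absolute] + searched      # absolute first, search list after
    return searched + [absolute]          # search list first, absolute last

def candidates_wanted(name, search):
    """Behaviour asked for in the thread: any dot means 'absolute only'."""
    if "." in name:
        return [name.rstrip(".") + "."]
    return candidates(name, search, 1)    # assumption: dotless names unchanged

def demo():
    search, ndots = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    _, tuned = parse_resolv_conf(SAMPLE_RESOLV_CONF + "options ndots:15\n")
    return {"default": candidates("www.local", search, ndots),
            "ndots15": candidates("www.local", search, tuned),
            "wanted": candidates_wanted("www.local", search)}

if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:8} {names}")
```

In this model `ndots:15` only reorders the candidates so that the search-list name is tried before the absolute one; neither setting removes the `www.local.mydomain.com.` query.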
03-04-2011, 06:56 AM
Sujit Karatparambil
Disable ZeroConf: how to ?
> so doing «getent hosts foo.bar» will only generate a query for
> «foo.bar.», not for «foo.bar.$searchpath.»
Could you be more specific with what you are looking for?
Archive: http://lists.debian.org/AANLkTiks+GNibGo0ha=dzk7n17cnUYSH6SyVkUeg75Me@mail.gmail.com