On Vi, 04 mar 11, 19:29:36, Bastien ROUCARIES wrote:
> >
> > Since avahi isn't a dependency of anything you'd want to install on a
> > server -- I personally have never installed gnome on a server, for
> > instance -- it usually isn't.
> >
> > [...]
>
> Except in a workstation place.
>
> In a uni we use your workstation during the days for teaching and the
> night for grid computing. And we care both about security and about
> using gnome.
If you have trouble un-installing avahi-daemon from those systems feel
free to contact debian-user for support
Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
03-04-2011, 06:10 PM
Adam Borowski
Disable ZeroConf: how to ?
On Fri, Mar 04, 2011 at 08:56:46PM +0200, Andrei Popescu wrote:
> On Vi, 04 mar 11, 19:29:36, Bastien ROUCARIES wrote:
> > Except in a workstation place.
> >
> > In a uni we use your workstation during the days for teaching and the
> > night for grid computing. And we care both about security and about
> > using gnome.
>
> If you have trouble un-installing avahi-daemon from those systems feel
> free to contact debian-user for support
You'll then have to install every bit of gnome by hand, since the
meta-packages depend on avahi.
--
1KB // Microsoft corollary to Hanlon's razor:
// Never attribute to stupidity what can be
// adequately explained by malice.
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20110304191001.GA30356@angband.pl
03-04-2011, 06:19 PM
Andrei Popescu
Disable ZeroConf: how to ?
On Vi, 04 mar 11, 20:10:01, Adam Borowski wrote:
>
> You'll then have to install every bit of gnome by hand, since the
> meta-packages depend on avahi.
Maybe they can just recommend avahi-daemon and gnome-user-share
Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
03-04-2011, 06:48 PM
Adam Borowski
Disable ZeroConf: how to ?
On Fri, Mar 04, 2011 at 04:09:44PM +0100, Olaf van der Spek wrote:
> On Fri, Mar 4, 2011 at 3:59 PM, Klaus Ethgen <Klaus@ethgen.de> wrote:
> > In ancient times debian was packaged the way that the administrator only
> > installed the daemons that he needed. Today many daemons get installed
> > by dependencies and get started without any need.
> > If you want to change debian to be ubuntu it would be the time to look
> > for another distribution that can be used on servers. (unfortunately I
> > do not know an alternative.)
>
> Actually "Ubuntu ships with no open ports on public interfaces" (by default).
I admit I didn't notice this before, as I would never expect a _client_
system to have some crap listening by default. And it is world-reachable
-- am I supposed to ensure the top s1kr3t address
2001:6a0:118:0:22cf:30ff:fec3:d4b7 never leaks out? (oops...)
And why does it open this security hole? To make it slightly easier to
configure link-local instant messages. Who exactly is going to need that
these days? The times of local networks disconnected from the world are
mostly over. You have some non-networked machines here and there, but if
there's a network of some kind, it almost always is globally connected.
These few places that do have airwalled networks definitely don't want to
run link-local chat...
So, any gain is infinitesimally small, and the risk is real. Even daemons
coded by most security-minded people that have seen a lot of review do have
exploitable holes once in a while, so I expect Avahi to fare no better.
Like, for example, #614785.
--
1KB // Microsoft corollary to Hanlon's razor:
// Never attribute to stupidity what can be
// adequately explained by malice.
Archive: http://lists.debian.org/20110304194807.GB30356@angband.pl
03-04-2011, 06:56 PM
Bastien ROUCARIES
Disable ZeroConf: how to ?
On Friday 4 March 2011 13:23:32, Ben Hutchings wrote:
> On Fri, 2011-03-04 at 08:15 +0100, Tollef Fog Heen wrote:
> > ]] Ben Hutchings
> >
> > Hi,
> >
> > | On Thu, Mar 03, 2011 at 05:20:37PM +0100, Tollef Fog Heen wrote:
> > | > To the extent this is a bug, it's a bug in the resolver that it does
> > | > not treat names with dots in them as absolute, but relative. I know
> > | > this is how it's been done in the past, but perhaps changing that to
> > | > treating names with as absolute would be a better solution.
> > |
> > | echo >>resolv.conf options ndots:15
> >
> > Thanks for the suggestion, but this does not seem to do what I want, I
> > think?
> >
> > ndots:n
> >
> > sets a threshold for the number of dots which must appear in a name
> > given to res_query(3) (see resolver(3)) before an initial absolute
> > query will be made. The default for n is 1, meaning that if there
> > are any dots in a name, the name will be tried first as an absolute
> > name before any search list elements are appended to it. The value
> > for this option is silently capped to 15.
> >
> > I'd like it to not append the search list if there are dots at all.
>
> You could stop being lazy and type the dot on the end too. ;-)
>
> > so doing «getent hosts foo.bar» will only generate a query for
> > «foo.bar.», not for «foo.bar.$searchpath.»
>
> I misparsed your question because I assumed you were addressing the
>
> issue that Bastien pointed out in the message you replied to:
> > main security problem is resolver,
> > $host -v www.local
> > www.local
> > www.local.mydomain.com
>
> And I believe that the 'ndots' option does address that issue - to an
> extent. You still need DNSSEC or application-layer security to verify
> the answer, regardless of the presence of mDNS.
Not completely, it is a global default. I would prefer that mDNS names were
always resolved as absolute names, but want to use the default for DNS.
BTW ndots seems broken, at least in my installation, and https://bugs.launchpad.net/ubuntu/+source/linux/+bug/401202
Bastien
Archive: http://lists.debian.org/201103042056.31423.roucaries.bastien@gmail.com
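The ndots behaviour quoted above, and the two-line `host -v www.local` output Bastien refers to, can be traced with a small model of the stub resolver's search-list expansion. This is an added shell example written for this page, not glibc, BIND or Debian code; the search domain mydomain.com is taken from the quoted `host` output, and the function name is an assumption.

```shell
#!/bin/sh
# Added illustration for this thread (not glibc or BIND code): a model of the
# search-list expansion that resolv.conf(5) describes for the ndots option.
# resolver_candidates NAME NDOTS [SEARCH_DOMAIN...] prints, one per line and in
# order, the absolute names a stub resolver would try for NAME.
resolver_candidates() {
    name=$1
    ndots=$2
    shift 2                      # remaining arguments are the search list

    case $name in
        *.) printf '%s\n' "$name"; return 0 ;;   # trailing dot: absolute, never searched
    esac

    # Count the dots in the name.
    stripped=$(printf '%s' "$name" | tr -d '.')
    dots=$(( ${#name} - ${#stripped} ))

    if [ "$dots" -ge "$ndots" ]; then
        # At or above the threshold: absolute name first, then each search domain.
        printf '%s.\n' "$name"
        for domain in "$@"; do printf '%s.%s.\n' "$name" "$domain"; done
    else
        # Below the threshold: search domains first, the bare name last.
        for domain in "$@"; do printf '%s.%s.\n' "$name" "$domain"; done
        printf '%s.\n' "$name"
    fi
}

# Demo: the case quoted in the thread (www.local with the default ndots:1 and a
# search list of mydomain.com), then the same name with ndots:15.
for n in 1 15; do
    echo "ndots:$n"
    resolver_candidates www.local "$n" mydomain.com
done
```

With ndots:1 the absolute query goes out first and the search-list query second, which is the order of the two lines in the quoted `host -v www.local` output; with ndots:15 the order is reversed, so the name is still tried with the search domain appended. The threshold is global, and the function has no way to treat `.local` differently from any other name, which is the limitation Bastien points at.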
03-04-2011, 07:35 PM
Scott Kitterman
Disable ZeroConf: how to ?
On Friday, March 04, 2011 02:48:07 pm Adam Borowski wrote:
> On Fri, Mar 04, 2011 at 04:09:44PM +0100, Olaf van der Spek wrote:
> > On Fri, Mar 4, 2011 at 3:59 PM, Klaus Ethgen <Klaus@ethgen.de> wrote:
> > > In ancient times debian was packaged the way that the administrator
> > > only installed the daemons that he needed. Today many daemons get
> > > installed by dependencies and get started without any need.
> > >
> > > If you want to change debian to be ubuntu it would be the time to look
> > > for another distribution that can be used on servers. (unfortunately I
> > > do not know an alternative.)
> >
> > Actually "Ubuntu ships with no open ports on public interfaces" (by
> > default).
>
> [~]# netstat -ap|grep avahi
> udp 0 0 *:mdns *:* 1622/avahi-daemon:
> udp 0 0 *:45282 *:* 1622/avahi-daemon:
> udp6 0 0 [::]:mdns [::]:* 1622/avahi-daemon:
> udp6 0 0 [::]:58036 [::]:* 1622/avahi-daemon:
>
> I admit I didn't notice this before, as I would never expect a _client_
> system to have some crap listening by default. And it is world-reachable
> -- am I supposed to ensure the top s1kr3t address
> 2001:6a0:118:0:22cf:30ff:fec3:d4b7 never leaks out? (oops...)
>
>
> And why does it open this security hole? To make it slightly easier to
> configure link-local instant messages. Who exactly is going to need that
> these days? The times of local networks disconnected from the world are
> mostly over. You have some non-networked machines here and there, but if
> there's a network of some kind, it almost always is globally connected.
> These few places that do have airwalled networks definitely don't want to
> run link-local chat...
>
> So, any gain is infinitesimally small, and the risk is real. Even daemons
> coded by most security-minded people that have seen a lot of review do have
> exploitable holes once in a while, so I expect Avahi to fare no better.
>
> Like, for example, #614785.
This is actually a documented [1] exception to the general policy of no open
ports (not one I agree with BTW). The rationale is provided at [2].
What I did was change /etc/avahi/avahi-daemon.conf so it says:
use-ipv4=no
use-ipv6=no
I'm pretty sure that makes it safe (and was easier than dealing with the
dependency issues associated with trying to remove it). netstat -ap|grep
avahi returns nothing on such a system.
Scott K
Archive: http://lists.debian.org/201103041535.28090.debian@kitterman.com
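Scott's two settings applied by script, as an added shell example written for this page (not avahi's or Debian's tooling): it rewrites the [server] section of a copy of avahi-daemon.conf and gives an ss-based equivalent of his `netstat -ap | grep avahi` check. The function names and the sample config are assumptions made for the demo; point the functions at /etc/avahi/avahi-daemon.conf only as root.

```shell
#!/bin/sh
# Added example for this thread (not part of avahi or Debian): apply the two
# settings Scott describes to an avahi-daemon.conf and check whether the daemon
# still holds any UDP socket afterwards. The config path is a parameter so the
# functions can be exercised on a copy before touching /etc/avahi/avahi-daemon.conf.

# set_server_option FILE KEY VALUE
# Sets KEY=VALUE in the [server] section of an avahi-daemon.conf-style INI file.
# An existing assignment for KEY in that section, including a commented-out
# "#KEY=..." default, is replaced in place; if the key is absent it is appended
# to the section, and the section is created if the file has none.
set_server_option() {
    file=$1
    key=$2
    value=$3
    awk -v key="$key" -v value="$value" '
        /^\[/ {
            # Leaving [server] without having written the key: emit it now.
            if (insrv && !done) { print key "=" value; done = 1 }
            insrv = ($0 == "[server]")
        }
        insrv && ($0 ~ ("^#?" key "=")) {
            if (!done) { print key "=" value; done = 1 }
            next                      # drop the old (or commented) assignment
        }
        { print }
        END {
            if (!done) {
                if (!insrv) print "[server]"
                print key "=" value
            }
        }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# disable_avahi_sockets FILE
# The change from the message above: no IPv4 and no IPv6, so the daemon has
# nothing to bind (Scott reports netstat then shows no avahi sockets) while the
# package stays installed and the GNOME dependencies stay satisfied.
disable_avahi_sockets() {
    set_server_option "$1" use-ipv4 no
    set_server_option "$1" use-ipv6 no
}

# avahi_sockets
# Lists UDP sockets owned by avahi-daemon, the ss equivalent of the
# "netstat -ap | grep avahi" check in the message. Needs root for -p.
avahi_sockets() {
    ss -lunp 2>/dev/null | grep avahi-daemon
}

# Demo on a constructed copy of a Debian-style avahi-daemon.conf (sample content
# written here for the example, not the package's shipped file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[server]
#host-name=foo
#domain-name=local
#use-ipv4=yes
use-ipv6=yes

[wide-area]
enable-wide-area=yes
EOF
disable_avahi_sockets "$sample"
cat "$sample"
rm -f "$sample"
```

After changing the real file, restart the daemon (`invoke-rc.d avahi-daemon restart` on Debian of that era) and run avahi_sockets: an empty listing is the state Scott describes. Since /etc/avahi/avahi-daemon.conf is a dpkg conffile, a later package upgrade that ships a changed version will ask before overwriting the edit rather than reverting it silently.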
03-04-2011, 11:09 PM
Steve Langasek
Disable ZeroConf: how to ?
On Fri, Mar 04, 2011 at 08:48:07PM +0100, Adam Borowski wrote:
> And why does it open this security hole? To make it slightly easier to
> configure link-local instant messages. Who exactly is going to need that
> these days? The times of local networks disconnected from the world are
> mostly over. You have some non-networked machines here and there, but if
> there's a network of some kind, it almost always is globally connected.
> These few places that do have airwalled networks definitely don't want to
> run link-local chat...
"If there's a network of some kind". What about ad-hoc connections between
two or more laptops / tablets / mobile devices? The hardware supports this
mode of operation just fine; shouldn't our software as well? I shouldn't
need to carry an AP with me, or send all my traffic to a telco, or use a
sneakernet, to share files with you when we're in the same room.
All of these devices need to be proofed against hostile networks /in
general/; advertising services on such a network is a pretty small risk in
comparison to the risk of connecting to an untrusted network in the first
place.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org
03-05-2011, 10:26 AM
Sujit Karatparambil
Disable ZeroConf: how to ?
All in all, I do not agree with the bubble talk we are getting here. I
do not think people who are just talking with sheer imagination and
computer illiteracy should come here.
This is a high volume site. People over here do some real work. It cannot be used
to malice a set of people.
> I admit I didn't notice this before, as I would never expect a _client_
> system to have some crap listening by default. And it is world-reachable
> -- am I supposed to ensure the top s1kr3t address
> 2001:6a0:118:0:22cf:30ff:fec3:d4b7 never leaks out? (oops...)
Where is the client in this? I do not get what you mean by a client.
Could you tell
me in Avahi what is a client.
> And why does it open this security hole? To make it slightly easier to
What security hole?
> configure link-local instant messages. Who exactly is going to need that
> these days? The times of local networks disconnected from the world are
Do not get what you mean.
> mostly over. You have some non-networked machines here and there, but if
> there's a network of some kind, it almost always is globally connected.
> These few places that do have airwalled networks definitely don't want to
> run link-local chat...
What do you mean by an airwalled network? Could you give some specific example?
> So, any gain is infinitesimally small, and the risk is real. Even daemons
> coded by most security-minded people that have seen a lot of review do have
> exploitable holes once in a while, so I expect Avahi to fare no better.
Could you get specific with the security holes to be looked for?
Archive: http://lists.debian.org/AANLkTi=UWr9XyxC5azHTezsLMgH+3-e7KkdAnKSZPWWO@mail.gmail.com
03-05-2011, 02:51 PM
Osamu Aoki
Disable ZeroConf: how to ?
Hi,
On Fri, Mar 04, 2011 at 08:10:01PM +0100, Adam Borowski wrote:
> On Fri, Mar 04, 2011 at 08:56:46PM +0200, Andrei Popescu wrote:
> > On Vi, 04 mar 11, 19:29:36, Bastien ROUCARIES wrote:
> > > Except in a workstation place.
...
> > If you have trouble un-installing avahi-daemon from those systems feel
> > free to contact debian-user for support
>
> You'll then have to install every bit of gnome by hand, since the
> meta-packages depend on avahi.
By *hand* is not really a trouble if you have a handy *hand* like aptitude
(a few keystrokes). If you think of doing this only via apt-get, it is a
trouble you may not wish to deal with. This is really a user
configuration issue for a user with a special itch for detail. Use the
right tool.
Osamu
Archive: http://lists.debian.org/20110305155121.GA7686@debian.org
03-05-2011, 07:49 PM
Maximiliano Curia
Disable ZeroConf: how to ?
Bastien ROUCARIES <roucaries.bastien@gmail.com> wrote:
> Can avahi be disabled (using kernel-level firewalling is not, from my
> point of view, a solution)?
# update-rc.d avahi-daemon disable
Does the job for me..
Anyway, I'll need a puppet (or similar) rule to maintain this for my users, on
upgrades, etc.
--
Saludos,
Maxy
Archive: http://lists.debian.org/a8ka48-as3.ln1@freak.gnuservers.com.ar