reassign 572712 netbase
On Mon, May 31, 2010 at 06:29:15PM +0200, Christoph Anton Mitterer wrote:
> Hi Moritz, et al.
> On Sun, 2010-05-30 at 19:29 +0200, Moritz Muehlenhoff wrote:
> > If you want to modify kernel defaults you'll need to discuss the
> > specific options with upstream, we won't differ in the Debian kernel
> > configuration.
> I don't want to change the kernel defaults...
> For the Debian kernels it would be a very bad idea, as I think that
> software in a distro should nearly always follow the upstream default
> (config) values.
> There are already several packages in Debian where default config values
> where changed. I do not talk about the default config files, but really
> the hardcoded values in the binaries.
> This is really a bad idea, as everybody should be able to expect a more
> or less consistent behaviour of programs on all distros.
> For upstream such changes will probably not going to happen, even if I
> request it.
> But that neither means that the defaults I propose are wrong, nor that
> Debian shouldn't change them in their sysctl defaults.
> We already change many packages (better said their standard
> configuration files) just to make them more secure (and in some examples
> unfortunately also to make them less secure).
> > For now I'd suggest to address Christoph's proposed changes through
> > the harden package. It appears to be designed for exactly this
> > purpose. Christoph, what do you think?
> I think the harden package is the wrong place, at least for the net.*
> sysctl I've proposed.
> I guess there are two main reasons:
> 1) Everybody expects harden packages to be something which is either
> quite complicated to set up or which will probably break many things.
> - Take special patches like PaX/grsecurity or rsbac... they'd probably
> be accounted to "hardening"... both may break things (and RSBAC is quite
> difficult to set up).
> - Another example is something like AIDE... of course the plain install
> is done quickly, but to have it really make sense one most run it from a
> offline/secured host... because if the system is compromised the
> attacker will be also able to hack AIDE or its hash sums.
> These changes here are not complicated to set up, and for the vast
> majority of people, the won't break anything.
> 2) Harden-packages are usually not installed by most people, for the
> above reasons. So most people wouldn't benefit those more secure
> Now why do I think that "every" system should get those more secure
> sysctl settings per default.
> I guess most of them won't harm anyway and just give benefit.
> => just logging
> => well I guess only really hacked setups/systems/networks should ever
> make it necessary to allow such packets per default.
> And people with such setups/systems/networks have them either set up
> wrongly (but just never noticed) and should fix it... or they _really_
> are experts and _really_ need it that way... then they probably know
> about rp_filter, and are able to turn it of.
> => In their current implementation (see the lwn.net article) it seems to
> me that they mean no _real_ problem. All problems that syncookies
> bring,... don't count here, as they're not activated by the kernel until
> your network ist "fucked up" anyway
> net.ipv4.ip_forward, net.ipv6.conf.all.forwarding, send_redirects,
> => Well one could discuss those... but I really think, that the vast
> majority of Debian systems are not used as rooters. And those systems
> that are,.. don't work as a router out of the box. So sysadmins need to
> know "how to set up routing" anyway,... and then they sould also know
> about these sysctl values.
> net.ipv4.conf.all.accept_redirects, net.ipv6.conf.all.accept_redirects
> => Also,.. I guess just really some weird setups need things like ICMP
> Of course there might be more settings we could/should tighten up
Sorry for the late reply.
If you want to change the standard Debian sysctl settings, this should
probably be changed by netbase providing a /etc/sysctl.d snippet.
The kernel package is not the right place. Reassigning to netbase.
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org