Re: make gnome listen on localhost:*

[Paul Warren <pdw ferret lmh ox ac uk>]

On Wed, 14 Jun 2000, Elliot Lee wrote:

> On Wed, 14 Jun 2000, Chris Evans wrote:
> 
> > On a general note, security needs to be approached with a
> > functionality to security risk tradeoff. In this instance, disabling
> > GNOME's libORBit listening inet sockets is blatantly the thing to do.
> > You kill a moderate risk and 99%+ of people won't notice any change in
> > behaviour.
> 
> What percent is enough? Or do you just hate ORBit? ;-)

It's not a question on hating ORBit - it's simply a question of minimising
the risks.

> For example, we could disable X server network access as well, requiring a
> config file change to use it, and probably 99% of desktop users wouldn't
> notice. But since you and I both likely happen to be in the set of people
> who do use this feature, we would both protest against doing this.

I do use this feature, and I would argue strongly that it *should* be
disabled by default.  People can't use this feature without obtaining clue
before proceeding - you need to set an environment variable (OK, ssh can
do this for you).  Such people won't have a problem with flicking a switch
to turn it on.

> The reason I hate the suggested type of solution is because it is a hack
> that only works for a very special set of apps, 

You mean apps run locally?  That's not a particularly special set for you
average one-box desktop user.

> and will ultimately cause conflicts with valid uses.
> 
> A proper firewall setup will catch everything, 

Where do you propose putting this firewall?  On the box running Gnome
(this is where Joe Average with his one box will have to put it)?  If so,
then what's the point of having the port open in the first place?

If you have a trusted, firewalled LAN that you want to use the network
functionality on, then your clued up network admin will have no trouble in
enabling the network functionality.

> Users may not know a
> lot about the details of firewalling, but anyone who thinks they will have
> problems answering questions such as "Do you plan on running any network
> servers?" in their Linux install.
> 
> This problem goes beyond ORBit - it is going to come up more and more as
> the network becomes central to computing. I'm not anxious to put in stupid
> temporary hacks so people can feel good about avoiding a proper solution.

Quite - so we won't be putting in firewalls just because Gnome is not
secure by default, right?  

Firewalls are not a "proper solution".  Firewalls should be an additional
layer of security, not the only layer.  BTW, if you are suggesting that we
should all be running firewalls that prohibit listening on high numbered
ports, then you're going to break passive mode FTP, and possibly other
stuff, and the average desktop user will fix this by... turning off the
firewall.

The only reason I run a firewall on my machine is because I can't be
bothered to go chasing down what ports are listening when I haven't asked
them to: Gnome/ORBit, X, xfs.

> Is anyone interesting in coming up with "the proper solution" that sets 
> a safe default config and makes it easy to make changes? I might be
> interested in helping with such a thing.

You mean an option for the control-center to turn on the network
functionality for ORBit, right?

Paul