Re: Why all the open ports?

-> > 	  See
-> > http://mail.gnome.org/pipermail/gnome-list/2000-June/thread.html, and look
-> > for messages titled, "make gnome listen on localhost:*".  Not all of the
-> > relevant messages are in the same thread.
-> 
-> Can you summarize this to me?

	At my own peril, you mean...? :)

	Okay, this has been an outstanding issue for some time, so let's
put all the cards on the table and please resolve it.  (If necessary,
let's move this discussion to gnome-list or gnome-devel-list.)

	Gnome uses a CORBA Orb called "ORBit" to allow inter-process
communication between applications.  CORBA performs the role that DCOM
does in the MS-Windows world.

	CORBA (and hence, ORBit) uses TCP/IP as the underlying protocol.
That means that any Gnome desktop will have many open ports from ORBit
listening on those ports.


	This is bad for the following reasons:

(1) Every open port is *always* a potential security risk (security audits
notwithstanding).

(2) The application is such that the user is never really made aware that,
"hey, you're opening up the following ports on your computer...".  This is
different from a webserver (always on port 80), or FTP (always on ports
20/21), and other more traditional inetd/server-based services.

	The last relevant piece of information is that ORBit can be
configured to use Unix pipes instead of TCP/IP ports.  Using pipes greatly
reduces the risk because you must have an account on the localhost before
being able to talk to the pipe.
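	To make the "many open ports" point concrete from the sysadmin's
side, here is a small audit script. It is an added example written for
this page, not code from the mail, from ORBit or from Gnome. It reads
the kernel's /proc/net/tcp table (a constructed sample is embedded so it
runs offline), keeps only sockets in LISTEN state, and reports those
bound to a non-loopback address whose port is not on an allowlist the
admin supplies. The high-numbered ports owned by an unprivileged UID are
the kind of thing the mail complains about: present, reachable from the
network, and never announced to the user.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
# Row 0: port 80 as root; row 1: CUPS-style 631 on loopback only;
# rows 2-3: high ephemeral ports bound to 0.0.0.0 by UID 1000 (ORB-like);
# row 4: an ESTABLISHED connection, not a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 00000000:8FB3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1236 1 0000000000000000 100 0 0 10 0
   3: 00000000:9A1C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1237 1 0000000000000000 100 0 0 10 0
   4: 0100007F:A3F2 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 1238 1 0000000000000000 100 0 0 10 0
"""

LISTEN = "0A"  # socket state code used by /proc/net/tcp for listening sockets


def decode_endpoint(hexaddr):
    """Turn '0100007F:0277' into ('127.0.0.1', 631).

    /proc/net/tcp stores the IPv4 address as a little-endian 32-bit hex
    word and the port as big-endian hex.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(text):
    """Return every LISTEN-state socket as {'ip', 'port', 'uid'}."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip, port = decode_endpoint(fields[1])
        rows.append({"ip": ip, "port": port, "uid": int(fields[7])})
    return rows


def network_exposed(text, expected_ports=frozenset()):
    """Listeners reachable from the network that the admin did not expect.

    A socket bound to 127.0.0.0/8 is only reachable locally, so it is
    skipped; so is any port on the caller's allowlist.  Everything else
    is a port the user was never told about.
    """
    out = []
    for s in listening_sockets(text):
        if s["ip"].startswith("127.") or s["port"] in expected_ports:
            continue
        out.append(s)
    return sorted(out, key=lambda s: s["port"])


if __name__ == "__main__":
    # Run against the live table on a Linux host (falls back to the sample).
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for s in network_exposed(table, expected_ports={22, 80}):
        print(f"unexpected listener {s['ip']}:{s['port']} (uid {s['uid']})")
```

On the sample, with port 80 allowlisted, the script reports the two
ephemeral listeners owned by UID 1000 and stays quiet about the
loopback-only one; the same check run as a nightly cron job is the
cheapest way to notice when a desktop session has started exporting
something.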


	Everybody agrees about these being risks (although the
security-conscious among us have been more verbal about just how serious
this is).  The big debate is how to fix this problem.

	The immediate and most obvious solution is to have the default
Gnome configuration ship with ORBit using Unix pipes instead of TCP/IP
sockets.  In fact, Debian is already doing this.

	The objections to this are:

1) The CORBA spec specifically says TCP/IP, not Unix pipes, so if ORBit
defaults to Unix pipes it is no longer CORBA compliant.  (I do not agree
with this statement; I am only repeating it.)

2) The whole point of using ORBit is that desktops can talk across the
network (a la DCOM), not just on the same system (a la COM).  Not using
TCP/IP sockets eliminates this functionality.  The counter-argument to
this is that Gnome uses ORBit for desktop apps, not distributed
computing, so for 99.9% of the users pipes would be just fine.  (And
again, it IS a configurable option that can be altered at runtime!)
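	Since the argument turns on this being a configuration choice, here
is what "ship it defaulting to pipes" looks like as a config check.  This
is an added example for this page, not ORBit's own code.  It parses a
key=value orbitrc file (a constructed weak sample is embedded), says
whether the ORB will listen on TCP/IP, and emits the hardened file.  The
key names ORBIIOPIPv4 and ORBIIOPUSock are the ones I recall from ORBit's
runtime configuration; treat them, and the assumption that TCP/IP is on
when the key is absent, as assumptions to verify against the installed
ORBit version rather than as documented fact.

```python
# Constructed sample of an orbitrc that exports the ORB over TCP/IP,
# i.e. the default the mail objects to.  Key names are an assumption.
WEAK_ORBITRC = """\
# ORBit runtime configuration (constructed sample)
ORBIIOPIPv4=1       # listen on TCP/IP: every desktop app gets network ports
ORBIIOPUSock=0      # Unix-domain socket transport disabled
"""

TCP_KEY = "ORBIIOPIPv4"   # assumed key: IIOP over IPv4 TCP sockets
USOCK_KEY = "ORBIIOPUSock"  # assumed key: IIOP over Unix-domain sockets


def parse_orbitrc(text):
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def exports_to_network(settings):
    """True if the ORB will open TCP/IP listeners.

    Assumption: an absent ORBIIOPIPv4 behaves like ORBIIOPIPv4=1, which
    is the conservative reading for an audit (unknown means exposed).
    """
    return settings.get(TCP_KEY, "1") == "1"


def harden(text):
    """Return the same file with TCP/IP off and Unix sockets on.

    Other keys are preserved so a site-specific orbitrc is not clobbered.
    """
    settings = parse_orbitrc(text)
    settings[TCP_KEY] = "0"
    settings[USOCK_KEY] = "1"
    return "".join(f"{key}={value}\n" for key, value in settings.items())


if __name__ == "__main__":
    weak = parse_orbitrc(WEAK_ORBITRC)
    print("weak config exports to network:", exports_to_network(weak))
    print("hardened orbitrc:")
    print(harden(WEAK_ORBITRC), end="")
```

A packaging hook that runs harden() over /etc/orbitrc at install time
is the whole of the "no extra coding required" option; anyone who needs
the network transport flips the one key back.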

3) Elliot in particular has said that this is not the proper solution to
the problem, that it is a hack, and thus should not be done.  (More on
Elliot's proposed solution to follow...)


	The next proposed solution was to have it default to TCP/IP (as it
currently does on Redhat and derivatives), but to have a 

Foot -> Settings -> Gnome Control Center -> Security

	GUI setting that included a checkbox that said

[*]   Export CORBA objects to the network

	...which would toggle between the use of Unix pipes and TCP/IP
sockets.  (The exact location/text of the checkbox is arbitrary, the
point is that it is a GUI thing that is easy for new users to turn off
the export services)


	The objections to this solution are:

1) People won't know to go in there to turn it off
2) Elliot again: Using Unix pipes is not the solution to the security
problem.


	There was a little bit of debate as to whether or not this GUI
option should default to on or off, but the most stringent opponent to the
entire idea was Elliot, who firmly believes that Unix pipes are NOT the
solution to this security concern.

	Elliot believes that the proper solution to this problem is to
have a well-configured firewall.  My interpretation is that by "firewall"
he does not mean a single box protecting a network, but simply "firewall"
as in kernel-level packet filtering to prevent unauthorized connections to
ORBit from the outside.

	Speaking for Elliot, I think what he wants to see is under

Foot -> Settings -> Gnome Control Center -> Security

[*]   Export CORBA objects to the network

	...but have the checkbox set ipchains rules, NOT the use of Unix
pipes over TCP/IP sockets.  I think that on that same page he'd like to
see the following, all changing kernel-level packet filtering rules:

[*]   Allow telnet connections from the Internet
[ ]   Allow FTP connections
[*]   Allow applications to run other desktops (X display exporting)
[...etc., all examples for illustration only!]


	The objections to this were

1) Red Hat, Mandrake, and many other distros simply don't ship with sane
ipchains rules by default (this, btw, drives me absolutely nuts)

2) Many newbies coming from the Mac/Win9x world don't even know what a
firewall is, let alone how to configure one

3) Kernel-level packet filtering is O.S.-specific (i.e., no ipchains under
Solaris), and furthermore, whether or not Gnome is running (or even
installed) kernel-level packet filtering is the duty of O.S., not the
desktop GUI.

	That's where the discussion ended.  Every month or so some
sysadmin posts to the lists, "Why are all these connections open", and
either gets no response or is simply told to firewall them.

	The last issue is that Gnome is not (or will not be) the only
thing using ORBit, so there should be an option of having Gnome using
pipes and other apps using TCP/IP sockets.  Given the architecture, this
does not really make sense to me.

	That's my take on the discussion, I apologize if I have
misrepresented anyone (esp. Elliot :) or have left anything out.  

	My own two cents: It's painfully easy to default to pipes instead
of sockets, so let's do it.  No extra coding required, just ship it that
way.  If somebody needs to use ORBit for distributed computing, they'll
know how to turn it on.

	In the meantime, let's work on an abstraction layer between the
different Unixes' kernel-level packet filtering, so that in the long term
we can implement the solution The Right Way: Elliot's solution.

	Other avenues are talking to distro companies (Redhat and Mandrake
in particular!) and convincing them to ship with sane default firewall
rules and configuration utilities, or else have *them* default ORBit to
pipes.  The worst thing we could do is nothing.


Thanks,
Derek Simkowiak
dereks@kd-dev.com