Re: hacking



On 23 Apr 2000, Miguel de Icaza wrote:

> 
> > Running port scanner software on my machine, I've noticed
> > ports opening / closing without prior knowledge of what they are and why
> > they're opening / closing by themselves. IAD1,2&3 or some of them.
> > Could someone please shed some light.
> 
> They are either:
> 
> 	Session Manager sockets.
> 	ORBit sockets.

It is easy to disable ORBit listening on network sockets, and I suspect
that this is true for the session manager too, although I forget
how.  Last time this came up on the list, I think it was generally agreed
that having these services listening by default was a Very Bad Thing from
a security point of view.

Without wishing to reproduce the discussion again, the point was that only
a small minority of people will be making use of the network transparency
offered by ORBit.  Those that wish to make use of it will be more likely
to have sufficient security clue to understand the implications of
enabling these services.  As Gnome becomes more and more accessible to less
computer/security savvy people such services become a liability, risking
the reputation of Gnome, and the O/Ss it runs on.

The reputation of Linux took a big hit (round here at any rate) a few
years back from RedHat's insistence on having imapd turned on in a default
installation, leading to Linux boxes being compromised via an imap daemon
that their admins didn't even know they were running.  As a result of this
and similar incidents, many colleges here impose heavy restrictions on the
connection of Linux boxes to the University network.

So, is there any good reason not to disallow remote ORBit connections by
default in the next release of Gnome?  Previous discussion of same issue:

http://www.geocrawler.com/mail/thread.php3?subject=GNOME+security&list=263

Apologies if this has already been done.

Paul
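The check behind the question above, as an added example that is not part of Paul's message or of the GNOME/ORBit code: read the kernel's /proc/net/tcp table, decode each socket's local endpoint, and report the sockets in LISTEN state that are bound to something other than loopback, since those are the ones other hosts can reach (and the ones a remote port scan would show). The sample table embedded below is constructed for illustration; its ports and uids do not identify any real ORBit or session-manager socket, and the script does not try to work out which program owns a socket.

```python
# Added example (not part of the original mailing-list post): list TCP
# listeners from /proc/net/tcp and flag those bound to a non-loopback
# address, i.e. reachable from the network rather than only from this host.
import os
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample table (not captured from a real machine).  Row 0 is a
# root-owned listener on all interfaces (port 22), row 1 a loopback-only
# listener on 8080, row 2 an unprivileged (uid 1000) listener on a high port
# bound to all interfaces, row 3 an ESTABLISHED connection, not a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:8F3A 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0A00020F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""


def decode_endpoint(hex_endpoint):
    """Turn 'AABBCCDD:PPPP' (hex IPv4 in host byte order + hex port) into
    ('a.b.c.d', port).  On little-endian hosts 0100007F is 127.0.0.1."""
    addr_hex, port_hex = hex_endpoint.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp content into a list of socket dicts."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "sl":
            continue  # skip blank lines and the header row
        local_addr, local_port = decode_endpoint(fields[1])
        remote_addr, remote_port = decode_endpoint(fields[2])
        sockets.append({
            "local_addr": local_addr,
            "local_port": local_port,
            "remote_addr": remote_addr,
            "remote_port": remote_port,
            "state": fields[3],
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return sockets


def is_loopback(addr):
    """127.0.0.0/8 is only reachable from the local host."""
    return addr.startswith("127.")


def find_exposed_listeners(text):
    """Return (addr, port, uid) for every LISTEN socket not bound to loopback.

    A socket bound to 0.0.0.0 or to an interface address accepts connections
    from other hosts; one bound to 127.x.x.x does not.
    """
    return [
        (s["local_addr"], s["local_port"], s["uid"])
        for s in parse_proc_net_tcp(text)
        if s["state"] == LISTEN and not is_loopback(s["local_addr"])
    ]


def main():
    # Use the live kernel table when present, otherwise the constructed sample.
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as f:
            text = f.read()
    else:
        text = SAMPLE_PROC_NET_TCP
    for addr, port, uid in find_exposed_listeners(text):
        print(f"network-reachable listener: {addr}:{port} (uid {uid})")


if __name__ == "__main__":
    main()
```

On the sample table the script reports 0.0.0.0:22 (uid 0) and 0.0.0.0:36666 (uid 1000) and stays silent about the loopback-only 8080 listener. To see which process owns a flagged socket, `ss -ltnp` or `netstat -ltnp` run as root maps the inode to a pid; a desktop service that only needs local clients should be bound to 127.0.0.1 (or a Unix-domain socket) so it never shows up in this list.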
