Re: make gnome listen on localhost:*



On Wed, 14 Jun 2000, Elliot Lee wrote:
> On Wed, 14 Jun 2000, Paul Warren wrote:

> > As Gnome becomes more popular on desktops with permanent network
> > connections, you can be sure that this will become a popular breakin
> > route.
> 
> So unplug it from the network - there are plenty of other more interesting
> network services to choose from if you want to break in. 

They shouldn't be running on a purely desktop machine.  As Gnome becomes
more widely used, its audience is becoming less technically minded.  
People will want to use Linux (or other OS) + Gnome as a desktop machine -
they don't want the security hassles associated with running lots of
services and they should be disabled by default.

> Or install a firewall, or set up TCP Wrappers properly.

The less technically minded will not know how to do this, or understand
why they need to.

> > I suspect that very few people will be using these network capabilities
> 
> I thought you just said Gnome was going to be popular on computers with
> permanent network connections? Do people just plug their computers in for
> the blinking lights?

Of course not, but the desktop role is primarily a *client* role.  I use
my desktop to connect to servers - web, FTP, ssh, cvs etc.  I do not want
to be serving up anything which I have not deliberately and explicitly
turned on.

> A fair amount of people use ORBit outside of Gnome, and when you add those
> networked uses to the people who do use it with Gnome, you still want to
> tell me that we should disable it, so that you can feel good about not
> properly securing your system...

An enormous number of machines run the security nightmare that is bind.
That doesn't mean it should be turned on by default on every Linux
installation.  It (and any other services) should be turned on only by
people who understand what they are doing, and undertake to keep it up to
date and secure.  Linux has gained some very bad publicity in my
university because machines have been exploited by services the owners
didn't even know they were running - witness the great imapd problem of a
couple of years ago.  This has led to some colleges banning Linux
machines from being connected to the network.

I am not talking about securing my computer - I have invested some time in
setting up some tight firewall rules.  I am talking about the increased
acceptance of Gnome by non-technically minded people which I see all the
time around college.

Imagine Gnome in use by a significant proportion of home user, office and
student desktops, on full time network connections.  Someone finds a hole
in ORBit.  Updates appear in all the right places:

Scenario 1:  ORBit is listening by default.  A few clued up people install
the upgrades, but probably didn't need to anyway because they had a tight
firewall.  The vast majority don't even realise that they have ORBit
installed, let alone know what it does, and don't listen in the right
places for security updates.  They don't upgrade, and soon become part of
massive DDoS attacks.  Linux/Gnome gains the same kind of bad PR that
Microsoft has been enjoying lately for a lax security attitude.

Scenario 2:  ORBit is not listening by default.  Clued up people who know
that they want the ORBit network functionality have enabled it.  They hear
about the problem and upgrade.  The un-clued live on in blissful
ignorance.

> Nobody here has demonstrated a clue about why those sockets are listening,

So are you going to tell us?  I have some idea, but I would be keen to
learn under what circumstances an ordinary desktop user would want this.

> what the security implications are, 

The implication is that we have yet more sockets listening to the outside
world, therefore we have more code that could potentially have holes in
it.  A major rule in security is to minimise the amount of code that needs
to be secure.

> and what steps have been taken to make sure there are no security
> problems

Last time this thread came up
http://www.geocrawler.com/mail/thread.php3?subject=Gnome+security&list=263
there was an indication that some effort was underway to audit ORBit.  
This is a good thing, but even if the code has been audited thoroughly
that does not mean that it should be listening by default.  The OpenSSH
code went through the rigorous OpenBSD security procedures, but a fairly
significant hole has just been found in that (albeit not in its default
configuration).

Paul
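
An added example, not part of the original message: one way to check which TCP sockets a desktop has listening beyond loopback, by parsing the Linux /proc/net/tcp table. The sample table is constructed, a little-endian host is assumed, the function names are hypothetical, and IPv6 (/proc/net/tcp6) is not covered.

```python
import ipaddress
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111
   1: 00000000:8235 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222
   2: 0A0200C0:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333
   3: 0A0200C0:C350 010200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 44444
"""

LISTEN = "0A"  # state code the kernel prints for a listening TCP socket


def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (IPv4Address, port).

    Assumption: little-endian host, so the address word is byte-swapped
    relative to network order. The port is printed as a plain hex number.
    """
    hex_ip, hex_port = field.split(":")
    ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listening_sockets(table):
    """Return (ip, port, uid, scope) for every socket in LISTEN state."""
    found = []
    for line in table.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != LISTEN:   # ignore short or non-listening rows
            continue
        ip, port = decode_addr(cols[1])
        if ip.is_loopback:
            scope = "loopback"                   # reachable from this machine only
        elif ip.is_unspecified:
            scope = "all-interfaces"             # 0.0.0.0: reachable from the network
        else:
            scope = "single-interface"
        found.append((str(ip), port, int(cols[7]), scope))
    return found


def exposed(table):
    """Listening sockets that are not confined to loopback."""
    return [s for s in listening_sockets(table) if s[3] != "loopback"]


if __name__ == "__main__":
    for ip, port, uid, scope in exposed(SAMPLE_PROC_NET_TCP):
        print(f"{ip}:{port} uid={uid} {scope}")
```

On a live Linux host, pass the contents of /proc/net/tcp in place of the constructed sample.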




