Re: make gnome listen on localhost:*



On Wed, 14 Jun 2000, Paul Warren wrote:

> > So unplug it from the network - there are plenty of other more interesting
> > network services to choose from if you want to break in. 
> 
> They shouldn't be running on a purely desktop machine.  As Gnome becomes
> more widely used, its audience is becoming less technically minded.  
> People will want to use Linux (or other OS) + Gnome as a desktop machine -
> they don't want the security hassles associated with running lots of
> services and they should be disabled by default.

How mildly bizarre

I recently started exactly the same debate with Elliot in private. I've
only just noticed this public one going on. Sorry if I'm jumping in late.

I guess it's better had in public though, we can get more input. Note that
GNOME-1.2 is a definite security step forward. gnome-session, which used
to use libICE to TCP listen, has been desisted from doing so. Just
libORBit left now.


I concur fully that GNOME has no business listening on any inet sockets in
its default configuration. Even M$ are not that foolish. What isn't so
clear to me is whether it's a GNOME or libORBit issue. If libORBit offers
APIs for clients to choose UNIX listen, inet listen, or both, then GNOME
needs fixing to use a saner default.

As Elliot has pointed out we can't change the libORBit default, because
libORBit might be used by someone outside of a GNOME context.


On a general note, security needs to be approached with a functionality to
security risk tradeoff. In this instance, disabling GNOME's libORBit
listening inet sockets is blatantly the thing to do. You kill a moderate
risk and 99%+ of people won't notice any change in behaviour.

Cheers
Chris
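
An added example, not part of the original message and not GNOME or libORBit code: a check for the condition discussed above, TCP sockets listening on a non-loopback address, run over constructed rows in Linux /proc/net/tcp layout. It assumes IPv4 only and a little-endian host; the function names and sample rows are illustrative.

```python
import ipaddress
import struct

TCP_LISTEN = 0x0A  # socket state code for LISTEN in /proc/net/tcp

# Constructed sample rows (not captured from a real machine).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20001
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002
   2: 0500A8C0:0BB8 0A00A8C0:C350 01 00000000:00000000 00:00000000 00000000  1000        0 20003
"""


def parse_listeners(text):
    """Return (address, port, uid) for every IPv4 socket in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or int(fields[3], 16) != TCP_LISTEN:
            continue  # short row, or a socket that is not listening
        addr_hex, port_hex = fields[1].split(":")
        # The kernel prints the address as a host-order 32-bit hex word;
        # little-endian is assumed here.
        addr = ipaddress.IPv4Address(struct.pack("<I", int(addr_hex, 16)))
        listeners.append((str(addr), int(port_hex, 16), int(fields[7])))
    return listeners


def exposed_listeners(text):
    """Listeners reachable from other hosts: anything not bound to 127.0.0.0/8."""
    return [entry for entry in parse_listeners(text)
            if not ipaddress.IPv4Address(entry[0]).is_loopback]


if __name__ == "__main__":
    for addr, port, uid in exposed_listeners(SAMPLE):
        print(f"uid {uid} listens on {addr}:{port} (not loopback-only)")
```

On a Linux desktop, pass the contents of /proc/net/tcp instead of `SAMPLE`; a socket bound to 0.0.0.0 is reported because it accepts connections on every interface.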




