Feature Request "secure by default"

Alexander Boström abo at kth.se
Sun Jun 10 15:12:42 UTC 2007


Sun 2007-06-10 at 20:15 +0530, Rahul Sundaram wrote:

> I can't see how it is relevant. It isn't a daemon and it doesn't connect 
> to the network. If you did disable it and it was turned on, that is indeed a 
> bug, but not one that really affects security.

Hmm... It's still extra code paths that might have exploitable bugs,
though some or all of those bugs might only be exploitable on the local
network unless the computer has a routable v6 address.

I'm all for v6 though! The improved support in F7 is great!

> The services you quote don't connect to network by default. For example, 
> sendmail is by default configured to connect only to the localhost. It 
> is enabled only to deliver log files to the root user and you have to 
> explicitly configure it to connect to the network.

True about sendmail, though, from lsof on a rather minimal F7 install:

rpcbind 1487  rpc    6u  IPv6   4892       UDP *:sunrpc 
rpcbind 1487  rpc    8u  IPv6   4897       TCP *:sunrpc (LISTEN)
rpc.statd 1512 root    7u  IPv4   4981       TCP *:846 (LISTEN)

Seems like it's accepting unsolicited data from the network. I always
disable those services when I do new installs.

> The default firewall configuration does block it too.

True, though, like I said before, think multi-layer security.

/abo
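
An added example, not part of the original message: a small audit that reads `lsof`-style socket lines and reports processes accepting unsolicited traffic on non-loopback addresses. The first three sample lines are the output quoted above; the sendmail line is constructed for contrast, and the function name `exposed_listeners` is hypothetical.

```python
import re

# First three lines are the lsof output quoted in the message; the sendmail
# line is constructed here to show a loopback-only listener for contrast.
SAMPLE = """\
rpcbind 1487  rpc    6u  IPv6   4892       UDP *:sunrpc
rpcbind 1487  rpc    8u  IPv6   4897       TCP *:sunrpc (LISTEN)
rpc.statd 1512 root    7u  IPv4   4981       TCP *:846 (LISTEN)
sendmail 1600 root    4u  IPv4   5100       TCP localhost.localdomain:smtp (LISTEN)
"""

# Addresses that are only reachable from the local machine.
LOOPBACK = re.compile(r"^(localhost(\..*)?|127\.\d+\.\d+\.\d+|\[::1\])$")


def exposed_listeners(lsof_text):
    """Return (command, pid, proto, port) for sockets that accept
    unsolicited traffic on a non-loopback address."""
    found = []
    for line in lsof_text.splitlines():
        fields = line.split()
        # Locate the protocol column; this tolerates an extra SIZE/OFF column.
        idx = next((i for i, f in enumerate(fields) if f in ("TCP", "UDP")), None)
        if idx is None or idx < 2 or idx + 1 >= len(fields):
            continue  # header or non-socket line
        proto, name = fields[idx], fields[idx + 1]
        state = fields[idx + 2] if len(fields) > idx + 2 else ""
        if "->" in name:
            continue  # connected socket, not a listener
        if proto == "TCP" and state != "(LISTEN)":
            continue  # TCP socket that is not accepting connections
        host, _, port = name.rpartition(":")
        if LOOPBACK.match(host):
            continue  # bound to loopback only
        found.append((fields[0], int(fields[1]), proto, port))
    return found


if __name__ == "__main__":
    for cmd, pid, proto, port in exposed_listeners(SAMPLE):
        print(f"{cmd} (pid {pid}) accepts {proto} on a non-loopback address, port {port}")
```

Unbound UDP sockets are treated as listeners because UDP has no LISTEN state; a socket showing a `->` peer is skipped as an established connection.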