| 1 |
One more ¢… |
| 2 |
|
| 3 |
On 12/04/2014 08:37 PM, Christopher Head wrote: |
| 4 |
> On December 4, 2014 8:12:58 AM PST, Andrew Savchenko |
| 5 |
> <bircoph@g.o> wrote: |
| 6 |
>> |
| 7 |
>> Yes. But booting as much services as possible is even more |
| 8 |
>> preferable, especially when box is remote. |
| 9 |
> |
| 10 |
> Are you sure booting most, but not all, services in a loop is always |
| 11 |
> better than booting none of them at all? What if I have an insecure |
| 12 |
> dæmon listening on TCP, I need it running, but I want to ensure only |
| 13 |
> local processes can connect to it? Obviously, I would make it “need |
| 14 |
> iptables”, assuming the dæmon doesn’t have its own bind address |
| 15 |
> config knob. |
| 16 |
> |
| 17 |
> What if now, by some accident, iptables ends up in a loop (maybe not |
| 18 |
> even a loop including $insecure_service, but some other loop |
| 19 |
> entirely), and it’s the randomly chosen victim? Is it still good to |
| 20 |
> boot as many services as possible? I think not. |
| 21 |
|
| 22 |
> I would make it “need iptables” |
| 23 |
|
| 24 |
Firstly, the loop solver doesn't remove "need" dependencies [1]. There |
| 25 |
will be no problem. |
| 26 |
|
| 27 |
[1] |
| 28 |
https://github.com/xaionaro/documentation/blob/master/openrc/earlyloopdetector/early-loop-detection.pdf |
| 29 |
|
| 30 |
But there are few ways to bypass such problems. For example: |
| 31 |
- Don't enable the option in this case. You should understand |
| 32 |
consequences of enabling any non-default option. Also for example |
| 33 |
sysadmin shouldn't setup public sshd with pass "test" on root. Here's |
| 34 |
the same. It's just required to understand what are you doing. |
| 35 |
- Use network namespaces for insecure processes without ability to |
| 36 |
setup the bind address. And use iptables to redirect to the real |
| 37 |
listening port (in the namespace). |
| 38 |
|
| 39 |
|
| 40 |
Best regards, Dmitry. |
Archives