One more ¢…

On 12/04/2014 08:37 PM, Christopher Head wrote:
> On December 4, 2014 8:12:58 AM PST, Andrew Savchenko
> <bircoph@g.o> wrote:
>>
>> Yes. But booting as many services as possible is even more
>> preferable, especially when the box is remote.
>
> Are you sure booting most, but not all, services in a loop is always
> better than booting none of them at all? What if I have an insecure
> dæmon listening on TCP, I need it running, but I want to ensure only
> local processes can connect to it? Obviously, I would make it “need
> iptables”, assuming the dæmon doesn’t have its own bind address
> config knob.
>
> What if now, by some accident, iptables ends up in a loop (maybe not
> even a loop including $insecure_service, but some other loop
> entirely), and it’s the randomly chosen victim? Is it still good to
> boot as many services as possible? I think not.

> I would make it “need iptables”
Firstly, the loop solver doesn't remove "need" dependencies [1]. There
will be no problem.

[1]
https://github.com/xaionaro/documentation/blob/master/openrc/earlyloopdetector/early-loop-detection.pdf

But there are a few ways to bypass such problems. For example:
- Don't enable the option in this case. You should understand the
consequences of enabling any non-default option. Also, for example, a
sysadmin shouldn't set up a public sshd with password "test" on root. This
is the same. It's just required to understand what you are doing.
- Use network namespaces for insecure processes without the ability to
set up the bind address, and use iptables to redirect to the real
listening port (in the namespace).


Best regards, Dmitry.
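The second workaround Dmitry describes (a daemon that can only bind 0.0.0.0 is confined to its own network namespace, and iptables forwards local connections to it) as an added, stand-alone example; this is not code from the thread, from OpenRC, or from any poster. The namespace name, the 10.200.0.0/30 veth addresses, the port 8080 and the daemon command are assumptions chosen for illustration. The point is that the daemon's 0.0.0.0 inside the namespace covers only the veth address, which is not routable from outside the host, while local clients keep talking to 127.0.0.1:PORT as before.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): confine a daemon that
# cannot set its bind address into a network namespace and make it
# reachable only from this host through an iptables DNAT.
# Names, addresses and the port below are illustrative assumptions.
set -eu

NS="${NS:-insecure}"            # assumed namespace name
HOST_IF="veth-${NS}-host"       # veth end that stays in the root namespace
NS_IF="veth-${NS}-ns"           # veth end moved into the namespace
HOST_IP="10.200.0.1"            # assumed link addresses (/30, host-local only)
NS_IP="10.200.0.2"
PORT="${PORT:-8080}"            # assumed port the insecure daemon listens on
DRY_RUN="${DRY_RUN:-0}"         # DRY_RUN=1 prints the plan instead of applying it

# run: execute a command, or print it when DRY_RUN=1 so the plan can be
# reviewed (and tested) without root privileges.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_netns: create the namespace and a veth pair between it and the host.
# Nothing routes to NS_IP except this host, so a daemon bound to 0.0.0.0
# inside the namespace is only reachable locally.
setup_netns() {
    run ip netns add "$NS"
    run ip link add "$HOST_IF" type veth peer name "$NS_IF"
    run ip link set "$NS_IF" netns "$NS"
    run ip addr add "$HOST_IP/30" dev "$HOST_IF"
    run ip link set "$HOST_IF" up
    run ip netns exec "$NS" ip addr add "$NS_IP/30" dev "$NS_IF"
    run ip netns exec "$NS" ip link set "$NS_IF" up
    run ip netns exec "$NS" ip link set lo up
}

# redirect_local: local clients still connect to 127.0.0.1:PORT.  The nat
# OUTPUT chain (locally generated packets only, so remote hosts never match)
# rewrites the destination to the daemon inside the namespace, and
# MASQUERADE on the veth gives the packet a routable source address.
# The FORWARD drops keep the namespace unreachable even if ip_forward is
# turned on later.
redirect_local() {
    run iptables -t nat -A OUTPUT -o lo -p tcp -d 127.0.0.1 --dport "$PORT" \
        -j DNAT --to-destination "$NS_IP:$PORT"
    run iptables -t nat -A POSTROUTING -o "$HOST_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$HOST_IF" -j DROP
    run iptables -A FORWARD -o "$HOST_IF" -j DROP
}

# start_in_ns: launch the daemon (given as arguments) inside the namespace.
start_in_ns() {
    run ip netns exec "$NS" "$@"
}

# teardown: undo the rules and delete the namespace (veth pair goes with it).
teardown() {
    run iptables -t nat -D OUTPUT -o lo -p tcp -d 127.0.0.1 --dport "$PORT" \
        -j DNAT --to-destination "$NS_IP:$PORT"
    run iptables -t nat -D POSTROUTING -o "$HOST_IF" -j MASQUERADE
    run iptables -D FORWARD -i "$HOST_IF" -j DROP
    run iptables -D FORWARD -o "$HOST_IF" -j DROP
    run ip netns del "$NS"
}

# Usage (as root):  sh confine.sh setup /usr/sbin/insecured --foreground
#                   sh confine.sh teardown
# Review first:     DRY_RUN=1 sh confine.sh setup /usr/sbin/insecured
# "/usr/sbin/insecured" is a placeholder for the real daemon command.
case "${1:-}" in
    setup)    shift; setup_netns; redirect_local; start_in_ns "$@" ;;
    teardown) teardown ;;
esac
```

In an OpenRC setting this is exactly the case where the service should still "need iptables": if the redirect is missing, local clients simply fail to connect, rather than the daemon becoming exposed, because the daemon was never listening on a routable address in the first place.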