[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: httpd installed by default on desktops! bad gnome-user-share, bad!



On Mon, 2007-04-09 at 12:34 -0400, Matthew Miller wrote:
> On Mon, Apr 09, 2007 at 12:06:14PM -0400, Jesse Keating wrote:
> > Perhaps this conversation belongs in upstream gnome, but it starts an http 
> > session AS the user for the specific directory the user wants to share.  
> > Other than the knee jerk "OMG http is running!" reactions, what is the major 
> > problem here?
> 
> We've come a long way in reducing out-of-the-box vulnerabilities in Fedora
> since the Red Hat Linux days. SE Linux and other "overlay" security measures
> are good, but the major factor is: don't install complicated network servers
> by default. This is serious backsliding.
> 
> We can count on everyone applying security updates for supported releases.
> (Of course we can!) But, every couple of days someone on fedora-list posts
> questions about Fedora Core 4 or older. "It works fine, I can't bother to
> upgrade right now." The more stuff like this we ship, the more those people
> are going to be part of botnets.
> 
> We can say "tough, their problem" -- just like historically a certain big OS
> vendor I hate to bring into the conversation for Godwin's law-related
> reasons -- but that's irresponsible. If we stop caring about this issue,
> it's only a matter of time before "Linux Security Worse than Proprietary OS
> / Linux-based Worm Brings Down The Internets!" is the headline news -- and
> it'll be right.

Would you be happier if turning on file sharing started a custom-written
HTTP server hacked up just for the purpose?

 If so, why?

 If not, what's the problem? (*)

The long-standing policy is that installing httpd doesn't start httpd
as a system service, so in either case, we are talking about a server
process running as the user serving a very limited set of files. The
only difference I see is that using Apache HTTP, we use a much more
tested and mature code base.

						- Owen

(*) Saying that user file sharing is a bad idea and shouldn't have been
    done to begin with isn't a useful response here.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]