can we find a solution to bug #820895 (show Process Name in log files) (imaginative solution/description presented)?
nick rundy
nrundy at hotmail.com
Fri Jan 27 05:12:30 UTC 2012
Yes, good insights, Robbie.
Just to be clear, I'm not asking that an application-firewall (as Jason Todd was speaking of) be created to solve this problem. I'm totally fine with a solution that doesn't involve a firewall. It's just that an application firewall allows me to solve this problem when I use Windows, so it is the only base of reference I have to speak to.
I simply am asking that some way be created to give users a user-friendly, in-your-face way to learn/discover/record/log what applications and/or system-processes are making internet connections and/or are being blocked from making internet connections (e.g., by GUFW when it is set to block outgoing connections).
One way to solve this problem (as envisioned in my imagination without any insight into the technical feasibility of it) would be to design some sort of "Indicator" that appears on the titlebar of an application's window. For example, in the upper right corner of the titlebar, an internet-connection-icon would display if the app is trying to connect or is actually connected to the internet. If the app is not connecting nor trying to connect to the internet then this icon would change its appearance. This Indicator would solve my problem because it provides a user-friendly, in-your-face, understandable way for users to quickly ascertain the "internet-connection-state" and "internet-connection-behavior" of an application.
Here's an example of how this can be directly used in the real world: first, say I use a Mobile Broadband internet connection that only gets so much GB a month. And to try to conserve bandwidth I only want internet connections that I deem "worthwhile" to occur. If I ONLY use Rhythmbox to play MP3s that live on my hard drive, I do not need (nor want) Rhythmbox to make an internet connection when I open and use the application. All I'm using it for is to play MP3s from my hard drive. What does it need to connect to the internet for? So I need an easy and "in your face" way to discover if & when Rhythmbox is making an internet connection. If I open Rhythmbox and start playing an MP3 and notice that Rhythmbox is making an internet connection, then I know that I need to go into the Rhythmbox settings and configure it to NOT make those internet connections. If Rhythmbox's settings do not allow for such configuration, I know that I should select a different application for playing my music with (i.e., one that does allow such configuration).
To further support my case, I offer that with Ubuntu One and other cloud services growing in popularity, I think it makes sense for users to have a user-friendly way to be able to keep abreast of the "internet-connection-state" and "internet-connection-behavior" of their applications & system.
Thank you so much for reading/listening to my concerns on this issue. I hope I have been clear in my descriptions :-)
> Date: Thu, 26 Jan 2012 15:30:52 -0600
> From: robbie at ubuntu.com
> To: jtodd929 at hotmail.com
> CC: nrundy at hotmail.com; ubuntu-devel-discuss at lists.ubuntu.com
> Subject: Re: can we find a solution to bug #820895 (show Process Name in log files)?
>
> Seems to be 2 separate issues in this thread:
>
> 1) Our system logging for firewall issues only logs PIDs via iptables
> with no program name. Given other applications like netstat and nethogs
> can do this, I think it's something we should try and work with upstream
> to address. (my $0.02)
>
> 2) Users can't firewall based on applications. I could be completely
> wrong here, but I believe AppArmor[1] provides this functionality via
> profiles. While not as simple as adding an application to a list, it
> might be an alternative solution until there's an easier way to do this.
>
> [1] http://manpages.ubuntu.com/manpages/hardy/man5/apparmor.d.5.html
>
> -Robbie
>
> On 01/26/2012 02:51 PM, Jason Todd wrote:
> > Nick, the package is called "acct" all by itself.
> > IMHO it will not solve the problem you are facing. I have tried it and
> > it is not "user-friendly" compared to what you are used to. I have
> > watched numerous people go back to Windows largely because of user
> > frustration/inability to discover/control what applications can and
> > cannot internet connect. I remember reading one review of ubuntu where
> > the reviewer hooked up some friends with 11.04 to get their opinions.
> > One of the things the friends complained about was only having control
> > of ports (and not applications) in the firewall. I could have sworn it
> > was at tomshardware.com. I've searched but can't find the review. It was
> > back around the time 11.04 came out.
> > The way Linux deals with applications and internet connections has not
> > evolved to a consumer-desktop-level. In an age where privacy and
> > security are very important, it's going to need to address this to gain
> > more users. I was sad to see Bug 820895 marked as Won't Fix.
> >
> > I personally tried to get my friend to start using ubuntu. But he grew
> > frustrated with no application firewall capabilities. He posted in the
> > ubuntu-forums on the issue and it generated a long discussion but
> > ultimately turned into a big mess where lots of ubuntu users were
> > calling him an idiot and saying that Windows uses an application
> > firewall because Windows sucks. The thread was closed and my friend went
> > back to Windows feeling like ubuntu is only for programmers and everyone
> > that uses Ubuntu thinks he's stupid cause he wanted an application firewall.
> >
> > ------------------------------------------------------------------------
> > From: nrundy at hotmail.com
> > To: psusi at ubuntu.com; ubuntu-devel-discuss at lists.ubuntu.com
> > Subject: RE: can we find a solution to bug #820895 (show Process Name in
> > log files)?
> > Date: Thu, 26 Jan 2012 10:16:22 -0500
> >
> > Philip, thanks for your reply. I greatly appreciate it. You said,
> >
> >>>>If you don't like the connections a program makes, then configure it
> > not to do so. If you can't do that, then don't run such a bad program.>>>
> >
> > This is what I'm trying to do on Ubuntu! :) If I can't log the process
> > name, how do I learn what connections a program is making so that I can
> > configure that program to not make those connections? You see the problem?
> >
> > For over a year I have been struggling (on Ubuntu) with a way to
> > identify the connections programs are making so that I can do what you
> > say: configure it not to make those connections or to uninstall the
> > program if I deem it a "bad program." This is a non-issue on Microsoft
> > Windows because I can easily identify connections programs are making
> > and I can KNOW the comings and goings on my computer as it is all logged
> > with Application Name in the firewall log. One of the criteria I use to
> > select which applications I install and run is "internet connection
> > behavior." It has been very difficult selecting applications I prefer in
> > Ubuntu because I am forced to sit and watch netstat while trying to
> > accomplish things. What I have ended up doing is (when available)
> > installing the same program on Windows, studying the firewall log in
> > Windows and then deeming it a "good" or "bad" program for use in Ubuntu.
> > So I am still seeking a solution on Ubuntu. If there's some other way to
> > accomplish what I'm after (than using a Firewall Log), I will use it.
> > But I have yet to find as reasonable a solution on Ubuntu. As others
> > have remarked in forums etc, this is becoming an increasing priority in
> > order to manage Mobile Broadband internet connection usage as the
> > accounts come with bandwidth caps where users are charged a lot of extra
> > money if they exceed the caps.
> >
> > I will investigate using acct package, is this the name ("acct" or "acct
> > package") I should search for in Synaptic? I have not tried this as a
> > solution and really appreciate your suggestion.
> >
> >
> >
> >> Date: Wed, 25 Jan 2012 19:55:18 -0500
> >> From: psusi at ubuntu.com
> >> To: nrundy at hotmail.com
> >> CC: ubuntu-devel-discuss at lists.ubuntu.com
> >> Subject: Re: can we find a solution to bug #820895 (show Process Name in log files)?
> >>
> >> On 01/25/2012 06:22 PM, nick rundy wrote:
> >> > Is there anything that can be done to create some way for Ubuntu
> >> > users to get the capability of having a static record of what
> >> > application/s made an outgoing connection?
> >>
> >> That would require a change to the iptables kernel module that
> >> implements process based rules. Last I saw, it wasn't really maintained
> >> because the whole concept is considered broken by design. In other
> >> words, you shouldn't be setting rules based on processes.
> >>
> >> Needing an external firewall to control network activity of a program
> >> in the first place is the result of using badly behaved closed source
> >> programs, and so it is largely a non issue for the open source community.
> >>
> >> > The capability to log "process names" has been requested by numerous
> >> > users over the years, here's some links:
> >>
> >> If you want to log what processes are run and when in general, then
> >> you can install and configure the acct package. You could then use the
> >> accounting information to look up what process had a given pid at a
> >> given time.
> >
> >
> > -- Ubuntu-devel-discuss mailing list
> > Ubuntu-devel-discuss at lists.ubuntu.com Modify settings or unsubscribe at:
> > https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
> >
> >
>
> --
> Robbie Williamson <robbie at ubuntu.com>
> robbiew[irc.freenode.net]
>
> "Don't make me angry...you wouldn't like me when I'm angry."
> -Bruce Banner
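
The program-name lookup that the thread credits to netstat and nethogs can be done from /proc alone; the code below is an added example, not code from the thread or from either tool. It joins the socket inode column of `/proc/net/tcp` to the `socket:[inode]` links under `/proc/<pid>/fd`; the sample table and all function names are constructed for illustration.

```python
import os, re, socket, struct

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:C350 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1
"""

def decode_addr(hexaddr):
    """'0100007F:0277' -> ('127.0.0.1', 631); IPv4 as printed on little-endian hosts."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return {inode: (local, remote, state_hex)} for every socket row."""
    conns = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) >= 10:                        # f[9] is the socket inode
            conns[int(f[9])] = (decode_addr(f[1]), decode_addr(f[2]), f[3])
    return conns

def inode_owners(proc_root="/proc"):
    """Map socket inode -> (pid, comm) from the /proc/<pid>/fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().strip()
            for fd in os.listdir(fd_dir):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
                if m:
                    owners.setdefault(int(m.group(1)), (int(pid), comm))
        except OSError:                         # process exited, or not ours and not root
            continue
    return owners

def connections_with_process(tcp_text, proc_root="/proc"):
    """List ((pid, comm), local, remote, state) for non-listening sockets."""
    owners = inode_owners(proc_root)
    return [(owners.get(inode, (None, "?")), local, remote, st)
            for inode, (local, remote, st) in parse_proc_net_tcp(tcp_text).items()
            if st != "0A"]                      # 0A = LISTEN

if __name__ == "__main__":                      # live use on a Linux host
    with open("/proc/net/tcp") as fh:
        for row in connections_with_process(fh.read()):
            print(row)
```

Run as root to see sockets owned by other users. It covers IPv4 TCP only and shows a snapshot, so short-lived connections can be missed.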