ZeroConf in Ubuntu Edgy

[Trent Lloyd]

Hi Krishna,

On Sun, Jul 02, 2006 at 11:02:05PM -0500, Krishna Sankar wrote:
> > Zeroconf is simply too scary to enable by default, but I can 
> <KS>
> If so, how is apple mitigating the risk ? If it is OK for Apple, why not for Ubuntu ? 
> 
> Also, in case of home users, no admin exists and no workstation rollouts. 
> 
> We can always give a warning, and allow ZeroConf to be opened. But that does not solve any problem - just shifting the responsibilities. What would a poor home user know or can do about firewalls and ports that we cannot do ? 
> 
> IMHO, we should find a way to enable ZeroConf, make proper assumptions and add the right amount of safety, which I think is what Apple does. I still haven't gotten a well rounded answer as to Apple's setup in this regard, so don't know if it is true.
> 
> We can still get the user's permission to open it, but not as a way of shifting the burden. We should do this only IF we are comfortable enabling ZeroConf. An anemic "we are not OK with it, but if you want we will open it for you" is not a solution.

As far as I can see, there are two potential security concerns with
zeroconf

 1) Information Disclosure
 2) Application Secrurity Vulnerability

1)

The former is clear cut, zeroconf publishes information about you on a
network, in a standard avahi setup it's quite easy to see that your
computer is on the network, what you have named it, and what your MAC
address is.

Further from that particular applications may choose to publish
information, your music collection, or a shared document etc.

Obviously there are various concerns here, number 1 they might get to
knwo my name because by computer is called 'trentlloyd-laptop' by
default with the new dapper installer.

Secondly the RIAA might find out that I'm sharing 1000's of illegal
music files and sue me (and then I sue ubuntu or something silly :)

====

2)

Totally separately, as with every application, Avahi may have a security
vulnerability, with it listening on the network (as required for
zeroconf) this could be exposed and allow an attacker access to my
system.

Avahi has been pretty good so far, there have been a couple problems,
nothing that has come out as exploit thus far.

We also take reasonable measures to secure ourselves against these, such
as having the avahi daemon chroot()d into a relatively useless
directory, and having it run as the 'avahi' user and not root.

Which brings us to the no open ports policy, having this policy means
that, out of the box, no ubuntu system is vulnerable, which is a good
albeit somewhat prohibitive policy.

As far as I am aware the no open port policy is not up for debate, what
we need to be concentrating on is an _easy_ way to enable zeroconf, I
think that firewalls or allowing private iPs or MACs, etc are all silly,
and that at the very basic level zeroconf should just me a 

[X] Enable network service discovery

in the network settings applet.

The former issue about information disclosure is also very relevant, and
we should be fully aware of the information that is published by
default, and easily published with the most common (or even all)
zeroconf-using applications.

Cheers,
Trent


> </KS>
> Cheers
> <k/>
> 
> > -----Original Message-----
> > From: ubuntu-devel-bounces at lists.ubuntu.com 
> > [mailto:ubuntu-devel-bounces at lists.ubuntu.com] On Behalf Of Dan Kegel
> > Sent: Sunday, July 02, 2006 8:27 PM
> > To: Daniel Pittman
> > Cc: ubuntu-devel at lists.ubuntu.com
> > Subject: Re: ZeroConf in Ubuntu Edgy
> > 
> > Zeroconf is simply too scary to enable by default, but I can 
> > imagine that an admin who was into it could easily enable it 
> > when rolling out workstations...
> > 
> 
> 
> -- 
> ubuntu-devel mailing list
> ubuntu-devel at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

-- 
Trent Lloyd <lathiat at bur.st>
Bur.st Networking Inc.