From Fedora Project Wiki
(Add page about privacy and security of running avahi by default)
 
(Cleanup, typos)
Line 1: Line 1:
= Avahi by Default on the Desktop =
= Avahi by Default on the Desktop =


'''Note:''' this is not an opinion piece, but do feel free to contribute with actual facts or research.
'''Note:''' this is not a place to gather opinions, but please do contribute with actual facts or research.


== Use case ==
== Use case ==


* User is in at home or in a print shop (like Kinkos) and wants to print to a new printer.
* User is in at home or in a print shop (like Kinkos) and wants to print to a printer for the first time.
* Opens "Printers" to add a new printer.
* Opens "Printers" in System Settings to add a new printer.
* Printer is advertised using MDNS and user sees it, clicks on it to install.
* The printer is advertised using MDNS and user sees it displayed, clicks on it to install.


Currently this does not work in Fedora. Avahi is blocked by our firewall by default. Obviously many printers don't use MDNS. This is about MDNS and our implemantation: Avahi.
Currently this does not work in Fedora. Avahi is blocked by our firewall by default. Obviously many printers don't use MDNS. This is about MDNS and our implementation: Avahi.


Note that a firewall is orthogonal this use case, even when zones are implemented. We want printers to be discoverable from the "Printers" control panel even on hostile networks. The user should not have to type their root password for a polkit prompt to see printers on the network. Neither should they have to disable their firewall or play with it.
Note that a firewall is orthogonal this use case, even if security "zones" were implemented. We want printers to be discoverable from the "Printers" control panel even on possibly "hostile" networks. The user should not have to type their root password for a policy kit prompt to see printers on the network. Neither should they have to disable their firewall or otherwise diddle it.


If the current implementation of printer discovery using MDNS is not secure, it should be possible to make it secure and make this use case work.
== Goal ==
 
If the current implementation of automatic printer discovery using MDNS is not secure, it should be possible to make it secure and make the above use case work. If it is absolutely impossible to make it secure, then we want to discover exactly why.


== Privacy and Security Issues ==
== Privacy and Security Issues ==


Running Avahi by default, in its current state runs into security and privacy issues.
Running Avahi by default, in its current state, causes security and privacy issues.


We would like to enumerate those issues here, so that we can sufficiently neuter Avahi so that it can be run by default without a firewall and not pose any threat to the system. The end goal is to facilitate the above use cases, and others like it.  
We would like to enumerate those issues here, so that we can sufficiently neuter Avahi so that it can be run by default without a firewall and not pose any threat to the system. The end goal is to facilitate the above use cases, and others like it.  
Line 54: Line 56:
In theory, changing the results of resolver lookups can be a limited security threat, when running on a hostile network. However this is limited to <code>.local</code> by default.  
In theory, changing the results of resolver lookups can be a limited security threat, when running on a hostile network. However this is limited to <code>.local</code> by default.  


In addition if DHCP is used on the network in question (usually the case), then the attacker can simply push another DNS server to the client machine and attack using that vector instead.
In addition, if DHCP is used on the network in question (usually the case), then the attacker can simply push another DNS server to the client machine and attack using that vector instead.

Revision as of 20:35, 5 March 2012

Avahi by Default on the Desktop

Note: this is not a place to gather opinions, but please do contribute with actual facts or research.

Use case

  • User is in at home or in a print shop (like Kinkos) and wants to print to a printer for the first time.
  • Opens "Printers" in System Settings to add a new printer.
  • The printer is advertised using MDNS and user sees it displayed, clicks on it to install.

Currently this does not work in Fedora. Avahi is blocked by our firewall by default. Obviously many printers don't use MDNS. This is about MDNS and our implementation: Avahi.

Note that a firewall is orthogonal this use case, even if security "zones" were implemented. We want printers to be discoverable from the "Printers" control panel even on possibly "hostile" networks. The user should not have to type their root password for a policy kit prompt to see printers on the network. Neither should they have to disable their firewall or otherwise diddle it.

Goal

If the current implementation of automatic printer discovery using MDNS is not secure, it should be possible to make it secure and make the above use case work. If it is absolutely impossible to make it secure, then we want to discover exactly why.

Privacy and Security Issues

Running Avahi by default, in its current state, causes security and privacy issues.

We would like to enumerate those issues here, so that we can sufficiently neuter Avahi so that it can be run by default without a firewall and not pose any threat to the system. The end goal is to facilitate the above use cases, and others like it.

Privacy: PTR and HINFO records

By default Avahi publishes the following information.

  • Host name
  • CPU architecture, and system type (HINFO records)

Recommendation: Don't publish anything unless specifically approved by the user.

Privacy: SSH service

Installed by avahi package on Fedora.

Recommendation: Only advertise over Avahi when service is enabled. When service is enabled allow through firewall. Disable service by default.

Privacy: libvirt service

virt-manager can connect to it and show you the VM available on the remote system: http://virt-manager.org/page/LibvirtDiscovery

Recommendation: Disable remote VM access and discovery by default

Privacy: udisks service

Already removed in udisks2

Possible Security: nsswitch.conf integration

Unclear if this is a security problem.

With the nsswitch.conf integration, MDNS can affect the resolv lookups on the machine. This is limited to .local domains, and domains explicitly configured in avahi for MDNS.

In theory, changing the results of resolver lookups can be a limited security threat, when running on a hostile network. However this is limited to .local by default.

In addition, if DHCP is used on the network in question (usually the case), then the attacker can simply push another DNS server to the client machine and attack using that vector instead.