From Fedora Project Wiki

Revision as of 12:03, 14 July 2012 by Stefw (talk | contribs) (→‎Release Notes: Fix release notes)

Avahi by Default on the Desktop

Summary

Fedora should work out of the box discovering MDNS shared printers and other MDNS devices. The system should not publish any private information via MDNS by default, but MDNS should be available for device discovery by default for the Desktop install of Fedora.

In principle this is similar to how DNS lookups are enabled out of the box, and are taken for granted.

Owner

Current status

  • Targeted release: Fedora 18
  • Last updated: 2012-07-05
  • Percentage of completion: 70%

Research has been done, including being looked over by various Red Hat security people, and various commits have been made to address privacy and security concerns.

Detailed Description

Security and Privacy research done here

Use case:

  • User is in at home or in a print shop (like Kinkos) and wants to print to a printer for the first time.
  • Opens "Printers" in System Settings to add a new printer.
  • The printer is advertised using MDNS and user sees it displayed, clicks on it to install.

Currently this does not work in Fedora. Avahi is blocked by our firewall by default. Obviously many printers don't use MDNS. This is about MDNS and our implementation: Avahi.

Note that a firewall is orthogonal this use case. We want printers to be discoverable from the "Printers" control panel on any network, even on possibly otherwise "hostile" networks. The user should not have to type their root or login password for a policy kit prompt to see MDNS devices on the network. Neither should they have to disable their firewall or otherwise diddle it.

Unknown security bugs are accounted for by use of SELinux with the avahi daemon. Known privacy issues in avahi have been fixed.

No private information should ever be published by Fedora by default, whether via MDNS or any other mechanism. We have patched various applications to make sure this does not occur. The user should always be the one who turns on any publishing of information.

Please note that the system's hostname is not considered private information. This in formation is broadcast on the network by DHCP and other components. By connecting to a network using DHCP the expectation is that the user publishes their host name. This is the case for pretty much all mainstream OS's in their default configuration, including current releases of RHEL and Fedora.

GNOME is working on user interfaces for privacy and sharing, but that is not a part of this feature.

This is not about UPnP or other methods of device discovery. Future evaluation of these other methods would examine their features, privacy, and security on their own merit.

Benefit to Fedora

  • Fewer users will disable the firewall, leading to real world boost for security.
  • Fedora will be simpler for users to setup.

Scope

See the research for the various packages touched, and progress on that work.

Once these patches have gone in, we will update the installer comps data so that if the 'Desktop' component is selected on Fedora install, a relevant firewall with MDNS (udp port 5353) open by default will be installed by anaconda.

How To Test

  • Install a new fedora system.
  • Use the following command to verify that Avahi is running:
systemctl status avahi-daemon.service
  • Use the following to show that the 5353 port is open in the firewall:
system-config-firewall
  • Use the following command on another system on the network to show that no private information or additional services have been displayed.
avahi-browse --all

User Experience

Users will not be encouraged to disable the firewall. Fedora will be less abrasive for new users.

Dependencies

  • avahi
  • libvirtd
  • udisks2
  • system-config-firewall
  • anaconda

Contingency Plan

  • There are various fixes to packages so they do not publish information by default.
  • If these patches do not make it 'in', then we will not open avahi by default in the firewall.

Documentation

  • Research done here: [1]

Release Notes

  • When installing the "Graphical Desktop" software selection, an MDNS client is included. This allows out of the box discovery of devices on the local network. No private information is published via MDNS by default.

Comments and Discussion