Poettering's Beef

Story: Ubuntu's "No Open Ports!" policy questioned by Avahi developer
Total Replies: 24
SFN

Jul 27, 2006
4:29 AM EDT
The post isn't a question of whether or not "No Open Ports" is a good idea. That would actually be a very good question, as highlighted by the CUPS situation mentioned in the other blog.

Specifically, Poettering says:

Quoting: It is not my intention to force anyone to use my software. However, enforcing the "No Open Ports" policy unconditionally is not a good idea. Currently Ubuntu makes exceptions for DHCP/DNS and so it should for mDNS.


So the point is to allow mDNS. What advantages are offered by opening mDNS other than allowing Zeroconf/Avahi to run? I honestly don't know the answer to that.

Assuming there are other advantages, it seems to me that, rather than open up mDNS for everyone no matter what, the way to handle that would be to add a question to the installer that says something like, "would you like to be able to [do the various things that having mDNS open allows you to do]?"
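The policy SFN is discussing, "No Open Ports" with named exceptions (DHCP, and the mDNS exception Poettering asks for), can be turned into a check a user or admin can run. The script below is an added example, not code from the thread or from Ubuntu: it parses the output of `ss -H -l -t -u -n` (here a constructed sample, not captured from a real host), drops sockets bound only to loopback, and reports anything listening on the network that is not on a small allowlist. The allowlist of udp/68 (DHCP client) and udp/5353 (mDNS) is an assumption taken from the posts above; the CUPS and SSH sockets in the sample are there to show what a violation looks like.

```shell
#!/bin/sh
# "No Open Ports" audit: anything listening on a non-loopback address
# that is not explicitly allowed is a policy violation.

# Constructed sample of `ss -H -l -t -u -n` output (not from a real host).
# Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='udp   UNCONN 0 0       0.0.0.0:68          0.0.0.0:*
udp   UNCONN 0 0 127.0.0.53%lo:53          0.0.0.0:*
udp   UNCONN 0 0       0.0.0.0:5353        0.0.0.0:*
tcp   LISTEN 0 128   127.0.0.1:631         0.0.0.0:*
tcp   LISTEN 0 128     0.0.0.0:631         0.0.0.0:*
tcp   LISTEN 0 128        [::]:22             [::]:*'

# Assumed allowlist, as proto/port: the DHCP client and mDNS exceptions
# discussed in the thread. Everything else is "deny".
ALLOWLIST="udp/68 udp/5353"

# Print proto/port for every socket bound to a non-loopback address.
exposed_ports() {
    printf '%s\n' "$1" | awk '
    {
        proto = $1; addr = $5
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        sub(/%.*/, "", host)        # drop a %iface scope suffix (127.0.0.53%lo)
        gsub(/\[|\]/, "", host)     # drop IPv6 brackets ([::])
        if (host == "::1" || host ~ /^127\./) next   # loopback is not an open port
        print proto "/" port
    }' | sort -u
}

# Print exposed ports that are not on the allowlist; exit status 1 if any.
policy_violations() {
    rc=0
    for entry in $(exposed_ports "$1"); do
        case " $ALLOWLIST " in
            *" $entry "*) ;;                 # explicitly permitted
            *) echo "$entry"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: on a real host replace "$SAMPLE_SS" with "$(ss -H -l -t -u -n)".
if policy_violations "$SAMPLE_SS"; then
    echo "no listening sockets beyond the allowlist"
else
    echo "the sockets above are open to the network and not on the allowlist"
fi
```

On the constructed sample this reports tcp/22 and tcp/631 and lets udp/68 and udp/5353 through. The loopback-bound CUPS socket on 127.0.0.1:631 is not reported, which is the distinction the thread keeps coming back to: a service running is not the same as a port open to the network.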
tuxchick2

Jul 27, 2006
5:26 AM EDT
SFN, you are right. He misses the main point- the most fundamental security principle which is "deny all, allow as needed." First of all, Zeroconf on Linux mostly doesn't work, and is a pain to set up. Secondly, enabling it by default is just plain dumb. Better to have an "on" switch for users who want it. Maybe someday it will be ubiquitous, but at the moment it's more of a curiosity. (See http://www.enterprisenetworkingplanet.com/netos/article.php/... for a Zeroconf in linux howto)

I don't like that a DHCP client runs by default, but for most folks it's such a fundamental protocol it makes sense to have it. Grumpy old pharts like me can turn it off.
SFN

Jul 27, 2006
5:57 AM EDT
Quoting: I don't like that a DHCP client runs by default, but for most folks it's such a fundamental protocol it makes sense to have it.


Right. And that's where the stuff about CUPS comes into play. Quite frankly, I'd rather turn it on myself if I need it but the average user does need it and will want it.
dcparris

Jul 27, 2006
12:53 PM EDT
I agree with the "deny all, allow as needed" attitude.
jimf

Jul 27, 2006
12:58 PM EDT
> I agree with the "deny all, allow as needed" attitude.

I just think you need to make the on off option obvious.
grouch

Jul 27, 2006
1:00 PM EDT
dcparris:

tuxchick2 just slashes things down to the essentials. The traditional phrasing is: "That which is not explicitly allowed is denied." Poetry *is dying*.
Sander_Marechal

Jul 27, 2006
1:59 PM EDT
I wonder, can't all this stuff be autodiscovered during install? E.g., during install the DHCP client pings the network. If a DHCP server is found, an option is presented to the user:

"Should this computer be automatically connected to your network?"

Same for CUPS

"There are network printers available in your network. Do you want to enable network printing by default?"

Or Avahi

"The local network offers services to your computer. Do you want them detected automatically?"

Surely it doesn't take a genius to implement such a system.
tuxchick2

Jul 27, 2006
2:09 PM EDT
grouch, I can't take credit for it. Read it in a book somewheres.

A book. You know, those paper things?

Sander, that would be ever so sensible. So it will never happen. :) On some installers, just escaping the clutches of DHCP is a near-heroic feat. Like Ubuntu Dapper server: why is DHCP the first option? For a server??? And why do you have to hit 'cancel' to get to manual configuration? It doesn't look like 'cancel the damned DHCP' but 'cancel network configuration.' ow ow ow.
grouch

Jul 27, 2006
2:40 PM EDT
tuxchick2: >"A book. You know, those paper things?"

Tree murderer!

Besides, it's too much work to turn those pages. Can't I just click something?
jdixon

Jul 27, 2006
3:15 PM EDT
> Tree murderer!

Electron abuser!
pcatiprodotnet

Jul 27, 2006
7:11 PM EDT
Good grief. Keep it secure, but when the user decides to print for the first time, simply ask the user to choose between "easy network printing" and "ultra-security". Problem solved.
jimf

Jul 27, 2006
7:19 PM EDT
> choose between "easy network printing" and "ultra-security". Problem solved.

I agree.
dinotrac

Jul 28, 2006
3:19 AM EDT
>Problem solved.

So you say.

Query me this, Batman:

Here sit I, poor non-technical home user who just happens to have three computers: One for me, one for my wife, and one the kids share. We are always hooked to the internet.

I don't have three printers, just one.

So...I get to choose between easy and secure? In other words, to get my printer working, I have to give up my security and let all those dirty rotten hacker types plunder my machines?

I don't think so, pal.

Maybe I should have used Windows.... It doesn't tell me to choose between easy and secure.

(Editorial note: OK, so that's only because it doesn't offer secure, still....)
Sander_Marechal

Jul 28, 2006
3:34 AM EDT
Dinotrac: The question for the user would probably be:

"You tried to print but you do not have a printer attached. Do you want me to scan the network for network printers? Y/n"
dinotrac

Jul 28, 2006
6:33 AM EDT
That would be much better...

Sounds like you understood the point, which is....

Most users are not developers and it's not quite so simple as "problem solved". What we say and how makes a big diff.
jdixon

Jul 28, 2006
7:05 AM EDT
> "You tried to print but you do not have a printer attached. Do you want me to scan the network for network printers? Y/n"

That will work, yes. But if your other machine is also Ubuntu, then the printer won't be available to find. :( It also needs to ask, "You have a printer. Do you wish to make it available to other machines on your network? y/N".
Sander_Marechal

Jul 28, 2006
8:25 AM EDT
No it doesn't have to ask that. Recognising existing printers should "just work", but I expect from a user willing to set up network printing that he can read the new user's guide, which could say something like:

Quoting: Sharing a printer over the network

Go to System -> Administration -> Printing. Right-click on the printer you want to share over the network and click "Share this printer".


After that, cups should be automatically set up in the background, no questions asked.
tuxchick2

Jul 28, 2006
8:43 AM EDT
As far as security goes, CUPS has access controls, so you can limit access to your local subnet. This is the bit that needs to be default, not shutting off networked printing entirely. This howto, by the fabulous goddess Carla Schroder, gives an example CUPS config that shares LAN printers and restricts printer administration to the machine it's connected to: http://www.enterprisenetworkingplanet.com/netsysm/article.ph...

This article tells how to deal with Ubuntu-specific gotchas: http://www.enterprisenetworkingplanet.com/netos/article.php/...

So, until devs wise up to designing good sensible interfaces like the ideas in this thread, this is the next best thing.
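The middle ground tuxchick2 describes, printing allowed from the LAN but administration only from the machine the printer is attached to, is expressed in cupsd.conf through `Listen` and the `Allow` directives inside `<Location>` blocks. The fragments and the checking script below are an added example, not the configuration from the linked article or from Ubuntu: both config fragments are constructed, the LAN address 192.168.1.10 is an assumption, and the directives are the CUPS 1.x ones in use around the time of this thread. The shell functions pull the `Allow` lines out of a given `<Location>` block so the weak and hardened versions can be compared mechanically.

```shell
#!/bin/sh
# Constructed cupsd.conf fragments (CUPS 1.x-era directives; not from any article).

# Weak: listens on every interface and lets any host print AND administer.
CUPS_WEAK='Port 631
Browsing On
BrowseAddress @LOCAL
<Location />
  Order allow,deny
  Allow all
</Location>
<Location /admin>
  Order allow,deny
  Allow all
</Location>'

# Hardened: printing from the local subnets only (@LOCAL), administration
# only from the machine the printer is attached to. 192.168.1.10 is an
# assumed LAN address for that machine.
CUPS_HARDENED='Listen localhost:631
Listen 192.168.1.10:631
Browsing On
BrowseAddress @LOCAL
<Location />
  Order allow,deny
  Allow localhost
  Allow @LOCAL
</Location>
<Location /admin>
  Order allow,deny
  Allow localhost
</Location>'

# Print the Allow targets inside the <Location $2> block of the config in $1.
location_allows() {
    printf '%s\n' "$1" | awk -v loc="$2" '
    /^[ \t]*<Location / {
        sub(/^[ \t]*<Location[ \t]+/, ""); sub(/>.*/, "")
        inblock = ($0 == loc); next
    }
    /^[ \t]*<\/Location>/ { inblock = 0; next }
    inblock && /^[ \t]*Allow[ \t]/ { print $2 }'
}

# Succeed only if every Allow in <Location /admin> is the local machine.
# With "Order allow,deny", no Allow at all would lock the admin out too, so
# an empty list is also treated as a failure.
admin_restricted_to_localhost() {
    allows=$(location_allows "$1" "/admin")
    [ -n "$allows" ] || return 1
    for a in $allows; do
        case "$a" in
            localhost|127.0.0.1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Succeed only if <Location /> admits nothing beyond localhost and @LOCAL.
printing_lan_only() {
    allows=$(location_allows "$1" "/")
    [ -n "$allows" ] || return 1
    for a in $allows; do
        case "$a" in
            localhost|127.0.0.1|@LOCAL) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Usage: point the same functions at "$(cat /etc/cups/cupsd.conf)" on a real host.
for name in WEAK HARDENED; do
    eval "conf=\$CUPS_$name"
    if admin_restricted_to_localhost "$conf" && printing_lan_only "$conf"; then
        echo "$name: LAN printing only, admin restricted to localhost"
    else
        echo "$name: printing or administration reachable from the network"
    fi
done
```

The check is deliberately strict about `<Location /admin>`: `@LOCAL` is fine for submitting jobs but not for the admin interface, which is exactly the split the howto above makes. One caveat for anyone applying this today: CUPS 1.6 removed `BrowseAddress` and the old browsing protocol in favour of DNS-SD, which is the Avahi/mDNS dependency the original story is about, so on a current system only the `Listen` and `<Location>` parts of the fragment carry over.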
jimf

Jul 28, 2006
9:21 AM EDT
> by the fabulous goddess Carla Schroder

Talk about shameless plugs :D
tuxchick2

Jul 28, 2006
9:29 AM EDT
Not at all. I am deeply ashamed.

Oh, if only I could keep a straight face.
dinotrac

Jul 28, 2006
9:37 AM EDT
> by the fabulous goddess Carla Schroder

Merely fabulous, Carla?

Feeling a bit humble today, I see.
jimf

Jul 28, 2006
9:42 AM EDT
> Merely fabulous, Carla?

You missed the 'goddess' part, dino?
dinotrac

Jul 28, 2006
9:45 AM EDT
>You missed the 'goddess' part, dino?

Goddess is presumed. We know Carla would never stoop to being a mere goddess. I'm surprised she settles for fabulous.
tuxchick2

Jul 28, 2006
10:03 AM EDT
No need to belabor the self-evident.
jdixon

Jul 28, 2006
10:26 AM EDT
> Recognising existing printers should "just work",

But it won't unless the second step has been taken.

> but I expect from a user willing to set up network printing that he can read the new user's guide, which could say something like:

Does it? If not, then the new user will have no idea it needs to be done, and the printer he wishes to use won't be available.

Whether or not to allow network access to a printer is probably something that should be asked when the printer is installed or during the initial system install, not just available later via the admin tools.
