RE: Default Fedora installation suffers from egregious configuration flaw

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Ya but everyone has to physically pop the dvd or usb drive into their computer and start anaconda right?  So surely they can just "useradd whoever" from the command line or start sshd on their own when it comes to that.  It doesn't make sense to me to have a widely agreed upon unsafe sshd setting on by default just to accommodate the convenience of a likely minority amount of users installing a headless server... especially considering those advanced users are best able to start sshd on their own and configure the firewall etc for their needs.  At least when logging into gnome for the first time they could popup a message saying "by the way you should probably change your firewall unless you want to be hacked", if they really want to keep that option

Date: Thu, 19 May 2011 11:49:02 -0600
From: kevin@xxxxxxxxx
To: aragonx@xxxxxxxxxx
Subject: Re: Default Fedora installation suffers from egregious configuration flaw
CC: security@xxxxxxxxxxxxxxxxxxxxxxx

On Thu, 19 May 2011 13:40:47 -0400
aragonx@xxxxxxxxxx wrote:

> Isn't that only part of the
> solution?  Why would we ever need to have PermitRootLogin to
> true?  My memory is a little rusty but I'm pretty sure the install
> forces the creation of a user account. 

No, it does at firstboot.

If you install a headless machine, you have no way to make a user
without logging in as root and making one.

> I've never done a
> headless install so I know nothing about how that works.  However, we
> shouldn't let a minority of installations compromise the security of
> the majority.  As someone has already pointed out, can't they have a
> different spin to allow whatever they might need?

I think there are solutions to this, but they should be worked with the
anaconda folks, rather than here. ;)

> Are there any
> other services that are listening by default and allowed through the
> firewall?  I believe there should be none of either.  However, I
> have been called paranoid in the past.  :)

Nope. Not on a default install anymore I don't think...


-- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx
security mailing list

[Home]     [Fedora Legacy List]     [Fedora Maintainers]     [Fedora Desktop]     [Red Hat 9 Bible]     [Fedora Bible]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Coolkey]     [Fedora Tools]

Powered by Linux