Bug 461695 - system-config-securitylevel allows implicit access to CUPS,multicast and IPsec protocols
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: system-config-securitylevel
Version: 5.2
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Thomas Woerner
Reported: 2008-09-09 18:56 EDT by Steven Roberts
Modified: 2012-01-30 02:36 EST
Doc Type: Bug Fix
Last Closed: 2011-10-15 21:20:13 EDT

Description Steven Roberts 2008-09-09 18:56:36 EDT
Description of problem:
system-config-securitylevel generates default ACCEPT rules for ipsec protocols (proto 50,51 -- at least I think 51 is ipsec as well, 50 is), multicast DNS (udp 5353), and CUPS (tcp/udp 631)

here are the lines from /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

Version-Release number of selected component (if applicable):
system-config-securitylevel-tui 1.6.29.1-2.1.el5
likely in the common code so the GUI versions have the same issue

How reproducible:
Very

Steps to Reproduce:
1. run system-config-securitylevel-tui
2. look at /etc/sysconfig/iptables
3. or run iptables -n -v -L
  
Actual results:
those holes are present

Expected results:
only the services I selected would be opened up.

Additional info:
For Linux machines I am deploying as routers I don't use system-config-securitylevel or the iptables 'service' (the /etc/rc.d/init/iptables script); I replace them. On more normal hosts, however, I was going to give the stock firewall support a try.

The tool has configurations to allow these services for incoming: SSH, HTTP, HTTPS, telnet, Samba, NFS4, FTP, SMTP.

I was a bit surprised that ipsec/VPN, CUPS, and DNS were not listed services and were just on by default.
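The check a practitioner would want after reading this report is a way to diff the ruleset the tool actually wrote against the services that were selected. The following audit script is an added example, not code from the bug report or from system-config-securitylevel: it parses a file in /etc/sysconfig/iptables (iptables-save) format and lists every ACCEPT rule in RH-Firewall-1-INPUT that the selected services do not account for. The sample ruleset is constructed from the five lines quoted above; the loopback, icmp, ESTABLISHED/RELATED and REJECT rules around them, and the service-to-port table, are assumptions about what the tool emits for the services it lists.

```python
"""Audit an /etc/sysconfig/iptables file for ACCEPT rules no selected service justifies.

Added example for bug 461695; it is not part of system-config-securitylevel.
"""

# Assumption: well-known ports for the services the tool lets the user select.
SERVICE_PORTS = {
    "ssh": {("tcp", "22")},
    "http": {("tcp", "80")},
    "https": {("tcp", "443")},
    "telnet": {("tcp", "23")},
    "smtp": {("tcp", "25")},
    "ftp": {("tcp", "21")},
    "samba": {("udp", "137"), ("udp", "138"), ("tcp", "139"), ("tcp", "445")},
    "nfs4": {("tcp", "2049")},
}

# Constructed sample: the five implicit rules quoted in the bug, plus the
# surrounding rules (lo, icmp, state, ssh, REJECT) assumed to come from the tool
# when only SSH was selected.
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_rule(line):
    """Pull chain, protocol, dport, target, interface and state out of an '-A' line.

    Returns None for policy lines, chain declarations, COMMIT and blanks.
    """
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "proto": None, "dport": None, "target": None,
            "iface": None, "state": None, "line": line}
    fields = {"-p": "proto", "--dport": "dport", "-j": "target",
              "-i": "iface", "--state": "state"}
    i = 2
    while i < len(tokens):
        key = fields.get(tokens[i])
        if key and i + 1 < len(tokens):
            rule[key] = tokens[i + 1]
            i += 2
        else:
            i += 1  # options we do not care about (-m, -d, --icmp-type ...)
    return rule


def is_expected(rule, selected):
    """True if a user who selected `selected` services would expect this rule."""
    if rule["target"] != "ACCEPT":
        return True  # REJECT/DROP and jumps do not open anything
    if rule["iface"] == "lo":
        return True  # loopback
    if rule["proto"] == "icmp":
        return True  # always on in RHEL 5; RHEL 6 lets you disable it
    if rule["state"] and set(rule["state"].split(",")) <= {"ESTABLISHED", "RELATED"}:
        return True  # return traffic for connections this host opened
    allowed = set()
    for svc in selected:
        allowed |= SERVICE_PORTS.get(svc.lower(), set())
    return (rule["proto"], rule["dport"]) in allowed


def find_implicit_accepts(text, selected, chain="RH-Firewall-1-INPUT"):
    """Return the ACCEPT rules in `chain` that no selected service justifies."""
    found = []
    for raw in text.splitlines():
        rule = parse_rule(raw.strip())
        if rule and rule["chain"] == chain and not is_expected(rule, selected):
            found.append(rule["line"])
    return found


def strip_implicit_accepts(text, selected, chain="RH-Firewall-1-INPUT"):
    """Return the file with the unjustified ACCEPT rules removed, all else untouched."""
    bad = set(find_implicit_accepts(text, selected, chain))
    return "\n".join(l for l in text.splitlines() if l.strip() not in bad) + "\n"


if __name__ == "__main__":
    for hole in find_implicit_accepts(SAMPLE_IPTABLES, {"ssh"}):
        print("implicit ACCEPT:", hole)
    print(strip_implicit_accepts(SAMPLE_IPTABLES, {"ssh"}), end="")
```

Run it against a real file with `open("/etc/sysconfig/iptables").read()` in place of the sample; the five quoted rules (ESP, AH, mDNS, CUPS udp and tcp) are the ones it reports when only SSH is selected. The ordering of what survives is preserved, so the stripped output can be written back and loaded with `service iptables restart` without reordering the REJECT at the end of the chain.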
Comment 1 Stefan Orbilt 2008-10-03 11:35:48 EDT
I just noticed this too when I used the system-config-securitylevel GUI. The same ports are opened for me with no option to turn them off.
Comment 7 RHEL Product and Program Management 2009-03-26 13:10:26 EDT
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 8 Stefan Orbilt 2009-03-26 13:43:44 EDT
Well I wouldn't want to waste the time you should be spending on updating PHP and SSHD to the next major versions so by all means, leave this hole wide open.
Comment 9 Wade Mealing 2009-03-26 21:27:10 EDT
G'day Stefan,

Speaking from what I know, rather than for Red Hat. The usual plan is not to update versions of products, to provide a stable and sane tested platform for customers to deploy their products. Updating these versions mid-stream would be against this and would probably cause a lot of heartache for a lot of people.

Be this a security hole or not, changing the defaults will result in a behaviour change and will break existing configurations. Adding new options to close these defaults will result in big code changes in C and Python.

This is already changed in Fedora and these changes in flow will result in the modifications being in Red Hat Enterprise Linux 6.
Comment 10 Stefan Orbilt 2009-03-27 04:26:13 EDT
Hi Wade,

Thanks for your reply! I guess it makes sense to wait for the next major release then. I am very much looking forward to RHEL 6, I just hope it makes it out this year.
Comment 17 RHEL Product and Program Management 2010-08-09 15:19:54 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 19 RHEL Product and Program Management 2011-05-31 10:39:49 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 20 David Mair 2011-10-15 21:20:13 EDT
Closing this out as it has been fixed with system-config-firewall in RHEL6 and beyond. This is not a priority for RHEL5. If you feel this is incorrect please open a support case with Red Hat at access.redhat.com.
Comment 21 Steven Roberts 2012-01-30 02:36:23 EST
I'm fine with it being in EL6.  I have the work around for EL5 in place already, but nice to not have to have it in EL6.

I did test in EL6 and it looks good. The only thing on by default is icmp, and that can be disabled.
