Bug 488705 - When Samba Is Installed, Firewall Ports Are Not Automatically Opened
Summary: When Samba Is Installed, Firewall Ports Are Not Automatically Opened
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-firewall
Version: 10
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-03-05 10:50 UTC by William Golden Wilkins
Modified: 2009-03-17 13:04 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-03-17 13:04:09 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description William Golden Wilkins 2009-03-05 10:50:47 UTC
When installing Fedora 10, if a user indicates they want Samba installed, during the package selection process, it is installed correctly, but the appropriate ports for it to be used are not automatically opened in the firewall.

This is not a huge problem, but it is moderately annoying, as it adds an extra few steps to the process of setting up a Fedora fileserver for use in Windows environments.  It is also likely to drive new users (i.e. Windows power users trying out Linux for the first time, for use at their house, or inadept Windows sysadmins with no Linux knowledge or troubleshotting skills) insane.

The solution would be for F10 to automatically unblock ports related to services that are installed either via the installation media or yum.

Comment 1 Simo Sorce 2009-03-05 13:28:49 UTC
This is not a samba bug, and I think it's not a bug at all, but if there is a package that may get it, it is probably system-config-firewall, reassigning.

Comment 2 William Golden Wilkins 2009-03-06 12:55:32 UTC
Sorry about that, and thank you very much.   I wasn't aware what specifically this would fall under, and this was my first bug report.

I do feel this should be fixed, as when you install a package that enables a service, like samba, or something like VNC, or whatever, the appropriate ports should be opened automatically.  What would be even nicer would be if uninstalling said service closed said ports automatically.  This would save sysadmins a lot of time, and also really help out some of our novice users, who are eaisly pwned by stuff like this.

Comment 3 Thomas Woerner 2009-03-06 13:18:34 UTC
Please think about this: The user is installing package X, that has a requirement to package Y. He uses some functionality from package X and does not know about package Y. Package Y is magically opening some ports in the firewall without his notice and is also starting a service which makes the files in his home directory readable (and maybe writable) for everyone connecting to the now open ports.

Is this really what you like to have? Is this really what a novice user would expect?

There are even other things: What if the user has a trusted network and he only wants to have the service usable for this network? Opening the service for everyone would also be unexpected for this user.

Comment 4 William Golden Wilkins 2009-03-06 23:53:28 UTC
I would argue that the above behavior is desirable.

Consider this scenario:

A user (either a novice, or a professional sysadmin) installs a web application that of course depends on apache, PHP, et cetera, and uses SSL encryption.  Thus ports 80 and 443 must be opened. At present, the experienced sysadmin would also have to take the time to open the ports manually, although he at least would know to do it (and if he was scripting an automatic install of this, he'd also have to bother to add some lines to his script to do this for him, and test those lines, among other bits of annoyance.  The novice user will, on the other hand, be flummoxed, and will waste some length of time searching for help via Google, IRC, the forums, and other means.  This is a routine occurance, and anyone who has spent any length of time on Freenode, for example, can attest to its regularity, not just with Fedora, but with several other OSes.

Opening the ports automatically would be a huge leap forward in terms of convenience.

Now, you do raise a legitimate concern about users inadvertantly opening ports, and inadvertantly creating security holes, and also how this could go against the wishes of people who want to limit access to a given port based on the originating network.

The trick here, in my mind, would merely be to disclose to the user that these actions have occured.  I'm not sure if RPM in fact supports the ability to do this, although coming from FreeBSD land, their ports and packages routinely display post install messages (for example, installing vim brings up a warning message about security risks involving Showmode and trojaned text files).

In this manner, users would be aware that ports had been opened, and thus would be cued in to the need to perform any additionally required firewall configuration steps in order to comply with their preferred network security policy.

Comment 5 Thomas Woerner 2009-03-17 13:04:09 UTC
If you are opening ports because a service is installed in the system without the need to be configured at all, then you can disable the firewall completely, because it results in exactly the same: Everything is open and everything is possible.

A very good example against opening ports of services automatically is a notebook with a local database containing private data, which will be exposed even to a wireless connection in an internet cafe if ports are openend automatically for all interfaces. This is a very bad situation and the user will not expect this behaviour at all. 

It also makes a big difference for services if you want to be a client or server. Automatic port opening will have to open all ports, even the server ports. Unexpected sharing of information with the world is not what a user expects.

Asking the user in the post script of the installation of every service will make an automatic installation process impossible. Please think of kickstart installations. A simple warning message in the post script will not be seen at all for example in anaconda. Therefore the user will not know about it.

This is not a bug in my opinion, because disabling security mechanisms is a big risk.


Note You need to log in before you can comment on or make changes to this bug.