Date:      Wed, 13 Sep 2000 22:43:13 -0400
From:      "Louis A. Mamakos" <louie@TransSys.COM>
To:        security@freebsd.org, ade@freebsd.org
Subject:   potential security exposure in GNOME/ORBit?
Message-ID:  <200009140243.e8E2hDG42233@whizzo.transsys.com>


I did a quick search of the FreeBSD security mailing list archives, but
didn't see a discussion of this.  My apologies if this ground has been
covered.

I recently installed GNOME on my FreeBSD-current boxes, and noted that
a bunch of GNOME applications were listening on random TCP ports.  Some
investigation eventually revealed that this is intended to be used as
a rendezvous mechanism for the ORBit CORBA implementation.  Now, this
seemed like a strange default configuration, as the usual mode of
these interactions on the same machine would appear to be UNIX domain
sockets created for this purpose.

Some discussion on one of the GNOME mailing list archives spoke
to this; the arguments were one of either:

	1.  By default, a system out of the box shouldn't be listening
	on random ports in a way which makes it difficult to secure, or
	even necessary to have to secure.

or

	2.  Hey, it's not a bug, but a *feature* of ORBit that the
	CORBA thing works transparently and easily over the network,
	and not just on the local machine.  You can't just "fix" this
	for GNOME applications without "breaking" other applications
	that might use ORBit between machines.

The solution offered was that folks concerned about these ORBit based
applications waiting for connections could put

ORBIIOPIPv4=0
ORBIIOPIPv6=0

into /usr/local/etc/orbitrc to disable this behavior.  I've done this,
and the GNOME applications using ORBit continue to work, presumably
continuing to use the UNIX domain sockets created for the purpose.

So my question is related to what the default state should be when
someone installs the FreeBSD GNOME ports.  In my own case, I found it
surprising to find a bunch of processes (which probably haven't been
well audited for security issues) listening on random ports, just
waiting for a port scan.  As nothing other than these local GNOME
applications is using ORBit, I did the "fix" above and no more
ports are waiting for connections from who knows where.

I'd suggest that minimally there be a warning, or perhaps that the
orbitrc file be installed to turn off this "feature" when the
devel/ORBit port is installed.

louie
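A small audit script, added here as an example and not part of the message above or of the ORBit/GNOME ports: it checks whether an orbitrc file carries the two settings the message recommends, and lists TCP listeners from `sockstat -l` output so the "random ports" can be spotted before and after the change. The KEY=VALUE orbitrc layout and the sockstat column order are assumptions taken from the message, and the sample files and sockstat lines are constructed.

```shell
#!/bin/sh
# Added audit script (not part of the original message). Assumes the
# KEY=VALUE orbitrc layout quoted in the message and the column order of
# FreeBSD's `sockstat -l` output; the sample data below is constructed.

# Succeed only when the orbitrc at $1 sets both IIOP transports to 0.
# The last occurrence of each key wins, since a later line would override.
orbit_iiop_disabled() {
    rc="$1"
    [ -r "$rc" ] || return 1
    v4=$(sed -n 's/^[[:space:]]*ORBIIOPIPv4=\([^[:space:]]*\).*/\1/p' "$rc" | tail -n 1)
    v6=$(sed -n 's/^[[:space:]]*ORBIIOPIPv6=\([^[:space:]]*\).*/\1/p' "$rc" | tail -n 1)
    [ "$v4" = "0" ] && [ "$v6" = "0" ]
}

# Read sockstat output on stdin and print "USER COMMAND PID LOCAL" for every
# TCP listener; UNIX-domain (stream) sockets, the preferred local transport,
# are skipped because they are not reachable from the network.
listening_tcp() {
    awk 'NR > 1 && $5 ~ /^tcp/ { print $1, $2, $3, $6 }'
}

# Constructed inputs: one orbitrc with the fix applied, one without, and a
# snippet of sockstat output showing an ORBit-using panel on a random port.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'ORBIIOPIPv4=0\nORBIIOPIPv6=0\n' > "$tmp/orbitrc.fixed"
printf '# stock file, nothing set\n' > "$tmp/orbitrc.default"
SAMPLE_SOCKSTAT='USER   COMMAND     PID  FD PROTO  LOCAL ADDRESS          FOREIGN ADDRESS
louie  gnome-panel 3111 7  tcp4   *:35917                *:*
louie  gnome-panel 3111 8  stream /tmp/orbit-louie/orb-1
root   sshd        211  4  tcp4   *:22                   *:*'

for f in fixed default; do
    if orbit_iiop_disabled "$tmp/orbitrc.$f"; then
        echo "orbitrc.$f: IIOP over IPv4/IPv6 disabled"
    else
        echo "orbitrc.$f: ORBit may still listen on TCP ports"
    fi
done
echo "Listening TCP sockets (sample data):"
printf '%s\n' "$SAMPLE_SOCKSTAT" | listening_tcp
```

On a real box, replace the sample with `sockstat -l | listening_tcp` and point the check at /usr/local/etc/orbitrc.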