From owner-freebsd-security Wed Sep 13 19:43:17 2000
Delivered-To: freebsd-security@freebsd.org
Received: from whizzo.transsys.com (whizzo.TransSys.COM [144.202.42.10]) by hub.freebsd.org (Postfix) with ESMTP id D3A3937B424; Wed, 13 Sep 2000 19:43:13 -0700 (PDT)
Received: from whizzo.transsys.com (localhost.transsys.com [127.0.0.1]) by whizzo.transsys.com (8.11.0/8.11.0) with ESMTP id e8E2hDG42233; Wed, 13 Sep 2000 22:43:13 -0400 (EDT) (envelope-from louie@whizzo.transsys.com)
Message-Id: <200009140243.e8E2hDG42233@whizzo.transsys.com>
X-Mailer: exmh version 2.1.1 10/15/1999
X-Image-URL: http://www.transsys.com/louie/images/louie-mail.jpg
To: security@freebsd.org, ade@freebsd.org
From: "Louis A. Mamakos"
Subject: potential security exposure in GNOME/ORBit?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 13 Sep 2000 22:43:13 -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I did a quick search of the FreeBSD security mailing list archives, but didn't see a discussion of this. My apologies if this ground has been covered.

I recently installed GNOME on my FreeBSD-current boxes, and noted that a bunch of GNOME applications were listening on random TCP ports. Some investigation eventually revealed that this is intended to be used as a rendezvous mechanism for the ORBit CORBA implementation.

Now, this seemed like a strange default configuration, as the usual mode of these interactions on the same machine would appear to be UNIX domain sockets created for this purpose. Some discussion on one of the GNOME mailing list archives spoke to this; the arguments were one of either:

1. By default, a system out of the box shouldn't be listening on random ports in a way which makes it difficult to secure, or even necessary to have to secure.

or

2. Hey, it's not a bug, but a *feature* of ORBit that the CORBA thing work transparently and easily over the network, and not just on the local machine. You can't just "fix" this for GNOME applications without "breaking" other applications that might use ORBit between machines.

The solution offered was that folks concerned about these ORBit based applications waiting for connections could put

    ORBIIOPIPv4=0
    ORBIIOPIPv6=0

into /usr/local/etc/orbitrc to disable this behavior. I've done this, and the GNOME applications using ORBit continue to work, presumably continuing to use the UNIX domain sockets created for the purpose.

So my question is related to what the default state should be when someone installs the FreeBSD GNOME ports? In my own case, I found it surprising to find a bunch of processes (which probably haven't been well audited for security issues) listening on random ports, just waiting for a port scan. As nothing else is using ORBit than these local GNOME applications, I did the "fix" above and no more ports waiting for connections from who knows where.

I'd suggest that minimally there be a warning, or perhaps that the orbitrc file be installed to turn off this "feature" when the devel/ORBit port is installed.

louie
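The check-and-fix the post describes, written out as an added example (this is not code from the post, nor from the ORBit or GNOME projects). It assumes FreeBSD's sockstat(1) column layout (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS); the sockstat output embedded below is a constructed sample with made-up PIDs and ports so the script runs offline, and the orbitrc path is passed in rather than hard-coded. `tcp_listeners` picks out the wildcard-bound tcp4 listeners on unprivileged ports, which is what the "random ports" looked like, and `write_orbitrc` applies the two ORBIIOPIPv4/ORBIIOPIPv6 settings from the post idempotently, so it can safely be run from a port's install step or an admin script more than once.

```shell
#!/bin/sh
# Added example, not part of the original post or of ORBit/GNOME.
# Assumptions: sockstat(1) output in the FreeBSD column layout shown below;
# the orbitrc path is supplied by the caller (the post uses /usr/local/etc/orbitrc).

# Constructed sample of `sockstat -4 -l` output. PIDs and ports are invented;
# in real use, replace with: SAMPLE_SOCKSTAT="$(sockstat -4 -l)"
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312   4  tcp4   *:22                  *:*
louie    panel      1407  5  tcp4   *:1029                *:*
louie    panel      1407  6  stream /tmp/orbit-louie/orb-1407
louie    gmc        1412  5  tcp4   *:1031                *:*
louie    gmc        1412  6  stream /tmp/orbit-louie/orb-1412
root     syslogd    201   4  udp4   *:514                 *:*'

# Print "COMMAND PID PORT" for each tcp4 socket bound to the wildcard address
# on an unprivileged port (>= 1024). Well-known daemons such as sshd on 22 and
# the UNIX-domain (stream) sockets ORBit also creates are left out on purpose.
tcp_listeners() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $5 == "tcp4" && $6 ~ /^\*:[0-9]+$/ {
            split($6, a, ":")
            if (a[2] + 0 >= 1024) print $2, $3, a[2]
        }'
}

# Write the two settings from the post into an orbitrc file. Any existing
# ORBIIOPIPv4/ORBIIOPIPv6 line is replaced, other lines are kept, and the file
# is created if missing. Running it twice leaves the file unchanged.
write_orbitrc() {
    rc="$1"
    tmp="$rc.tmp.$$"
    if [ -f "$rc" ]; then
        # grep -v exits 1 when nothing survives the filter; that is not an error here.
        grep -v -E '^ORBIIOPIPv[46]=' "$rc" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'ORBIIOPIPv4=0\nORBIIOPIPv6=0\n' >> "$tmp"
    mv "$tmp" "$rc"
}

# Exit 0 only if the file disables both the IPv4 and the IPv6 IIOP listeners.
orbit_tcp_disabled() {
    grep -q -x 'ORBIIOPIPv4=0' "$1" && grep -q -x 'ORBIIOPIPv6=0' "$1"
}

# Stand-alone usage: report the listeners, then show the fix against a scratch file.
if [ "${1:-}" = "--demo" ]; then
    echo "wildcard tcp4 listeners on unprivileged ports:"
    tcp_listeners "$SAMPLE_SOCKSTAT"
    demo_rc="$(mktemp)"
    write_orbitrc "$demo_rc"
    orbit_tcp_disabled "$demo_rc" && echo "orbitrc at $demo_rc disables IIOP over TCP"
    rm -f "$demo_rc"
fi
```

Run it with `--demo` to see the listener report against the constructed sample; to audit a live box, substitute the real `sockstat -4 -l` output and point `write_orbitrc` at /usr/local/etc/orbitrc. Note that the filter only flags wildcard-bound sockets, so a daemon bound explicitly to 127.0.0.1 is not reported.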