Re: sudo without password



Alan McKinnon wrote:
> On Friday 09 June 2006 22:57, ubuntu@xxxxxx wrote:

>> That said, from using other distros, others set it up for filtering
>> incoming only. Thus, you don't need to know what ports things use,
>> unless you're setting up a server process. Moreover, there are
>> plenty of GUI-based systems for managing iptables where you don't
>> need to know the port numbers. If you're setting up an IMAP
>> server, you'd just check off or type in "IMAP". For most users,
>> the firewall would be completely invisible, since they generally
>> don't need to have anything listening to the network.

> I'm of the opinion that writing a firewall gui is relatively easy, but
> writing one that users can use is considerably more difficult. The
> obvious choice to you and I is "Block imap (y/n)?" and it makes
> perfect sense to us. Aunt Tillie could probably grok this too if she
> felt like studying it, but by and large she doesn't. What does happen
> is she gets confuddled by "imap" and then wonders what to do (or
> makes the snap decision we least want her to make).

I think you're misunderstanding me... the firewall is only set up to
block INCOMING. Thus, even without a single port open, you can use
KMail for IMAP or SMTP or anything else. It's completely invisible to
the average user who isn't running a server. Aunt Tillie is just using
KMail, not running an IMAP server on her desktop, so she would never
even notice it.

By default, it's no different than Ubuntu's "Nothing is listening".
However, should something be installed that DOES listen, either through
misconfiguration, ignorance, or malice, the firewall is there to prevent it.

> A better scheme is to alert Aunt Tillie that kmail is trying to open a
> connection to a remote machine and it wants to talk to port 25.
> Auntie knows this OK as she just clicked send in kmail, and is in a
> position to safely say "OK".

This would be the ZoneAlarm style, which Linux really lacks, unfortunately.

> I think the Debian point of view is rooted in the idea that a
> knowledgeable user has one eye on netstat and logs at all times, so
> it's probably a safe approach. As you say, not the ideal POV for a
> workstation for the masses

Precisely. As Ubuntu targets the masses more and more, I think a change
of thinking in this area is warranted.

> Sounds like a neat solution, a good middle point if you don't need the
> full complexity of SELinux for instance. What impact does it have on
> performance though? And how easy is it to set the profile for an app
> too restrictive so that using it becomes a pita? - the downside to
> almost any security solution is always that if it becomes too much of
> a hassle to use, users can be counted on to find a way to switch it
> off

So far, I haven't run into a single issue with AppArmor. The base SuSE
installation of it even includes an AppArmor profile for Firefox, and I
haven't had a single problem, even after upgrading Firefox. I haven't
exhaustively gone through the permissions, so perhaps they are simply
quite lenient, but so far it's been entirely seamless. I wholeheartedly
recommend Ubuntu look into it for the next release.

One of Linux's great advantages is bundling. Unlike Microsoft, Linux
distros can set up the entire kitchen sink ahead of time
configuration-wise. If a ZoneAlarm-like app were written for Linux, all
the standard programs that came with the distribution could be properly
flagged ahead of time, so it would only bug the user for apps that were
installed later.


--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
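
The inbound-only policy described in the message above, as an added example that is not part of the original post or of any distribution's tooling: a generator for an iptables-restore ruleset that drops unsolicited incoming traffic, leaves outgoing connections alone, and opens a port only when a service is named. The function names and the small service table are assumptions standing in for the GUI checklist.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset that filters INCOMING only.

# Constructed name-to-port table, standing in for a GUI "check off IMAP" list.
service_port() {
    case "$1" in
        imap)  echo 143 ;;
        imaps) echo 993 ;;
        smtp)  echo 25 ;;
        ssh)   echo 22 ;;
        http)  echo 80 ;;
        *)     return 1 ;;
    esac
}

# Usage: inbound_only_rules [service ...]
inbound_only_rules() {
    # Resolve every name first so a typo never yields a half-written ruleset.
    ports=""
    for svc in "$@"; do
        port=$(service_port "$svc") || {
            echo "unknown service: $svc" >&2
            return 1
        }
        ports="$ports $port"
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # unsolicited inbound is dropped by default
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'   # outbound (KMail to IMAP/SMTP) is untouched
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the desktop itself opened are let back in.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in $ports; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Desktop case: no services named, so nothing is reachable from outside.
inbound_only_rules
```

To apply a generated ruleset, pipe it to `iptables-restore` as root; a server operator would pass names, for example `inbound_only_rules imap imaps`.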


