On Thursday, February 20, 2020 10:44:16 PM MST Ed Greshko wrote: > On 2020-02-21 13:34, Samuel Sieb wrote: > > > On 2/20/20 7:47 PM, Ed Greshko wrote: > > > >> Oh, never mind. Wrong system. The "default" rules for > >> FedoraWorkstationso seem "odd". > > > > > > > Not really. > > > > > > > >> [root@f31m ~]# firewall-cmd --info-zone=FedoraWorkstation > >> FedoraWorkstation > >> target: default > >> icmp-block-inversion: no > >> interfaces: > >> sources: > >> services: dhcpv6-client samba-client ssh > >> ports: 1025-65535/udp 1025-65535/tcp > > > > > > > > Any critical system daemons are 1024 and below. The reason the high ports > > are left open is for user applications to be able to communicate without > > users having to figure out the firewall. > > Yeah, which is the reason for quotes around odd. > > I understand the reasoning to make it easier on users. It is just something > I wouldn't have done. I can envision someone configuring a service to run > on the higher ports which can be compromised and then disables selinux > because they run into it trying to protect them. > Maybe I shouldn't pity them. :-)
It's not just odd, it's a security nightmare. Processes running directly as the user have more privileges than most daemons, in fact. -- John M. Harris, Jr. Splentity _______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
