Marcelo Ricardo Leitner
2015-Dec-21 20:46 UTC
[CentOS] Network services start before network is up since migrating to 7.2
On 21-12-2015 14:24, James Hogarth wrote:
> On 21 December 2015 at 15:08, Sylvain CANOINE <sylvain.canoine at tv5monde.org> wrote:
>
>>> If you're using NetworkManager, you can "systemctl enable
>>> NetworkManager-wait-online.service" and you won't have to override any
>>> of the individual services.
>> Our security experts don't want me to use NetworkManager... It's even
>> uninstalled on the models, so I understand better why all the required
>> files are not here :
>>
>
> "experts" ... I'm sorry ...

Agreed. Sylvain, if possible, please elaborate on their reasoning for this, because it just seems like a case of "we fear what we don't know", so they are recommending to stick to old habits instead.

Or have they identified real attack vectors in NM? If yes, we would love to hear that so it can be fixed.

Marcelo
Sylvain CANOINE
2015-Dec-22 10:33 UTC
[CentOS] Network services start before network is up since migrating to 7.2
----- Original message -----
> From: "Marcelo Ricardo Leitner" <marcelo.leitner at gmail.com>
> To: "centos" <centos at centos.org>
> Sent: Monday 21 December 2015 21:46:10
> Subject: Re: [CentOS] Network services start before network is up since migrating to 7.2

> Agreed. Sylvain, if possible, please elaborate on their reasoning for
> this, because it just seems like a case of "we fear what we don't know",
> so they are recommending to stick to old habits instead.
>
> Or have they identified real attack vectors in NM? If yes, we would love
> to hear that so it can be fixed.

In short, "you don't need it, so don't use it".

They said NM is more a desktop-oriented tool, already had privilege escalation issues in the past (I didn't search if they're right), has too many dependencies (such as wpa_supplicant and avahi, which are, of course, also forbidden), needs extra mechanisms (PAM? Polkit?) to avoid users changing its settings, needs D-Bus just to work, so it is too complex just to set static IP addresses on network interfaces. They said multiple administrator actions, and potentially human errors, to set it up, may be a security risk...

Sylvain.

Think ENVIRONMENT: print only if necessary
James Hogarth
2015-Dec-22 13:29 UTC
[CentOS] Network services start before network is up since migrating to 7.2
On 22 December 2015 at 10:33, Sylvain CANOINE <sylvain.canoine at tv5monde.org> wrote:
>
> ----- Original message -----
> > From: "Marcelo Ricardo Leitner" <marcelo.leitner at gmail.com>
> > To: "centos" <centos at centos.org>
> > Sent: Monday 21 December 2015 21:46:10
> > Subject: Re: [CentOS] Network services start before network is up since
> migrating to 7.2
>
> > Agreed. Sylvain, if possible, please elaborate on their reasoning for
> > this, because it just seems like a case of "we fear what we don't know",
> > so they are recommending to stick to old habits instead.
> >
> > Or have they identified real attack vectors in NM? If yes, we would love
> > to hear that so it can be fixed.
> In short, "you don't need it, so don't use it".
> They said NM is more a desktop-oriented tool, already had privilege
> escalation issues in the past (I didn't search if they're right), has too
> many dependencies (such as wpa_supplicant and avahi, which are, of course,
> also forbidden), needs extra mechanisms (PAM? Polkit?) to avoid users
> changing its settings, needs D-Bus just to work, so it is too complex
> just to set static IP addresses on network interfaces. They said multiple
> administrator actions, and potentially human errors, to set it up, may be a
> security risk...
>
>

Also known as "we have our policies for EL6 and we haven't paid any attention to EL7 to see how things have changed" ...

Wonder if they have read my NM blog article yet ...

Honestly any 'security' people banning wpa_supplicant need their heads examined given that it is used for 802.1x authentication ... which if they care about security they should be paying attention to.

As for polkit and dbus ... well they have to be there in EL7 and systemd relies on these mechanisms.

That said if they're having kittens about NM, polkit, dbus and wpa_supplicant they probably hate systemd and frankly I'm surprised they permit EL7 at all ;)

Note that by default a non-administrator user cannot change system network configuration ... bah idiots ...
John R Pierce
2015-Dec-22 20:40 UTC
[CentOS] Network services start before network is up since migrating to 7.2
On 12/22/2015 2:33 AM, Sylvain CANOINE wrote:
> They said multiple administrator actions, and potentially human errors, to set it up, may be a security risk...

yeah, gotta get rid of those pesky humans, they always mess things up. And, get rid of the computers too, they've always had security problems. voila, problem solved!!

--
john r pierce, recycling bits in santa cruz
Marcelo Ricardo Leitner
2015-Dec-23 12:01 UTC
[CentOS] Network services start before network is up since migrating to 7.2
On 22-12-2015 08:33, Sylvain CANOINE wrote:
>
> ----- Original message -----
>> From: "Marcelo Ricardo Leitner" <marcelo.leitner at gmail.com>
>> To: "centos" <centos at centos.org>
>> Sent: Monday 21 December 2015 21:46:10
>> Subject: Re: [CentOS] Network services start before network is up since migrating to 7.2
>
>> Agreed. Sylvain, if possible, please elaborate on their reasoning for
>> this, because it just seems like a case of "we fear what we don't know",
>> so they are recommending to stick to old habits instead.
>>
>> Or have they identified real attack vectors in NM? If yes, we would love
>> to hear that so it can be fixed.
> In short, "you don't need it, so don't use it".
> They said NM is more a desktop-oriented tool, already had privilege escalation issues in the past (I didn't search if they're right), has too many dependencies (such as wpa_supplicant and avahi, which are, of course, also forbidden), needs extra mechanisms (PAM? Polkit?) to avoid users changing its settings, needs D-Bus just to work, so it is too complex just to set static IP addresses on network interfaces. They said multiple administrator actions, and potentially human errors, to set it up, may be a security risk...

Gotta say, this policy is very subjective. These reasons, they fit pretty much everything else too. If memory serves, sudo also had privilege escalation issues in the past, but it's needed.

NM is just a newborn and soon will be required. They are free to wait for it to mature more, yes, but just keep in mind that at least for now, that's a certain future, NM is getting more and more mainstream.

NM already can be used only during startup, with no daemon running after that. That helps a lot already with the reasoning they presented.

Thanks for sharing that.

Marcelo
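The thread's underlying technical point is that a service which only declares `After=network.target` can start before any address is configured; the fix quoted at the top is either to enable `NetworkManager-wait-online.service` or to override each affected unit so it orders after and pulls in `network-online.target`. The following POSIX shell script, added here as an example and not part of the CentOS list thread, audits unit files for that second form of the fix. It assumes units use plain `After=` and `Wants=` lines in the `[Unit]` section; the three sample units it writes to a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the CentOS list thread): audit systemd unit files
# for the ordering that makes a service wait for the network to be fully up.
# Assumptions: the [Unit] section uses plain "After=" / "Wants=" lines
# (possibly repeated, possibly listing several targets on one line).

# Return 0 only if the unit orders itself after network-online.target AND
# pulls the target in with Wants=. After= alone only orders; without Wants=
# the target may never be activated and the ordering is then meaningless.
unit_waits_for_network() {
    unit="$1"
    # Gather every After= and Wants= value, one target per line.
    after=$(sed -n 's/^After=//p' "$unit" | tr ' ' '\n')
    wants=$(sed -n 's/^Wants=//p' "$unit" | tr ' ' '\n')
    printf '%s\n' "$after" | grep -qx 'network-online.target' || return 1
    printf '%s\n' "$wants" | grep -qx 'network-online.target' || return 1
    return 0
}

# One-line verdict per unit; loop this over /etc/systemd/system/*.service
# to find services that can race the network at boot.
report_unit() {
    if unit_waits_for_network "$1"; then
        echo "$1: waits for network-online.target"
    else
        echo "$1: may start before the network is up (no After=+Wants=network-online.target)"
    fi
}

# Constructed sample units so the script runs stand-alone.
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/good.service" <<'EOF'
[Unit]
Description=Constructed sample: correctly waits for the network
After=network-online.target syslog.target
Wants=network-online.target

[Service]
ExecStart=/bin/true
EOF

cat > "$SAMPLE_DIR/bad.service" <<'EOF'
[Unit]
Description=Constructed sample: only After=network.target
After=network.target

[Service]
ExecStart=/bin/true
EOF

cat > "$SAMPLE_DIR/half.service" <<'EOF'
[Unit]
Description=Constructed sample: After= without Wants=
After=network-online.target

[Service]
ExecStart=/bin/true
EOF

for u in "$SAMPLE_DIR"/*.service; do
    report_unit "$u"
done
```

On a NetworkManager host, `network-online.target` is only meaningful once `NetworkManager-wait-online.service` is enabled (the `systemctl enable` command quoted in the first message); the check above tells you which units depend on that target, not whether the target itself is wired up.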