One more ¢…

On 12/04/2014 08:37 PM, Christopher Head wrote:
> On December 4, 2014 8:12:58 AM PST, Andrew Savchenko <birc...@gentoo.org> wrote:
>>
>> Yes. But booting as many services as possible is even more
>> preferable, especially when the box is remote.
>
> Are you sure booting most, but not all, services in a loop is always
> better than booting none of them at all? What if I have an insecure
> dæmon listening on TCP, I need it running, but I want to ensure only
> local processes can connect to it? Obviously, I would make it “need
> iptables”, assuming the dæmon doesn’t have its own bind address
> config knob.
>
> What if now, by some accident, iptables ends up in a loop (maybe not
> even a loop including $insecure_service, but some other loop
> entirely), and it’s the randomly chosen victim? Is it still good to
> boot as many services as possible? I think not.
> I would make it “need iptables”

Firstly, the loop solver doesn't remove "need" dependencies [1]. There will be no problem.

[1] https://github.com/xaionaro/documentation/blob/master/openrc/earlyloopdetector/early-loop-detection.pdf

But there are a few ways to bypass such problems. For example:

- Don't enable the option in this case. You should understand the consequences of enabling any non-default option. Also, for example, a sysadmin shouldn't set up a public sshd with the password "test" on root. It's the same here. It's just required to understand what you are doing.

- Use network namespaces for insecure processes without the ability to set up the bind address, and use iptables to redirect to the real listening port (in the namespace).

Best regards,
Dmitry.
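The second workaround in the reply above (run the daemon in its own network namespace and let iptables redirect local connections to it), written out as an added example that is not from the thread, from OpenRC or from any of the participants. The namespace name, the veth device names, the 10.200.0.0/30 link addresses and the daemon path `/usr/sbin/insecured` are assumptions chosen for this example; the script needs root, iproute2 and iptables to actually run, and prints the commands instead when `DRY_RUN=1` is set.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): confine a daemon that has
# no bind-address knob by running it inside a network namespace. The daemon may
# happily listen on 0.0.0.0 there; the only path into the namespace is a veth
# link to this host, and an iptables DNAT rule in the nat OUTPUT chain forwards
# locally generated connections to it.
# Assumptions (hypothetical, chosen for the example): namespace name, veth
# names, the 10.200.0.0/30 link subnet and the daemon path used in "Usage".
set -eu

NS=insecure          # network namespace the daemon lives in
VETH_HOST=veth-host  # host end of the veth pair
VETH_NS=veth-ns      # namespace end of the veth pair
HOST_IP=10.200.0.1   # host-side address local clients connect to
NS_IP=10.200.0.2     # namespace-side address the daemon is reached on

# run: execute a command, or only print it when DRY_RUN=1 (review/test without root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_isolated_daemon PORT DAEMON [ARGS...]
setup_isolated_daemon() {
    port=$1; shift

    run ip netns add "$NS"
    run ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
    run ip link set "$VETH_NS" netns "$NS"

    run ip addr add "$HOST_IP/30" dev "$VETH_HOST"
    run ip link set "$VETH_HOST" up

    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" ip addr add "$NS_IP/30" dev "$VETH_NS"
    run ip netns exec "$NS" ip link set "$VETH_NS" up

    # Never forward anything across the veth link: even if ip_forward is
    # enabled for other reasons, remote hosts cannot reach the daemon's subnet.
    run iptables -A FORWARD -o "$VETH_HOST" -j DROP
    run iptables -A FORWARD -i "$VETH_HOST" -j DROP

    # Only locally generated packets traverse the nat OUTPUT chain, so clients
    # on this host connecting to HOST_IP:PORT are rewritten to the daemon in
    # the namespace. Packets arriving from the network go through PREROUTING
    # instead and are never redirected; nothing on the host listens on
    # HOST_IP:PORT, so they are simply refused.
    run iptables -t nat -A OUTPUT -d "$HOST_IP" -p tcp --dport "$port" \
        -j DNAT --to-destination "$NS_IP:$port"

    # Finally start the daemon inside the namespace.
    run ip netns exec "$NS" "$@"
}

# teardown_isolated_daemon PORT: undo the above. Deleting the namespace destroys
# its veth end, which takes the host-side peer with it.
teardown_isolated_daemon() {
    port=$1
    run iptables -t nat -D OUTPUT -d "$HOST_IP" -p tcp --dport "$port" \
        -j DNAT --to-destination "$NS_IP:$port"
    run iptables -D FORWARD -i "$VETH_HOST" -j DROP
    run iptables -D FORWARD -o "$VETH_HOST" -j DROP
    run ip netns del "$NS"
}

# Usage (hypothetical daemon path):
#   sh isolate.sh 8080 /usr/sbin/insecured --foreground
#   DRY_RUN=1 sh isolate.sh 8080 /usr/sbin/insecured      # print the commands only
if [ "$#" -ge 2 ]; then
    setup_isolated_daemon "$@"
fi
```

Local clients are pointed at 10.200.0.1:PORT rather than 127.0.0.1:PORT on purpose: rewriting loopback-destined connections would additionally require source NAT on the veth link and the `route_localnet` sysctl for the host-side device, because the kernel otherwise refuses to route a packet with a 127.0.0.0/8 source out of a non-loopback interface. Using the veth address keeps the rule set to a single DNAT and two FORWARD drops, and the daemon itself needs no configuration at all.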