DefaultNetworkServices

Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

Summary

This policy defines the requirements and default settings for applications that acquire information from, and share information over, the network. It replaces the old informal "No open ports in the default installation" policy.

Rationale

We were never able to completely fulfil the "No open ports" promise, since we install a DHCP client by default and we always had DNS resolving (which is already untrusted information from the network). With the advent of technologies like DNS-SD and MDNS, users want these services enabled by default, and many enable them immediately after installation. We need to make this use reasonably safe, instead of trying to discourage users from doing it.

Use cases

  • Jono gives a talk about Jokosher and his great music produced by it, so he shares it to the local network. The attendees immediately see his music in Rhythmbox and can play it.
  • Claire is often traveling to lots of different places organizing conferences. When she walks into an office, her computer picks up a network-accessible cups printer and she can instantly print on them without any configuration whatsoever.
  • Pitti has super-secret undisclosed security patches on his box. He never ever wants to expose any of his hard disk data to the network without his explicit desire. Being paranoid, he does not trust files from other people, so his applications should always make it clear whether a service was locally configured, or automatically discovered.
  • Fabio installs Ubuntu server and expects to be in full control over IP addresses, network names, and detected information.

Scope

This policy applies to all packages officially supported by Ubuntu.

Policy

Exposing local information to the network

  • A default Ubuntu installation must not expose any application-level data to the network (unless the user explicitly requests it using an understandable interface). It is legitimate to expose global machine information on the IP network level, in particular the network controller's MAC address, IP address, local host name, and availability of network-facing services.
  • Packages which are not part of the default installation can automatically expose application-level data to the network, since the user explicitly has to install them.
  • Package or distribution upgrades must not expose any information which was previously unexposed.

Detecting and using remote services

  • The default Ubuntu desktop installation can automatically detect services offered by other computers in the network and present them to the user. These services are untrustworthy and potentially dangerous, so applications that can use the detected services must:
    • Always clearly separate local (or locally configured) trustworthy services from automatically detected remote services.
    • Never automatically communicate with detected services without an explicit user request.
    • Offer a discoverable way to disable the presentation and usage of autodetected remote services.
  • The default Ubuntu server installation must not detect any services offered by other computers in the network.

Service discovery processes

A process that is part of the default Ubuntu installation and accepts any packets from the network must confine its privileges in a way that a potential arbitrary code execution vulnerability in this process cannot access any user's data nor any other system processes. This generally means running them under a system user ID, perhaps with some additional non-root-equivalent group memberships.

There may be other security problems with software which offers services to the network; for example, complexity, lack of code quality, poor upstream security response processes, or other difficulties. Programs with these kinds of problems should not be enabled by default.

Signoff process

Each piece of software which, in the default install, listens on or is advertised to the network, must be approved by the Ubuntu Technical Board and a member of the Ubuntu core developers' security team.


CategorySpec

DefaultNetworkServices (last edited 2009-02-23 10:08:28 by 82-69-40-219)