DefaultNetworkServices

Revision 2 as of 2006-11-10 00:01:13


Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

Summary

This specification is a policy document which defines the requirements on, and default settings of, information that is acquired from, and shared to, the network. It replaces the old informal "No open ports in the default installation" policy.

Rationale

We were never able to completely fulfill the "No open ports" promise, since we install a DHCP client by default and we always had DNS resolving (which is already untrusted information from the network). With the advent of technologies like DNS-SD and mDNS, users desire to have these services enabled by default, and many enable them immediately after installation. Our main goal is to provide reasonably safe operation with such technology instead of actively discouraging users from enabling it.

Use cases

  • Jono gives a talk about Jokosher and his great music produced by it, so he shares it to the local network. The attendees immediately see his music in Rhythmbox and can play it.
  • Claire is often traveling to lots of different places organizing conferences. When she walks into an office, her computer picks up a network-accessible CUPS printer and she can instantly print on it without any configuration whatsoever.
  • Pitti has super secret undisclosed security patches on his box. He never ever wants to expose any of his hard disk data to the network without his explicit desire. Being paranoid, he does not trust files from other people, so his applications should always make it clear whether a service was locally configured, or automatically discovered.

Scope

This policy applies to all packages officially supported by Ubuntu.

Policy

Exposing local information to the network

  • A default Ubuntu installation must not expose any application-level data to the network. It is legitimate to expose global machine information on the IP network level, in particular the network controller's MAC address, IP address, and the local host name.
  • Packages which are not part of the default installation can automatically expose application-level data to the network, since the user explicitly has to install them.
  • Package or distribution upgrades must not expose any information which was previously unexposed.
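As an added example (not part of the original specification), a small shell audit for the first rule above: it lists listening sockets bound to non-loopback addresses and flags anything not on an allow list, so a default installation can be checked for application-level listeners. The `ss -Hlntu` column layout, the allow-list value and the sample socket lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Audit of network-exposed listeners against the policy above.
# Input: one socket per line in `ss -Hlntu` column order:
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# Listeners bound only to loopback are fine; anything else must be on the allow list.

# Assumed allow list: the DHCP client (UDP 68) is the one default-install
# listener the policy tolerates. Add "udp/5353" only after mDNS is deliberately enabled.
ALLOWED_EXTERNAL="udp/68"

# Constructed sample (not captured from a real host) in `ss -Hlntu` layout.
SAMPLE_SS='udp   UNCONN 0 0   0.0.0.0:68        0.0.0.0:*
udp   UNCONN 0 0   127.0.0.53%lo:53  0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:5353      0.0.0.0:*
tcp   LISTEN 0 128 [::]:631          [::]:*'

# Print "proto/port address" for every listener not bound to a loopback address.
exposed_listeners() {
    awk 'NF >= 5 {
        proto = $1; local = $5
        sub(/%[^:]*/, "", local)               # drop scope suffix, e.g. 127.0.0.53%lo
        n = match(local, /:[0-9]+$/)           # position of the trailing ":port"
        if (n == 0) next
        addr = substr(local, 1, n - 1); port = substr(local, n + 1)
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not exposed
        print proto "/" port " " addr
    }'
}

# Apply the allow list and report the remaining findings, one per line.
audit_exposure() {
    exposed_listeners | while read -r svc addr; do
        case " $ALLOWED_EXTERNAL " in
            *" $svc "*) ;;                                    # tolerated by policy
            *) printf 'FINDING: %s bound to %s\n' "$svc" "$addr" ;;
        esac
    done
}

# Runs against the sample; for a live host pipe the real listing: ss -Hlntu | audit_exposure
printf '%s\n' "$SAMPLE_SS" | audit_exposure
```

On the sample this reports three findings (tcp/22, udp/5353 and tcp/631 on [::]); the loopback-only CUPS and resolver sockets and the allowed DHCP client are silent.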

Detecting and using remote services

  • The default Ubuntu installation can automatically detect services offered by other computers in the network and present them to the user. These services are untrustworthy and potentially dangerous, so applications that can use the detected services must clearly separate local (or locally configured) trustworthy services and automatically detected remote services.
  • Applications must offer a discoverable way to disable the presentation and usage of autodetected remote services.

Service discovery processes

A process that is part of the default Ubuntu installation and accepts any packets from the network must confine its privileges so that a potential arbitrary code execution vulnerability in this process cannot access any user's data nor any other system processes. This generally means running it under a dedicated system user ID, perhaps with some additional non-root-equivalent group memberships.


CategorySpec