Renee Danson wrote:
> I also had some (perhaps naive) concerns about security in the design.
> I'm not a security expert, but the note about the service-provided
> ipf_method scripts being exec'ed as root set off alarm bells. What's
> to stop someone from creating a rogue service whose ipf_method script
> creates rules that open up vulnerabilities, or that stomp on rules of
> other services? Or (perhaps more likely) what about a service with a
> flawed script that accidentally causes such problems?
ipf_method doesn't create any new vulnerabilities; the same service author who created the malicious ipf_method could just as easily have created a malicious start method that runs as root. This is why only an adequately authorized user is permitted to add new services to the system.

Incidentally, this is also why ipf_method is defined in firewall_context instead of firewall_config. If for some reason you did want to delegate firewall configuration (this clearly wouldn't be the case on Bill's systems :), you need the ability to permit the delegate to modify the service's firewall parameters without providing an avenue for privilege escalation.

Dave
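To make the split Dave describes concrete, here is an added illustration (not a manifest from the thread or from the project) of how a service's manifest would keep the delegable firewall parameters in firewall_config, gated by an SMF value_authorization, while the root-executed ipf_method lives in firewall_context with no delegated authorization at all. The service name, method path, the `policy` property and the authorization string `solaris.smf.value.firewall.config` are assumed for the example; only the two property group names and ipf_method come from the thread.

```xml
<!-- Added example, not part of the original thread. Service and method
     names, the 'policy' property and the authorization string are
     assumptions chosen for illustration. -->
<service_bundle type='manifest' name='example'>
  <service name='network/example' type='service' version='1'>
    <instance name='default' enabled='false'>

      <!-- Firewall parameters for this service. A delegate who holds the
           authorization named in value_authorization may change these
           values with svccfg, but nothing in this group is executed,
           so there is no path from here to running code as root. -->
      <property_group name='firewall_config' type='firewall_config'>
        <propval name='policy' type='astring' value='use_global'/>
        <propval name='value_authorization' type='astring'
                 value='solaris.smf.value.firewall.config'/>
      </property_group>

      <!-- The script exec'ed as root to generate the service's rules.
           Deliberately no value_authorization: changing ipf_method is
           equivalent to installing a root-run start method, so it stays
           restricted to whoever is already permitted to modify the
           service itself. -->
      <property_group name='firewall_context' type='firewall_context'>
        <propval name='ipf_method' type='astring'
                 value='/lib/svc/method/example-ipfilter'/>
      </property_group>

    </instance>
  </service>
</service_bundle>
```

The check a practitioner would make when reviewing such a manifest is simply that no property group containing an executable path (ipf_method, start/stop exec strings) carries a value_authorization or modify_authorization that is handed to anyone below full service-modification rights; the firewall policy values can be delegated precisely because they are data, not code.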