JackeJR | 6 months ago

Just have sane firewall rules and you are good. E.g. if I install openssh-server and it auto starts, it doesn't make it out of my machine because my nftables does not allow inbound on port 22. It's just knowing the default behaviour and adjusting your practices for it.

johnisgood|6 months ago

That is a workaround for a ridiculous issue.

rbanffy|6 months ago

A sane firewall won't protect you from privilege escalation from a local attacker. While unlikely, this is one more breach that could be exploited.

bayindirh|6 months ago

Debian bundles AppArmor profiles for most services. This will prevent an attacker from accessing outside the perimeter drawn by the AppArmor profile.

account42|6 months ago

This is the "you're holding it wrong" response to a clear design issue.

teo_zero|6 months ago

Aren't firewall rules part of the "configuration" the OP talked about?

mjochim|6 months ago

No, because you can install and configure the firewall before you install package X. (without knowing anything about X, your firewall defaults can just prevent X from doing anything)

But you can't (easily) configure package X itself before you install it; and after you install it, it runs immediately so you only get to configure it after the first run.
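The approach discussed in this thread, a default-deny inbound policy loaded before any service package is installed, could look like the nftables ruleset below. This is an added example, not a configuration posted by any commenter; the table and chain names and the choice of permitted ICMP types are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): default-deny inbound policy.
# Load it before installing packages that auto-start a listener.

flush ruleset

table inet filter {
    chain input {
        # Anything not explicitly accepted below is dropped.
        type filter hook input priority filter; policy drop;

        # Loopback traffic never leaves the machine.
        iif "lo" accept

        # Replies to connections this host opened itself.
        ct state established,related accept
        ct state invalid drop

        # Assumption: allow ping and the ICMPv6 neighbour discovery
        # messages that IPv6 needs to function on the local link.
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Deliberately no "tcp dport 22 accept": an sshd that starts on
        # install is listening, but new inbound connections to it are
        # dropped until a rule is added here on purpose.
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        # Outbound traffic is unrestricted in this sketch.
        type filter hook output priority filter; policy accept;
    }
}
```

This only controls network reachability; it does not address the local privilege escalation concern or the service's own pre-start configuration raised in the replies above.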