Is minissdpd known to have been auditted for security, at a similar level to avahi-daemon?

by

Ubuntu have or had an effort, sometimes described as No Open Ports for the default install.

Exemptions are made for the DHCP client (otherwise you break networking for everyone), and for Avahi. Of the officially published reasons for Avahi, the most “compelling” one is the last: “[discover] a ZeroConf printer”. To maintain a high level of security, Ubuntu performed an audit of Avahi first. https://wiki.ubuntu.com/ZeroConfPolicySpec

(Relatedly, avahi-daemon defaults to running in a chroot jail).

Debian have no such effort. Installing Debian 9 Desktop (or Debian 8 Desktop) pulls in minissdpd, via transmission-gtk. Has minissdpd been subject to the same level of auditting as Avahi has been?

[Update: Debian 10 Desktop no longer pulls in minissdpd. Although when I install Digikam, I notice it still pulls in minidlna, and hence runs minidlnad]

Contents hide
Answers:
Method 1

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

No. The minissdpd package in Debian 10.0 would not pass a security audit.

minissdpd runs as the root user. There is no containment, apart from the systemd service being defined to use PrivateTmp. There is some test code to “drop privileges”, which is disabled with an #if 0 block and a TODO comment.

Note the daemon is written in C, the native language of buffer overflows.

(For the record, the approach in the test code would not be sufficient. The daemon could still try to access the filesystem. Remember that Debian defaults to making home directories readable by all users. Also, it hard-codes the nobody user. More software “dropping privileges” to become the same “nobody” user means more havoc this supposed “nobody” can wreak, and more likelihood that there is some private data it can access.)


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x