should it be? 🧐
No, but some people are using the network layer as access control and don't understand IPv6 so they block it instead. 🤬🤦
There's some legitimate use for host-based firewalls such as avoiding accidentally exposed services, determining which applications/services can use the network and access control for services only able to listen on loopback instead of a Unix domain socket.
I even consider use of no-auth loopback as unacceptable "network layer as access control". It breaks all privilege separation on the host.
We consider it unacceptable which is why we disable listening on loopback for as many services as possible (MariaDB, PostgreSQL) and implement uid-based access control for stuff not supporting that via nftables as a workaround for software deficiencies.
MariaDB and PostgreSQL do have authentication but I'd rather not rely on their internal authentication configuration. It's much nicer only having a socket and being able to use POSIX permissions, ACLs, MAC, etc. as you can with any other files even if internal config is wrong.
One thing that really bothers me about a lot of those services is they like having an insecure-by-default configuration. MySQL/MariaDB has the authentication configuration INSIDE THE DATABASE. You need to have the database running / working in order to connect and configure it...
Also, MySQL/MariaDB listens on 0.0.0.0 by default. A lot of LAMP-type software tends to also do that and whoever connects to the website first gets to configure the password, etc. It's pretty horrible. If somehow the configuration was wiped it just lets anyone compromise it.
The existence of this script which you're supposed to run immediately after installing and starting MySQL/MariaDB is sad:
mariadb.com/kb/en/mysql_se
To be fair, MariaDB at least has fixed this and it's no longer entirely insecure by default, just partially insecure by default.
New default is that it's exposed to the entire internet but there isn't a no password administration account, only a test database with unauthenticated usage permitted. It's massive attack surface but at least whole internet doesn't get db admin by default anymore... progress?
Only complaint about PostgreSQL defaults is that it'd be nice if it didn't bother listening on loopback by default since it's rarely necessary. It has a plain text authentication configuration file rather than inside the db. I set up nftables literally because of MariaDB though.
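
Added example, not part of the thread and not any participant's actual ruleset: a sketch of the uid-based loopback restriction described above, for a service that can only listen on loopback and has no usable authentication. The table name, port 8080 and the uids are constructed placeholders.

```nftables
# Constructed example: only the listed local uids may connect to a
# loopback-only TCP service. Port 8080 and uid 33 are placeholders.
table inet loopback_acl {
    chain output {
        # The output hook sees locally generated packets before they are
        # looped back, so "meta skuid" is the uid owning the client socket.
        type filter hook output priority filter; policy accept;

        # The inet family covers both 127.0.0.1 and ::1, so the rule
        # cannot be bypassed by connecting over IPv6 loopback.
        # Only client-to-service packets match (dport); replies from the
        # service have sport 8080 and pass through untouched.
        oifname "lo" tcp dport 8080 meta skuid != { 0, 33 } log prefix "lo-acl deny: " reject with tcp reset
    }
}
```

Load it with `nft -f <file>` and check the result with `nft list table inet loopback_acl`; denied attempts show up in the kernel log under the `lo-acl deny:` prefix.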


