timesync on by default in debian-8 template (3.2-testing)


johny...@sigaint.org

Aug 22, 2016, 11:37:18 AM
to qubes...@googlegroups.com
I notice in the debian-8 template that network time synchronization seems
to be on by default in systemd.

systemd-timesyncd.service loaded active running Network Time Synchronization
time-sync.target loaded active active System Time Synchronized

It's disabled in fedora-23 by default, and rightly so, as I believe it's
unnecessary given the dom0 driven /etc/qubes-rpc/qubes.SetDateTime
mechanism, and it's kind of "leaky" sending requests unnecessarily to the
Internet.

Paranoidly yours,

JJ

Andrew David Wong

Aug 24, 2016, 5:16:44 PM
to johny...@sigaint.org, qubes...@googlegroups.com
Would that fall under this issue?

https://github.com/QubesOS/qubes-issues/issues/1928

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

johny...@sigaint.org

Aug 24, 2016, 9:17:27 PM
to qubes...@googlegroups.com
I would say so, yes.

I think exim, cups, and possibly some gvfs-samba thing were also all
enabled on both the Fedora and debian-8 templates.

I personally don't like having those on by default in all the VMs,
listening on ports and poking around the network or Internet, as they
really should only be installed or enabled when you need them.

The samba browser thing was making name resolution requests to some
Internet server which (from some brief googling) appeared to be owned by
Microsoft. Not particularly cool. :)

(It's possible the Samba thing was dragged in by some other packages I
installed, although I'm fairly sure exim/cups were on in the default
fedora/debian templates.)

I know the firewall should prevent incoming connections to any listening
daemons (exim/cups/samba), but they're free to call out, as the samba
browser was doing. (And I hadn't done anything referring to a smb address
on the system.) Even with the firewall, why increase any attack surface
on unused services?

JJ
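Added example (not part of the thread, and not Qubes project code): a shell check for the services named in the posts above, run over `systemctl list-units` output. The watchlist patterns and every sample line other than the two quoted in the first post are constructed assumptions.

```shell
#!/bin/sh
# Unit-name prefixes for the services mentioned in the thread (assumption:
# exact unit names differ per distribution, e.g. exim4.service on Debian).
WATCHLIST='systemd-timesyncd|exim|cups|smb|nmb|samba'

# Reads lines in the format of
#   systemctl list-units --all --plain --no-legend
# (UNIT LOAD ACTIVE SUB DESCRIPTION...) on stdin and prints
# "unit<TAB>sub-state" for each watchlisted service or socket unit
# whose ACTIVE column is "active".
flag_active_units() {
    awk -v pat="^(${WATCHLIST})" '
        $1 ~ /\.(service|socket)$/ && $1 ~ pat && $3 == "active" {
            printf "%s\t%s\n", $1, $4
        }'
}

# Constructed sample input. The first two lines are the ones quoted in the
# first post; the rest are made up for illustration.
sample_units() {
    cat <<'EOF'
systemd-timesyncd.service loaded active running Network Time Synchronization
time-sync.target loaded active active System Time Synchronized
exim4.service loaded active running LSB: exim Mail Transport Agent
cups.service loaded inactive dead CUPS Scheduler
cups.socket loaded active listening CUPS Scheduler
cron.service loaded active running Regular background program processing daemon
EOF
}

# Demo on the constructed sample. In a template VM, feed real data instead:
#   systemctl list-units --all --plain --no-legend | flag_active_units
# A flagged unit can then be turned off in the template with:
#   systemctl stop UNIT && systemctl disable UNIT
sample_units | flag_active_units
```

A socket unit such as `cups.socket` is reported even when its service is inactive, because socket activation keeps the port open and starts the daemon on first connection.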


Andrew David Wong

Aug 25, 2016, 5:01:19 PM
to johny...@sigaint.org, qubes...@googlegroups.com

On 2016-08-24 18:17, johny...@sigaint.org wrote:
> I would say so, yes.
>
> I think exim, cups, and possibly some gvfs-samba thing were also all
> enabled on both the Fedora and debian-8 templates.
>
> I personally don't like having those on by default in all the VMs,
> listening on ports and poking around the network or Internet, as they
> really should only be installed or enabled when you need them.
>
> The samba browser thing was making name resolution requests to some
> Internet server which (from some brief googling) appeared to be owned by
> Microsoft. Not particularly cool. :)
>
> (It's possible the Samba thing was dragged in by some other packages I
> installed, although I'm fairly sure exim/cups were on in the default
> fedora/debian templates.)
>
> I know the firewall should prevent incoming connections to any listening
> daemons (exim/cups/samba), but they're free to call out, as the samba
> browser was doing. (And I hadn't done anything referring to a smb address
> on the system.) Even with the firewall, why increase any attack surface
> on unused services?
>
> JJ
>

Thanks. Added your suggestion as a comment on that issue.

P.S. - Please avoid top-posting.

> On 2016-08-22 08:37, johny...@sigaint.org wrote:
>>>> I notice in the debian-8 template that network time synchronization
>>>> seems to be on by default in systemd.
>>>>
>>>> systemd-timesyncd.service loaded active running Network Time Synchronization
>>>> time-sync.target loaded active active System Time Synchronized
>>>>
>>>> It's disabled in fedora-23 by default, and rightly so, as I believe
>>>> it's unnecessary given the dom0 driven
>>>> /etc/qubes-rpc/qubes.SetDateTime mechanism, and it's kind of "leaky"
>>>> sending requests unnecessarily to the Internet.
>>>>
>>>> Paranoidly yours,
>>>>
>>>> JJ
>>>>
>
> Would that fall under this issue?
>
> https://github.com/QubesOS/qubes-issues/issues/1928
>

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
