#1759 Approval for packaging 'xpra.socket' file
Closed 6 years ago Opened 6 years ago by sagitter.

Hello!

According to the packaging guidelines, I need permission to include a new .socket file in xpra.

xpra.socket:

[Unit]
Description=Xpra Socket
PartOf=xpra.service

[Socket]
#this doesn't work because of SELinux AVC denials:
ListenStream=14500
ListenStream=/run/xpra/system
#this is not handled yet:
#ListenStream=vsock:x:y
SocketUser=root
SocketGroup=xpra
PassCredentials=true

[Install]
WantedBy=sockets.target

xpra.service:

[Unit]
Description=Xpra System Server
Wants=avahi-daemon.socket
Documentation=https://xpra.org/trac/wiki/Service man:xpra
After=network.target xpra.socket
Requires=xpra.socket

[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/xpra
ExecStart=/usr/bin/xpra proxy :14500 --daemon=no --tcp-auth=${TCP_AUTH} \
    --ssl-cert=/etc/xpra/ssl-cert.pem --bind=none --auth=${AUTH} \
    --socket-dirs=/run/xpra --socket-permissions=666 --log-dir=/var/log \
    --pidfile=/run/xpra.pid --debug=${DEBUG}
#rely on SIGTERM which returns 128+15=143
SuccessExitStatus=0 143
Restart=on-abnormal
PIDFile=/run/xpra.pid
ProtectSystem=strict
ReadWritePaths=/run /tmp
#PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true

[Install]
WantedBy=multi-user.target

@sagitter Please submit a BZ via https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&format=fedora-systemd-request which will require you to answer certain questions that will help make the decision.

https://bugzilla.redhat.com/show_bug.cgi?id=1481009

OK, so looking into this, xpra is a network service specifically for allowing the forwarding of the X server to remote machines. In particular, the proxy server enabled by this request "allows a single xpra server to provide access to many xpra sessions through a single entry point, without using SSH for transport/authentication".

At minimum, I don't like the idea of allowing the proxy server to be enabled by default without asking the Security Team to do a full audit (in addition to FESCo ruling on whether it's beneficial to our users).

While it sounds useful in certain circumstances, I don't think it's common enough to justify enabling the unit file by default on installation. In general, we have a long-standing policy that package installation should not by itself result in services being started, except in specific exceptional cases necessary for the system to function at all. Even SSH doesn't start by default on all Fedora Editions (Workstation disables it explicitly).

On most Fedora Editions, even auto-starting these units would be insufficient, since the default firewall would not allow access (and we have not been asked to rule on whether this should become part of the default firewall allowances). The exception is Fedora Workstation, which has no firewall on port 14500 and would thus immediately be open to the world and offering a new point of ingress to the system, possibly without the user's knowledge if they pulled this package in unwittingly (for example if it became part of the BuildRequires dependency chain for something they are working on).

I vote "no" on enabling this by default; I don't think the convenience of the user not having to type systemctl enable xpra.socket in any way outweighs the potential risks of adding a new network-listening service to autostart.
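The risk weighed above depends on which listeners the socket unit opens to the network. As an added example (not part of the ticket and not xpra's or Fedora's own code), the following classifies each active ListenStream= value from the xpra.socket file quoted above, using the address forms documented in systemd.socket(5); the function names and category labels are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample: active and commented directives from the xpra.socket quoted in the ticket.
XPRA_SOCKET = """\
[Socket]
ListenStream=14500
ListenStream=/run/xpra/system
#ListenStream=vsock:x:y
PassCredentials=true

[Install]
WantedBy=sockets.target
"""

def classify(addr):
    """Classify one ListenStream= value by the address forms in systemd.socket(5)."""
    if addr.startswith(("/", "@")):
        return "unix"             # file-system or abstract AF_UNIX socket: local only
    if addr.startswith("vsock:"):
        return "vsock"            # AF_VSOCK: hypervisor/guest channel
    if addr.isdigit():
        return "tcp-any"          # bare port number: listens on all interfaces
    host, _, port = addr.rpartition(":")
    if not host or not port.isdigit():
        return "unknown"
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "unknown"
    if ip.is_loopback:
        return "tcp-loopback"
    return "tcp-any" if ip.is_unspecified else "tcp-address"

def audit(unit_text):
    """Return (address, kind) for each active ListenStream= line in [Socket]."""
    section, found = None, []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue              # systemd ignores blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Socket" and line.startswith("ListenStream="):
            addr = line.split("=", 1)[1].strip()
            found.append((addr, classify(addr)))
    return found

def network_exposed(unit_text):
    return [a for a, kind in audit(unit_text) if kind in ("tcp-any", "tcp-address")]
```

For the unit in this ticket, only the bare port 14500 is reported as network-exposed; the /run/xpra/system path is a local UNIX socket.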

Adding to the meeting agenda for today's (2017-08-18) FESCo meeting at 16:00 UTC. @sagitter, would be great if you could join.

We discussed this in the FESCo meeting yesterday and decided to:

  • AGREED: FESCo votes on "no" to enabling xpra.socket by default. The
    convenience of the user not having to type systemctl enable
    xpra.socket in any way outweighs the potential risks of adding a new
    network-listening service to autostart. (+1:6, 0:0, -1:0) (kalev,
    16:49:37)

https://meetbot.fedoraproject.org/fedora-meeting/2017-08-18/fesco.2017-08-18-16.00.html

Metadata Update from @kalev:
- Issue status updated to: Closed (was: Open)
