[CentOS] Network services start before network is up since migrating to 7.2
    m.roth at 5-cent.us
    Tue Dec 22 15:53:19 UTC 2015

James Hogarth wrote:
> On 22 December 2015 at 10:33, Sylvain CANOINE
> <sylvain.canoine at tv5monde.org> wrote:
>> > De: "Marcelo Ricardo Leitner" <marcelo.leitner at gmail.com>
<snip>
>> In short, "you don't need it, so don't use it".
>> They said NM is more a desktop-oriented tool, already had privilege
>> escalation issues in the past (I didn't search if they're right), has
>> too many dependencies (such as wpa_supplicant and avahi, which are, of
>> course, also forbidden), needs extra mechanisms (PAM? Polkit?)
>> to avoid users changing its settings, needs D-Bus just to work, so
>> it is too complex just to set static IP addresses on network
>> interfaces. They said multiple administrator actions, and
>> potentially human errors, to set it up, may be a security risk...
>
> Also known as "we have our policies for EL6 and we haven't paid any
> attention to EL7 to see how things have changed" ... Wonder if they have
> read my NM blog article yet ...
>
> Honestly any 'security' people banning wpa_supplicant needs their heads
> examined given that is used for 802.1x authentication ... which if they
> care about security they should be paying attention to.
Really? Why?
a) All the servers I've ever dealt with (and I don't mean a large tower
under someone's desk) are racked in locked rooms and hardwired.
b) NONE I've ever seen has any wifi, so I've never understood why avahi,
and the firewall hole for it, was installed in the "server" version by
default.
c) wpa-supplicant - again, why? If it's hardwired, and behind switches and
firewalls, why PNAC if every server is running firewalls?
<snip>
        mark "let's *please* NOT talk about NAC via Cisco,
                and people who allegedly know and have planned
                rolling it out...."