[CentOS] Network services start before network is up since migrating to 7.2

Tue Dec 22 13:29:43 UTC 2015
James Hogarth <james.hogarth at gmail.com>

On 22 December 2015 at 10:33, Sylvain CANOINE <sylvain.canoine at tv5monde.org>
wrote:

>
> ----- Original message -----
> > From: "Marcelo Ricardo Leitner" <marcelo.leitner at gmail.com>
> > To: "centos" <centos at centos.org>
> > Sent: Monday 21 December 2015 21:46:10
> > Subject: Re: [CentOS] Network services start before network is up since migrating to 7.2
>
> > Agreed. Sylvain, if possible, please elaborate on their reasoning for
> > this, because it just seems like a case of "we fear what we don't know",
> > so they are recommending to stick to old habits instead.
> >
> > Or have they identified real attack vectors in NM? If yes, we would love
> > to hear that so it can be fixed.
> In short, "you don't need it, so don't use it".
> They said NM is more a desktop-oriented tool, already had privilege
> escalation issues in the past (I didn't search if they're right), has too
> many dependencies (such as wpa_supplicant and avahi, which are, of course,
> also forbidden), needs extra mechanisms (PAM? Polkit?) to avoid users
> changing its settings, needs D-Bus just to work, so it is too complex
> just to set static IP addresses on network interfaces. They said multiple
> administrator actions, and potentially human errors, to set it up, may be a
> security risk...
>

Also known as "we have our policies for EL6 and we haven't paid any
attention to EL7 to see how things have changed" ... Wonder if they have
read my NM blog article yet ...

Honestly, any 'security' people banning wpa_supplicant need their heads
examined, given that it is used for 802.1X authentication ... which, if they
care about security, they should be paying attention to.

As for polkit and dbus ... well they have to be there in EL7 and systemd
relies on these mechanisms.

That said, if they're having kittens about NM, polkit, dbus and
wpa_supplicant, they probably hate systemd and frankly I'm surprised they
permit EL7 at all ;)

Note that by default a non-administrator user cannot change system network
configuration ... bah idiots ...