
Opened 6 years ago

Closed 3 years ago

#10177 closed enhancement (moved_to_github)

Adjust miniupnpd config to be more secure by default

Reported by: adam2104
Owned by: developers
Priority: normal
Milestone: Chaos Calmer 15.05
Component: packages
Version: Backfire 10.03.1 RC5
Keywords:
Cc:

Description

The miniupnpd package provides a default configuration that allows all upnp/nat-pmp requests to be successful, by default. This is a potential security hole that luci-app-upnp attempts to solve by disabling miniupnpd from starting up until the user manually enables it. That approach is less than desirable because it forces the user to manually enable it, even in prebuilt images. A different approach would be to adjust the default upnpd.config file to deny all mappings by default. miniupnpd can remain enabled, but secure, until the administrator adjusts the configuration. This approach would make miniupnpd (more) secure, out of the box, for both LuCI and non-LuCI (CLI only) users.

See attached diff which moves the default deny section above the default allow section.

Attachments (1)

upnpd.config.diff (817 bytes) - added by adam2104 6 years ago.
update upnpd.config
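
Why moving the deny section above the allow section changes the outcome, as an added example that is not part of the ticket or the attached diff. It assumes miniupnpd applies the first permission rule that matches a request and accepts the request when no rule matches; the rule values and the sample request are constructed for illustration, not copied from the package's upnpd.config.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    action: str                      # "allow" or "deny"
    ext_ports: range                 # external port range
    int_net: ipaddress.IPv4Network   # internal client network
    int_ports: range                 # internal port range


def rule(action, ext, net, intp):
    """Build a Rule from 'lo-hi' (or single-port) strings and a CIDR string."""
    def ports(s):
        lo, _, hi = s.partition("-")
        return range(int(lo), int(hi or lo) + 1)
    return Rule(action, ports(ext), ipaddress.ip_network(net), ports(intp))


def decide(rules, ext_port, int_addr, int_port):
    """Return the action of the first rule that matches the request.

    Assumption: first match wins, and a request that matches no rule
    is accepted.
    """
    addr = ipaddress.ip_address(int_addr)
    for r in rules:
        if (ext_port in r.ext_ports and addr in r.int_net
                and int_port in r.int_ports):
            return r.action
    return "allow"


# Constructed rule values, not the package's own file contents.
ALLOW_HIGH = rule("allow", "1024-65535", "0.0.0.0/0", "1024-65535")
DENY_ALL = rule("deny", "0-65535", "0.0.0.0/0", "0-65535")

ALLOW_FIRST = [ALLOW_HIGH, DENY_ALL]   # allow section above deny section
DENY_FIRST = [DENY_ALL, ALLOW_HIGH]    # ordering proposed in the ticket

if __name__ == "__main__":
    request = (8080, "192.168.1.50", 8080)  # constructed mapping request
    for name, rules in (("allow-first", ALLOW_FIRST),
                        ("deny-first", DENY_FIRST)):
        print(name, decide(rules, *request))
```

With the deny rule first, the allow rule below it is never reached, so every mapping is refused until an administrator reorders or edits the rules.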


Change History (7)

Changed 6 years ago by adam2104

update upnpd.config

comment:1 Changed 6 years ago by jow

But what is the point then? One has to manually fiddle with it in either case.

comment:2 follow-up: Changed 6 years ago by hato

I think the point here is that with this approach the pre-built image can have a default setting as the user wants?
For this point, I think the new approach is better.

comment:3 Changed 6 years ago by adam2104

The point is twofold:

  1. It is automatically disabled for both kinds of users. Those that use LuCI and those that don't. Thereby closing the loop on the original intent (disabled in LuCI) to apply to both cases.
  2. When a prebuilt image is made, the default settings can easily be overwritten by including the necessary files in build_root/files/etc/upnpd.conf to override the default deny state. This allows someone with a prebuilt image to have miniupnpd enabled by default.

comment:4 in reply to: ↑ 2 Changed 6 years ago by will.dyson@…

This seems like a very sensible change, with little potential downside.

I think it would be even better to change the init script to check for a uci variable (something like "enabled"), and only start the daemon if it is true. Then /etc/config/upnpd could ship with enabled=0.

The advantages of this would be:

  • More consistency with the behavior of other LuCI apps (and init scripts everywhere)
  • Disabled by default even if luci-app-upnp is not installed
  • The enable/disable decision is preserved over sysupgrade

The main disadvantage is that this is a more invasive change than what is proposed here.

comment:5 Changed 4 years ago by jow

  • Milestone changed from Backfire 10.03.2 to Chaos Calmer (trunk)

Milestone Backfire 10.03.2 deleted

comment:6 Changed 3 years ago by jogo

  • Resolution set to moved_to_github
  • Status changed from new to closed

miniupnpd has been moved to https://www.github.com/openwrt/packages. If this is still an issue, please open a ticket there.
