From owner-freebsd-ports Fri Oct 26 19: 4:10 2001
Delivered-To: freebsd-ports@freebsd.org
Received: from jochem.dyndns.org (cc40670-a.groni1.gr.nl.home.com [217.120.131.23]) by hub.freebsd.org (Postfix) with ESMTP id CE83037B406; Fri, 26 Oct 2001 19:04:04 -0700 (PDT)
Received: (from jochem@localhost) by jochem.dyndns.org (8.11.6/8.11.6) id f9R23xe58134; Sat, 27 Oct 2001 04:03:59 +0200 (CEST) (envelope-from jochem)
Date: Sat, 27 Oct 2001 04:03:59 +0200
From: Jochem Kossen
To: Jean-Marc Zucconi
Cc: ports@FreeBSD.org
Subject: Re: x11/XFree86-4: patch to make XFree86-4 a _little_ bit more secure
Message-ID: <20011027040359.A58119@jochem.dyndns.org>
References: <20011026155354.A44808@jochem.dyndns.org> <200110261830.f9QIUFa44037@freefall.freebsd.org>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="gBBFr7Ir9EOA20Yy"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200110261830.f9QIUFa44037@freefall.freebsd.org>; from jmz@FreeBSD.org on Fri, Oct 26, 2001 at 11:30:15AM -0700
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--gBBFr7Ir9EOA20Yy
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Fri, Oct 26, 2001 at 11:30:15AM -0700, Jean-Marc Zucconi wrote:
> >>>>> Jochem Kossen writes:
>
> > Hi there,
> > I always hate the fact that when I start X, port 6000 is listening.
> > Attached file patches startx to use X with the '-nolisten tcp' option.
> > My idea behind this is that most people who use X don't need the network
> > options of it, those who do, are wise enough to change it in `which
> > startx`...
>
> > Secure by default? :)
>
> But then you have to edit and change the script if you want a
> non-secure operation mode. You should add a startx option for starting
> in non-secure mode. And don't forget the patch for the documentation
> change in the man page! :-)
>
> Jean-Marc
>
> --
> Jean-Marc Zucconi -- PGP Key: finger jmz@FreeBSD.org [KeyID: 400B38E9]

I agree, an option to startx to use non-secure mode is better.

So, here are two different patches, one for programs/xinit/startx.cpp
and one for programs/xinit/startx.man. (They are against XFree86-4.1.0_9.)

It will add the option '-listen_tcp' to startx, so 'startx' will start X
secure, 'startx -listen_tcp' will start X non-secure.

Jochem -- Fortune cookie says: Two percent of zero is almost nothing. --gBBFr7Ir9EOA20Yy Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=patch-startx --- programs/xinit/startx.cpp.orig Fri Apr 27 13:04:53 2001 +++ programs/xinit/startx.cpp Sat Oct 27 03:50:41 2001 @@ -82,8 +82,12 @@ display=:0 whoseargs="client" +listen_tcp="-nolisten tcp" while [ "x$1" != "x" ]; do case "$1" in + -listen_tcp) + listen_tcp="" + ;; --) whoseargs="server" ;; @@ -134,7 +138,7 @@ done #endif -xinit $clientargs -- $serverargs +xinit $clientargs -- $serverargs $listen_tcp if [ x"$removelist" != x ]; then xauth remove $removelist --gBBFr7Ir9EOA20Yy Content-Type: application/x-troff-man Content-Disposition: attachment; filename="patch-startx.man" --- programs/xinit/startx.man.orig Thu Apr 19 17:08:32 2001 +++ programs/xinit/startx.man Sat Oct 27 03:40:01 2001 @@ -42,10 +42,17 @@ somewhat nicer user interface for running a single session of the X Window System. It is often run with no arguments. .PP -Arguments immediately following the +Except for the +.RB '-listen_tcp' +option, arguments immediately following the .I startx command are used to start a client in the same manner as .IR xinit (1). +The +.RB '-listen_tcp' +option of startx enables the TCP/IP transport type which is needed for remote X +displays. This is disabled by default for security reasons. +.PP The special argument .RB '--' marks the end of client arguments and the beginning of server options. @@ -66,6 +73,8 @@ startx -- -dpi 100 .PP startx -- -layout Multihead +.PP +startx -listen_tcp -- -depth 16 .RE .PP To determine the client to run, --gBBFr7Ir9EOA20Yy-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
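
Review bot: In the first startx.cpp hunk (@@ -82,8 +82,12 @@), the `-listen_tcp)` arm sits in the same `case` that handles both client and server arguments, so it matches wherever the word appears on the command line, including after `--` when `whoseargs` is "server". The arm only clears `listen_tcp` and does not append the word to either argument list, so an argument in that position is consumed by startx rather than passed on. Checking `whoseargs` inside the arm, or handling the option before the loop, would make the script match the man page wording that treats it as a startx option given right after the command.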
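
Review bot: In the second startx.cpp hunk (@@ -134,7 +138,7 @@), `$listen_tcp` has to stay unquoted on the `xinit` line, because `listen_tcp="-nolisten tcp"` is one string that must split into two server arguments. A one-line comment beside the assignment saying so would keep a later cleanup from quoting it and handing the server a single unrecognised argument. It is also worth checking the case where the user already passes `-nolisten tcp` after `--`, since the option then appears twice on the server command line.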
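
Review bot: In the first startx.man hunk (@@ -42,10 +42,17 @@), the new paragraph says the TCP/IP transport "is disabled by default for security reasons" without saying how. Naming the server option that startx now appends (`-nolisten tcp`) would let a reader connect the startx default to the server's own documentation and recognise it in the process list. The sentence could also state that the default is a change from earlier startx behaviour, so that users who rely on remote X displays know to add `-listen_tcp`.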