Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 23 Apr 2002 12:53:56 -0700 (PDT)
From:      Frank Mayhar <frank@exit.com>
To:        Terry Lambert <tlambert2@mindspring.com>
Cc:        Robert Watson <rwatson@FreeBSD.ORG>, "Greg 'groggy' Lehey" <grog@FreeBSD.ORG>, Jordan Hubbard <jkh@winston.freebsd.org>, Oscar Bonilla <obonilla@galileo.edu>, Anthony Schneider <aschneid@mail.slc.edu>, Mike Meyer <mwm-dated-1019955884.8b118e@mired.org>, hackers@FreeBSD.ORG
Subject:   More about security, X, rc.conf and changing defaults.
Message-ID:  <200204231953.g3NJrunH025061@realtime.exit.com>
In-Reply-To: <3CC5AE6E.9622AF93@mindspring.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Terry Lambert wrote:
> FWIW: I wouldn't object to a firewall rule that disallowed remote
> TCP connections to the X server by default, if the firewall is
> enabled.  I think we already have this...

Yep, I agree, and whether or not it's in the distributed rc.firewall, I
have the ports blocked in my hand-tuned version.

As to Stijn's remarks, he is putting up a strawman at best.  If a person
runs X, it should be their responsibility to make sure that it's secure.
Just like if they ran Windows or any other software with potential security
holes.  X is plastered with warnings as it is, why do we need to cripple a
function it supports?  Stijn, if it "opens up a hole in your network,"
that's _your_ problem, not mine.  There are many other ways to secure your
network than by turning off tcp connections by default in the X server.
Hey, I'm not objecting to adding the capability, I'm just objecting to
the fact that it was imposed upon everyone else by fiat and (worse) without
warning.

And before people start saying again that this only affects a port and is
irrelevant to the operating system itself, this is one symptom of what I
see as a worsening problem.  I agree with Warner that the former default
should only be supported until the next major release, but that former
default _should be supported_.  Yeah, it's up to me as a sysadmin to notice
this stuff and fix it, but how many people pay that much attention to the
stuff in /etc/defaults when they are in the middle of upgrading a bread-and-
butter system (to get it closer to the current -stable, so later improvements
won't be so difficult to bring in) and are going as fast as they can?  Much
better, IMNSHO, to create the new /etc/rc.override (or whatever) script and
let it bug the admin about the fact that the defaults have changed.  And _not_
spring this sort of thing on the FreeBSD world unawares.

Not all of us have time to pay attention to the mailing lists (or even _one_
of the mailing lists) to catch this sort of thing before it gets committed.

Hey, I'm a software engineer for Wind River (with a fulltime job there),
plus sole engineer and sysadmin for my own side business.  I barely have
time for _sleep_.
-- 
Frank Mayhar frank@exit.com	http://www.exit.com/
Exit Consulting                 http://www.gpsclock.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200204231953.g3NJrunH025061>