Date: Tue, 23 Apr 2002 16:35:55 -0400 (EDT) From: Daniel Eischen <eischen@pcnet1.pcnet.com> To: Frank Mayhar <frank@exit.com> Cc: Terry Lambert <tlambert2@mindspring.com>, Robert Watson <rwatson@FreeBSD.ORG>, "Greg 'groggy' Lehey" <grog@FreeBSD.ORG>, Jordan Hubbard <jkh@winston.freebsd.org>, Oscar Bonilla <obonilla@galileo.edu>, Anthony Schneider <aschneid@mail.slc.edu>, Mike Meyer <mwm-dated-1019955884.8b118e@mired.org>, hackers@FreeBSD.ORG Subject: Re: More about security, X, rc.conf and changing defaults. Message-ID: <Pine.GSO.4.10.10204231624120.25950-100000@pcnet1.pcnet.com> In-Reply-To: <200204231953.g3NJrunH025061@realtime.exit.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 23 Apr 2002, Frank Mayhar wrote: > Terry Lambert wrote: > > FWIW: I wouldn't object to a firewall rule that disallowed remote > > TCP connections to the X server by default, if the firewall is > > enabled. I think we already have this... > > Yep, I agree, and whether or not it's in the distributed rc.firewall, I > have the ports blocked in my hand-tuned version. > > As to Stijn's remarks, he is putting up a strawman at best. If a person > runs X, it should be their responsibility to make sure that it's secure. > Just like if they ran Windows or any other software with potential security > holes. X is plastered with warnings as it is, why do we need to cripple a > function it supports? Stijn, if it "opens up a hole in your network," > that's _your_ problem, not mine. There are many other ways to secure your > network than by turning off tcp connections by default in the X server. > Hey, I'm not objecting to adding the capability, I'm just objecting to > the fact that it was imposed upon everyone else by fiat and (worse) without > warning. > > And before people start saying again that this only affects a port and is > irrelevant to the operating system itself, this is one symptom of what I > see as a worsening problem. I agree also. Remember what has been stated before, "Tools, not Policy". If we want to disable this by default, then there should be a customary knob _where people expect/can see it_. And if we are lacking the mechanism to do it, then the change should wait until it is present. It shouldn't be hacked into an unexpected place. I would like to see this backed out. -- Dan Eischen To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.GSO.4.10.10204231624120.25950-100000>