Date: Tue, 23 Apr 2002 16:35:55 -0400 (EDT)
From: Daniel Eischen
To: Frank Mayhar
Cc: Terry Lambert, Robert Watson, "Greg 'groggy' Lehey", Jordan Hubbard, Oscar Bonilla, Anthony Schneider, Mike Meyer, hackers@FreeBSD.ORG
Subject: Re: More about security, X, rc.conf and changing defaults.
In-Reply-To: <200204231953.g3NJrunH025061@realtime.exit.com>

On Tue, 23 Apr 2002, Frank Mayhar wrote:
> Terry Lambert wrote:
> > FWIW: I wouldn't object to a firewall rule that disallowed remote
> > TCP connections to the X server by default, if the firewall is
> > enabled.  I think we already have this...
>
> Yep, I agree, and whether or not it's in the distributed rc.firewall, I
> have the ports blocked in my hand-tuned version.
>
> As to Stijn's remarks, he is putting up a strawman at best.  If a person
> runs X, it should be their responsibility to make sure that it's secure.
> Just like if they ran Windows or any other software with potential security
> holes.  X is plastered with warnings as it is, why do we need to cripple a
> function it supports?  Stijn, if it "opens up a hole in your network,"
> that's _your_ problem, not mine.  There are many other ways to secure your
> network than by turning off tcp connections by default in the X server.
>
> Hey, I'm not objecting to adding the capability, I'm just objecting to
> the fact that it was imposed upon everyone else by fiat and (worse) without
> warning.
>
> And before people start saying again that this only affects a port and is
> irrelevant to the operating system itself, this is one symptom of what I
> see as a worsening problem.

I agree also.  Remember what has been stated before, "Tools, not Policy".
If we want to disable this by default, then there should be a customary
knob _where people expect/can see it_.  And if we are lacking the
mechanism to do it, then the change should wait until it is present.  It
shouldn't be hacked into an unexpected place.

I would like to see this backed out.

-- 
Dan Eischen
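An added example, not part of the thread or of FreeBSD's own rc.firewall, illustrating the two sides discussed above: finding out whether an X server is actually listening on TCP (display N listens on port 6000+N), and the kind of ipfw deny rule Frank describes keeping in a hand-tuned rc.firewall. The sockstat-style sample input is constructed; the interface name fxp0 and the rule number are assumed.

```sh
#!/bin/sh
# Editor's example (not from the thread): audit X11 TCP listeners and emit
# the matching ipfw deny rule. Display N of an X server listens on TCP 6000+N,
# so the conventional range to watch is 6000-6063.

# Constructed sample of `sockstat -4l`-style output; a real run pipes the
# tool's output into x11_tcp_displays instead.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   4  tcp4   *:22                  *:*
root     X          523   1  tcp4   *:6000                *:*
root     X          523   2  tcp4   *:6001                *:*
dan      sendmail   610   3  tcp4   127.0.0.1:25          *:*'

# x11_tcp_displays: read sockstat-style lines on stdin and print, on one line,
# the display numbers whose X server accepts TCP connections (ports 6000-6063).
# Prints nothing when no X display listens on TCP.
x11_tcp_displays() {
    awk '$5 ~ /^tcp/ {
            n = split($6, a, ":"); p = a[n] + 0
            if (p >= 6000 && p <= 6063)
                out = out (out == "" ? "" : " ") (p - 6000)
         }
         END { if (out != "") print out }'
}

# x11_ipfw_deny_rules: print the ipfw command that refuses inbound X11 TCP
# connections on the external interface while leaving local clients alone.
# $1 = ipfw rule number (assumed), $2 = external interface name (assumed).
x11_ipfw_deny_rules() {
    rule=$1 oif=$2
    printf 'ipfw add %s deny log tcp from any to me 6000-6063 in via %s\n' \
        "$rule" "$oif"
}

# check_sample: run the audit over the constructed sample (used by the test).
check_sample() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | x11_tcp_displays
}
```

On a live system, replace the sample with `sockstat -4l | x11_tcp_displays`; an empty result means the server is not reachable over TCP and the firewall rule is belt-and-braces rather than the only line of defence.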