From: Greg 'groggy' Lehey
To: Jochem Kossen
Cc: hackers@FreeBSD.org
Date: Wed, 24 Apr 2002 08:44:44 +0930
Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)
Message-ID: <20020424084444.N6425@wantadilla.lemis.com>
References: <200204231009.51297.j.kossen@home.nl> <20020423183452.M6425@wantadilla.lemis.com> <200204231206.01451.j.kossen@home.nl>
In-Reply-To: <200204231206.01451.j.kossen@home.nl>
Organization: The FreeBSD Project

On Tuesday, 23 April 2002 at 12:06:01 +0200, Jochem Kossen wrote:
> On Tuesday 23 April 2002 11:04, you wrote:
> [...]
>>>> I've been noticing a continuing trend for more and more "safe"
>>>> configurations the default. I spent half a day recently trying to
>>>> find why I could no longer open windows on my X display, only to
>>>> discover that somebody had turned off tcp connections by default.
>>>
>>> *shrug* I was the one who sent in the patch. It was added some time
>>> around 2001/10/26 to the XFree86-4 megaport. When the metaport was
>>> created, the patch was incorporated too.
>>>
>>> A simple 'man startx' should have cleared your mind:
>>
>> Well, yes. But I've been using X for 11 years. Why should I have to
>> read the man page to find changes?
>
> Because things evolve? :)

Not a good reason. If they evolve, the evolution should be more
clearly documented.

>> How do I know which man page to read?
>
> You start X with startx, seems obvious to me. The disabling of tcp
> connections only applies to startx.

I don't stay with startx. Next I go to xinit, then to Xwrapper, then
to X. All of these work fine. When I try to start an xterm, nothing
happens. So I read the haystack of man pages for all these programs
looking for a possible needle? That's 4314 lines of man pages
(Xwrapper doesn't have a man page, so Murphy says that it's probably
in Xwrapper). Based on prior experience, startx would be the last
place I would look. In fact, I suspected a networking problem.

>> If I did that for everything that happened, I wouldn't get any
>> work done. And you can bet your bottom dollar that somebody coming
>> from another UNIX variant and trying out FreeBSD won't do so.
>
> OK, then I suggest we mention it in the handbook, the security policy
> document, the manpage AND the release notes :)

You've heard my suggestions.

>> They'll just say that it's broken and wander off again.

I note you don't comment on this one.

>>> In the case of the X patch, I'd add it to the release notes AND the
>>> security policy document, since - I think - few people will look in
>>> the security policy document for such a problem.
>>
>> I think it shouldn't happen at all unless people agree to it.
>
> 3 people did, 0 people did not... read below

So only 3 people use X? Get real. You just haven't heard any
objections up to now. I found out about this several weeks ago, but I
didn't complain because I was expecting replies with the perspective
you're showing.

>>> I do have to say you're the first one I see who complains about
>>> this...
>>
>> Maybe the others have given up.
>
> LOL

THIS IS NO LAUGHING MATTER. It's this kind of change which is going
to stop people from using FreeBSD.

>> But since we're on the subject, why? What's so insecure about X TCP
>> connections? Until you explicitly allow connections, the only system
>> that can open the server is the local system.
>
> For the simple reason I don't like useless open ports on my system. I
> don't use it, _most_ other people don't use it, so I sent in a
> patch.

Fine, I'm not telling you how to run your system. I don't want you
telling me how to run my network. I note that you still haven't given
a good technical reason for it.

> Of course, it was only discussed on the ports@ mailing list, but it
> didn't seem like such a big deal to me or apparently the others...

That doesn't help end users. We have a user community out there.

Greg
--
See complete headers for address and phone numbers
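An added check, not part of the thread above, that makes the "useless open port" question concrete: it reads FreeBSD `sockstat -4l` style output and reports any X server listening on a TCP display port (6000 + display number). The sample output below is constructed, and the column layout is assumed to match sockstat's; with `-nolisten tcp` in effect (the X server option startx's patch turns on) the list comes back empty.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4l` output (not captured from a real host):
# one X server on display :0 (TCP port 6000) beside sshd and a local-only sendmail.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   4  tcp4   *:22                  *:*
greg     XFree86    901   1  tcp4   *:6000                *:*
root     sendmail   455   3  tcp4   127.0.0.1:25          *:*'

# Read sockstat-style lines on stdin and print "COMMAND PID PORT" for every
# TCP listener on an X display port (6000..6063, i.e. displays :0 to :63).
# Column positions are assumed: $2 command, $3 pid, $5 proto, $6 local address.
x_tcp_listeners() {
    awk 'NR > 1 && $5 ~ /^tcp/ {
        n = split($6, a, ":"); port = a[n] + 0
        if (port >= 6000 && port <= 6063) print $2, $3, port
    }'
}

# Number of X servers reachable over TCP in the sample; 0 means the server
# was started with -nolisten tcp (or is not running at all).
count_x_tcp_listeners() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | x_tcp_listeners | wc -l | tr -d ' '
}

# On a live FreeBSD host the same filter runs over real output:
#   sockstat -4l | x_tcp_listeners
```

An empty result confirms the default the thread argues about; a hit tells you which server and PID still accepts remote X connections, so you can decide whether xhost access control alone is enough for that machine.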