From owner-freebsd-hackers  Tue Apr 23 16:15: 3 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from wantadilla.lemis.com (wantadilla.lemis.com [192.109.197.80])
	by hub.freebsd.org (Postfix) with ESMTP id A06A537B416
	for <hackers@FreeBSD.org>; Tue, 23 Apr 2002 16:14:46 -0700 (PDT)
Received: by wantadilla.lemis.com (Postfix, from userid 1004)
	id 172B581458; Wed, 24 Apr 2002 08:44:44 +0930 (CST)
Date: Wed, 24 Apr 2002 08:44:44 +0930
From: Greg 'groggy' Lehey <grog@FreeBSD.org>
To: Jochem Kossen <j.kossen@home.nl>
Cc: hackers@FreeBSD.org
Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)
Message-ID: <20020424084444.N6425@wantadilla.lemis.com>
References: <rwatson@FreeBSD.ORG> <200204231009.51297.j.kossen@home.nl> <20020423183452.M6425@wantadilla.lemis.com> <200204231206.01451.j.kossen@home.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200204231206.01451.j.kossen@home.nl>
User-Agent: Mutt/1.3.23i
Organization: The FreeBSD Project
Phone: +61-8-8388-8286
Fax: +61-8-8388-8725
Mobile: +61-418-838-708
WWW-Home-Page: http://www.FreeBSD.org/
X-PGP-Fingerprint: 9A1B 8202 BCCE B846 F92F  09AC 22E6 F290 507A 4223
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG

On Tuesday, 23 April 2002 at 12:06:01 +0200, Jochem Kossen wrote:
> On Tuesday 23 April 2002 11:04, you wrote:
> [...]
>>>>
>>>> I've been noticing a continuing trend for more and more "safe"
>>>> configurations the default.  I spent half a day recently trying to
>>>> find why I could no longer open windows on my X display, only to
>>>> discover that somebody had turned off tcp connections by default.
>>>
>>> *shrug* I was the one who sent in the patch. It was added some time
>>> around 2001/10/26 to the XFree86-4 megaport. When the metaport was
>>> created, the patch was incorporated too.
>>>
>>> A simple 'man startx' should have cleared your mind:
>>
>> Well, yes.  But I've been using X for 11 years.  Why should I have to
>> read the man page to find changes?
>
> Because things evolve? :)

Not a good reason.  If they evolve, the evolution should be more
clearly documented.

>> How do I know which man page to read?
>
> You start X with startx, seems obvious to me. The disabling of tcp
> connections only applies to startx

I don't stay with startx.  Next I go to xinit, then to Xwrapper, then
to X.  All of these work fine.  When I try to start an xterm, nothing
happens.  So I read the haystack of man pages for all these programs
looking for a possible needle?  That's 4314 lines of man pages
(Xwrapper doesn't have a man page, so Murphy says that it's probably
in Xwrapper).  Based on prior experience, startx would be the last
place I would look.  In fact, I suspected a networking problem.

>> If I did that for everything that happened, I wouldn't get any
>> work done.  And you can bet your bottom dollar that somebody coming
>> from another UNIX variant and trying out FreeBSD won't do so.
>
> OK, then i suggest we mention it in the handbook, the security policy
> document, the manpage AND the release notes :)

You've heard my suggestions.

>> They'll just say that it's broken and wander off again.

I note you don't comment on this one.

>>> In the case of the X patch, i'd add it to the release notes AND the
>>> security policy document, since - i think - few people will look in
>>> the security policy document for such a problem.
>>
>> I think it shouldn't happen at all unless people agree to it.
>
> 3 people did, 0 people did not...read below

So only 3 people use X?  Get real.  You just haven't heard any
objections up to now.  I found out about this several weeks ago, but I
didn't complain because I was expecting replies with the perspective
you're showing.

>>> I do have to say you're the first one I see who complains about
>>> this...
>>
>> Maybe the others have given up.
>
> LOL

THIS IS NO LAUGHING MATTER.  It's this kind of change which is going
to stop people from using FreeBSD.

>> But since we're on the subject, why?  What's so insecure about X TCP
>> connections?  Until you explicitly allow connections, the only system
>> that can open the server is the local system.
>
> For the simple reason I don't like useless open ports on my system. I
> don't use it, _most_ other people don't use it, so i sent in a
> patch.

Fine, I'm not telling you how to run your system.  I don't want you
telling me how to run my network.  I note that you still haven't given
a good technical reason for it.

> Of course, it was only discussed on the ports@ mailinglist, but it
> didn't seem like such a big deal to me or apparently the others...

That doesn't help end users.  We have a user community out there.

Greg
--
See complete headers for address and phone numbers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message