From owner-freebsd-hackers Tue Apr 23 16:38: 9 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from wantadilla.lemis.com (wantadilla.lemis.com [192.109.197.80]) by hub.freebsd.org (Postfix) with ESMTP id F361837B416; Tue, 23 Apr 2002 16:37:50 -0700 (PDT)
Received: by wantadilla.lemis.com (Postfix, from userid 1004) id 30A30814A8; Wed, 24 Apr 2002 09:07:49 +0930 (CST)
Date: Wed, 24 Apr 2002 09:07:49 +0930
From: Greg 'groggy' Lehey
To: Daniel Eischen
Cc: Frank Mayhar, Terry Lambert, Robert Watson, Jordan Hubbard, Oscar Bonilla, Anthony Schneider, Mike Meyer, hackers@FreeBSD.ORG
Subject: Re: More about security, X, rc.conf and changing defaults.
Message-ID: <20020424090749.P6425@wantadilla.lemis.com>
References: <200204231953.g3NJrunH025061@realtime.exit.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.3.23i
Organization: The FreeBSD Project
Phone: +61-8-8388-8286
Fax: +61-8-8388-8725
Mobile: +61-418-838-708
WWW-Home-Page: http://www.FreeBSD.org/
X-PGP-Fingerprint: 9A1B 8202 BCCE B846 F92F 09AC 22E6 F290 507A 4223
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tuesday, 23 April 2002 at 16:35:55 -0400, Daniel Eischen wrote:
> On Tue, 23 Apr 2002, Frank Mayhar wrote:
>> Terry Lambert wrote:
>>> FWIW: I wouldn't object to a firewall rule that disallowed remote
>>> TCP connections to the X server by default, if the firewall is
>>> enabled. I think we already have this...
>>
>> Yep, I agree, and whether or not it's in the distributed rc.firewall, I
>> have the ports blocked in my hand-tuned version.
>>
>> As to Stijn's remarks, he is putting up a strawman at best. If a person
>> runs X, it should be their responsibility to make sure that it's secure,
>> just like if they ran Windows or any other software with potential security
>> holes. X is plastered with warnings as it is; why do we need to cripple a
>> function it supports? Stijn, if it "opens up a hole in your network,"
>> that's _your_ problem, not mine. There are many other ways to secure your
>> network than by turning off TCP connections by default in the X server.
>> Hey, I'm not objecting to adding the capability, I'm just objecting to
>> the fact that it was imposed upon everyone else by fiat and (worse) without
>> warning.
>>
>> And before people start saying again that this only affects a port and is
>> irrelevant to the operating system itself, this is one symptom of what I
>> see as a worsening problem.
>
> I agree also. Remember what has been stated before, "Tools, not Policy".
> If we want to disable this by default, then there should be a customary
> knob _where people expect/can see it_. And if we are lacking the
> mechanism to do it, then the change should wait until it is present.
> It shouldn't be hacked into an unexpected place.

Agreed entirely.

> I would like to see this backed out.

I think it would be reasonable to fix it by tying it to the securelevel.

Greg
--
See complete headers for address and phone numbers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
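As an added example that is not part of this thread: a shell audit for the exposure the posters are arguing about, an X server accepting TCP connections on an address other than loopback, which is what a firewall rule on the X ports or starting the server without TCP listening would prevent. It reads `sockstat -4l`-style output; the function name and the sample socket table are constructed for the demonstration, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: report X display sockets (TCP 6000-6063)
# bound to a non-loopback address, i.e. reachable from the network unless a
# firewall rule sits in front of them. Input is FreeBSD `sockstat -4l`/`-6l`
# style output on stdin; the sample further down is constructed.

# Prints one line per exposed X listener; exit status 1 if any, 0 if none.
x_tcp_exposure() {
    awk '
        # Data columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
        NR > 1 && $5 ~ /^tcp/ {
            n = split($6, a, ":")
            port = a[n] + 0
            addr = substr($6, 1, length($6) - length(a[n]) - 1)
            loopback = (addr ~ /^127\./ || addr == "::1")
            if (port >= 6000 && port <= 6063 && !loopback) {
                printf "%s (pid %s) accepts TCP on %s, display :%d\n",
                       $2, $3, $6, port - 6000
                exposed = 1
            }
        }
        END { exit exposed ? 1 : 0 }
    '
}

# Constructed sample: one X server on the wildcard address, one bound to
# loopback only, plus an unrelated listener that must be ignored.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     XFree86    412    1 tcp4   *:6000                *:*
root     sshd       311    4 tcp4   *:22                  *:*
alice    Xvnc       1203   3 tcp4   127.0.0.1:6001        *:*'

if printf '%s\n' "$SAMPLE_SOCKSTAT" | x_tcp_exposure; then
    echo "no X server reachable over TCP"
else
    echo "X server reachable over TCP: block 6000-6063 at the firewall or disable TCP listening"
fi
```

On a live host, pipe `sockstat -4l` (and `sockstat -6l`) into `x_tcp_exposure` instead of the sample.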