Date:      Tue, 23 May 2000 22:53:12 -0400
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        BD <bdeless@efn.org>
Cc:        Michael Robinson <robinson@netrinsics.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: Web Server and Xwindows
Message-ID:  <20000523225312.C40441@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <Pine.GSU.4.05.10005231520330.23893-100000@garcia.efn.org>; from bdeless@efn.org on Tue, May 23, 2000 at 03:28:18PM -0700
References:  <200005230358.LAA35900@netrinsics.com> <Pine.GSU.4.05.10005231520330.23893-100000@garcia.efn.org>

On Tue, May 23, 2000 at 03:28:18PM -0700, BD wrote:
> I've never used or installed IPSEC although I'm aware that is part of
> 4.0(?). Since I will only use X locally is this still necessary? I had
> planned to use ipfw to block X at the interface. I am completely ignorant
> when it comes to securing X (that's why I've never used it before).
> 
> I apologize if this should have gone to questions but I felt this list was
> probably where I would get the best answer. (list newbie)

If you are only concerned about remote attacks from users with no
authorized access to the box, then I think blocking the usual X ports
is adequate. And do also make sure XDMCP is not enabled anyway.

However, if you are concerned about users with accounts on the box,
it's a different matter. X has plenty of setuid, and I would guess
something like KDE adds a bunch more. X also is well known for letting
average users mess with one another's "stuff" if not configured very
tightly.

But remember, if the X users are sitting at the box and have physical
access to it... game's already over. No security without physical
security, so why sweat over some possible, but as yet unknown, local X
exploits?

My $0.02.
-- 
Crist J. Clark                           cjclark@home.com
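
One way to verify the advice in this reply, as an added example that is not part of the original message: a shell function that reads `sockstat -4l`-style listener lines and reports X11 and XDMCP sockets bound to non-loopback addresses. The port numbers (TCP 6000-6063 for X displays, UDP 177 for XDMCP) are the standard assignments rather than values given in the thread, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag X11 and XDMCP listeners reachable from off-box.
# Assumed ports (standard X assignments, not stated in the thread):
#   TCP 6000-6063 = X displays :0 to :63, UDP 177 = XDMCP.

# Reads `sockstat -4l`-style lines on stdin; prints one finding per line.
x_exposure() {
    awk '
    $5 ~ /^(tcp|udp)/ {
        n = split($6, part, ":")            # local address is "addr:port"
        port = part[n] + 0
        addr = substr($6, 1, length($6) - length(part[n]) - 1)
        if (addr ~ /^127\./) next           # loopback-only is not remote exposure
        if ($5 ~ /^tcp/ && port >= 6000 && port <= 6063) {
            print "X11 " $2 " " $6
        } else if ($5 ~ /^udp/ && port == 177) {
            print "XDMCP " $2 " " $6
        }
    }'
}

# Constructed sample input (not captured from a real host).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     Xorg       812   3  tcp4   *:6000                *:*
root     xdm        790   4  udp4   *:177                 *:*
www      httpd      655   16 tcp4   *:80                  *:*
root     Xorg       900   3  tcp4   127.0.0.1:6001        *:*'

# On a live FreeBSD box: sockstat -4l | x_exposure
printf '%s\n' "$SAMPLE" | x_exposure
```

Any line it prints is a socket that the ipfw rules at the interface need to cover, or a service (such as XDMCP) to turn off.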

