From owner-freebsd-security Tue May 23 19:53:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207])
	by hub.freebsd.org (Postfix) with ESMTP id D330F37BB3D
	for ; Tue, 23 May 2000 19:53:23 -0700 (PDT)
	(envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost)
	by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id WAA40604;
	Tue, 23 May 2000 22:53:12 -0400 (EDT)
	(envelope-from cjc)
Date: Tue, 23 May 2000 22:53:12 -0400
From: "Crist J. Clark"
To: BD
Cc: Michael Robinson , freebsd-security@FreeBSD.ORG
Subject: Re: Web Server and Xwindows
Message-ID: <20000523225312.C40441@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <200005230358.LAA35900@netrinsics.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from bdeless@efn.org on Tue, May 23, 2000 at 03:28:18PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, May 23, 2000 at 03:28:18PM -0700, BD wrote:
> I've never used or installed IPSEC although I'm aware that is part of
> 4.0(?). Since I will only use X locally is this still necessary? I had
> planned to use ipfw to block X at the interface. I am completely ignorant
> when it comes to securing X (that's why I've never used it before).
>
> I apologize if this should have gone to questions but I felt this list was
> probably where I would get the best answer. (list newbie)

If you are only concerned about remote attacks from users with no
authorized access to the box, then I think blocking the usual X ports
is adequate. And do also make sure XDMCP is not enabled anyway.

However, if you are concerned about users with accounts on the box,
it's a different matter. X has plenty of setuid, and I would guess
something like KDE adds a bunch more. X also is well known for letting
average users mess with one another's "stuff" if not configured very
tightly.

But remember, if the X users are sitting at the box and have physical
access to it... game's already over. No security without physical
security, so why sweat over some possible, but as yet unknown, local X
exploits?

My $0.02.
-- 
Crist J. Clark                           cjclark@home.com
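
A check to go with the advice in the message above, added here as an example and not part of the original e-mail: it reads `netstat -an` output and reports X11 or XDMCP sockets bound to a non-loopback address, which are the ones a packet filter would need to cover. The TCP 6000-6063 range (displays :0 to :63), the function names and the sample output are assumptions constructed for the illustration; XDMCP is UDP port 177.

```python
import ipaddress

X11_TCP = range(6000, 6064)   # assumption: conventional range, 6000 + display number
XDMCP_UDP = 177

# Constructed sample in the FreeBSD `netstat -an` layout (not real output).
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.6000                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.6010         *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp6       0      0  ::1.6010               *.*                    LISTEN
udp4       0      0  *.177                  *.*
udp4       0      0  *.514                  *.*
"""

def parse_local(field):
    """Split netstat's 'addr.port' field; the port follows the last dot."""
    addr, _, port = field.rpartition(".")
    return addr, (int(port) if port.isdigit() else None)

def is_loopback(addr):
    """'*' means every interface, so it is never loopback-only."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return addr == "localhost"

def exposed_x_sockets(netstat_text):
    """Return (proto, addr, port, service) for X sockets reachable off-host."""
    findings = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue                      # banner, header or unrelated line
        proto, (addr, port) = f[0], parse_local(f[3])
        if port is None or is_loopback(addr):
            continue
        if proto.startswith("tcp") and port in X11_TCP and f[-1] == "LISTEN":
            findings.append((proto, addr, port, "X11 display :%d" % (port - 6000)))
        elif proto.startswith("udp") and port == XDMCP_UDP:
            findings.append((proto, addr, port, "XDMCP"))
    return findings

if __name__ == "__main__":
    for finding in exposed_x_sockets(SAMPLE):
        print("exposed: %s %s port %d (%s)" % finding)
```

An empty result on a real host means nothing X-related is listening beyond loopback; it says nothing about the local-user and setuid concerns raised in the message.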