Date: Wed, 24 Apr 2002 08:44:44 +0930
From: Greg 'groggy' Lehey <grog@FreeBSD.org>
To: Jochem Kossen <j.kossen@home.nl>
Cc: hackers@FreeBSD.org
Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)
Message-ID: <20020424084444.N6425@wantadilla.lemis.com>
In-Reply-To: <200204231206.01451.j.kossen@home.nl>
References: <rwatson@FreeBSD.ORG> <200204231009.51297.j.kossen@home.nl> <20020423183452.M6425@wantadilla.lemis.com> <200204231206.01451.j.kossen@home.nl>
On Tuesday, 23 April 2002 at 12:06:01 +0200, Jochem Kossen wrote:
> On Tuesday 23 April 2002 11:04, you wrote:
> [...]
>>>>
>>>> I've been noticing a continuing trend for more and more "safe"
>>>> configurations as the default. I spent half a day recently trying to
>>>> find why I could no longer open windows on my X display, only to
>>>> discover that somebody had turned off tcp connections by default.
>>>
>>> *shrug* I was the one who sent in the patch. It was added some time
>>> around 2001/10/26 to the XFree86-4 megaport. When the metaport was
>>> created, the patch was incorporated too.
>>>
>>> A simple 'man startx' should have cleared your mind:
>>
>> Well, yes. But I've been using X for 11 years. Why should I have to
>> read the man page to find changes?
>
> Because things evolve? :)

Not a good reason. If they evolve, the evolution should be more
clearly documented.

>> How do I know which man page to read?
>
> You start X with startx, seems obvious to me. The disabling of tcp
> connections only applies to startx

I don't stay with startx. Next I go to xinit, then to Xwrapper, then
to X. All of these work fine. When I try to start an xterm, nothing
happens. So I read the haystack of man pages for all these programs
looking for a possible needle? That's 4314 lines of man pages
(Xwrapper doesn't have a man page, so Murphy says that it's probably
in Xwrapper). Based on prior experience, startx would be the last
place I would look. In fact, I suspected a networking problem.

>> If I did that for everything that happened, I wouldn't get any
>> work done. And you can bet your bottom dollar that somebody coming
>> from another UNIX variant and trying out FreeBSD won't do so.
>
> OK, then I suggest we mention it in the handbook, the security policy
> document, the manpage AND the release notes :)

You've heard my suggestions.

>> They'll just say that it's broken and wander off again.

I note you don't comment on this one.
>>> In the case of the X patch, I'd add it to the release notes AND the
>>> security policy document, since - I think - few people will look in
>>> the security policy document for such a problem.
>>
>> I think it shouldn't happen at all unless people agree to it.
>
> 3 people did, 0 people did not...read below

So only 3 people use X? Get real. You just haven't heard any
objections up to now. I found out about this several weeks ago, but I
didn't complain because I was expecting replies with the perspective
you're showing.

>>> I do have to say you're the first one I see who complains about
>>> this...
>>
>> Maybe the others have given up.
>
> LOL

THIS IS NO LAUGHING MATTER. It's this kind of change which is going
to stop people from using FreeBSD.

>> But since we're on the subject, why? What's so insecure about X TCP
>> connections? Until you explicitly allow connections, the only system
>> that can open the server is the local system.
>
> For the simple reason I don't like useless open ports on my system. I
> don't use it, _most_ other people don't use it, so I sent in a
> patch.

Fine, I'm not telling you how to run your system. I don't want you
telling me how to run my network. I note that you still haven't given
a good technical reason for it.

> Of course, it was only discussed on the ports@ mailing list, but it
> didn't seem like such a big deal to me or apparently the others...

That doesn't help end users. We have a user community out there.

Greg
--
See complete headers for address and phone numbers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
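The state the two of them are arguing about, an X server with or without a TCP listener, is easy to check directly rather than by reading man pages. The script below is an added example, not part of the message above or of the FreeBSD ports patch it discusses. It assumes the column layout of FreeBSD's sockstat -l (USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS) and the X convention that display :N listens on TCP port 6000+N; the sockstat lines it ships with are constructed so it runs on any host.

```shell
#!/bin/sh
# Added example, not from the thread above: report whether an X display is
# reachable over TCP. Display :N listens on TCP port 6000+N; the startx change
# discussed in the thread stops the server from opening that port at all.
# Assumption: input in the column layout of FreeBSD's "sockstat -l"
# (USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS).

# Map an X display string (":0", "localhost:1.0") to its TCP port.
x_display_port() {
    disp="${1#*:}"        # drop the host part before the colon
    disp="${disp%%.*}"    # drop the screen number after the dot
    echo $((6000 + disp))
}

# Read a sockstat-style listing on stdin; print 1 if some TCP socket is
# listening on port $1, else 0. Loopback binds count too, since the
# complaint in the thread is about the open port as such.
x_tcp_listener_present() {
    awk -v port="$1" '
        $5 ~ /^tcp/ && $6 ~ (":" port "$") { found = 1 }
        END { print (found ? 1 : 0) }'
}

# Constructed sample, shaped like sockstat output for an X server that still
# listens on TCP (the pre-patch behaviour) next to an unrelated sshd.
SAMPLE_LISTING='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     XFree86    412   3  tcp4   *:6000                *:*
root     sshd       301   4  tcp4   *:22                  *:*'

# Report on one display: live sockstat output where the tool exists
# (FreeBSD), otherwise the constructed sample so the script still runs.
check_display() {
    port=$(x_display_port "$1")
    if command -v sockstat >/dev/null 2>&1; then
        state=$(sockstat -l | x_tcp_listener_present "$port")
    else
        state=$(printf '%s\n' "$SAMPLE_LISTING" | x_tcp_listener_present "$port")
    fi
    if [ "$state" = 1 ]; then
        echo "display $1: TCP port $port is open"
    else
        echo "display $1: no TCP listener on port $port (local sockets only)"
    fi
}

check_display "${DISPLAY:-:0}"
```

On a FreeBSD box with X running, run it with DISPLAY set and it inspects the real socket table; on a system without sockstat, netstat -an gives the same information in a slightly different column layout, so adjust the awk field numbers. Which option the ports patch changed is not stated in the thread; the X server's own -nolisten tcp switch is the usual mechanism for this, and a listing with no port-6000 entry is what it produces.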