Date:      Wed, 24 Apr 2002 08:44:44 +0930
From:      Greg 'groggy' Lehey <grog@FreeBSD.org>
To:        Jochem Kossen <j.kossen@home.nl>
Cc:        hackers@FreeBSD.org
Subject:   Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)
Message-ID:  <20020424084444.N6425@wantadilla.lemis.com>
In-Reply-To: <200204231206.01451.j.kossen@home.nl>
References:  <rwatson@FreeBSD.ORG> <200204231009.51297.j.kossen@home.nl> <20020423183452.M6425@wantadilla.lemis.com> <200204231206.01451.j.kossen@home.nl>

On Tuesday, 23 April 2002 at 12:06:01 +0200, Jochem Kossen wrote:
> On Tuesday 23 April 2002 11:04, you wrote:
> [...]
>>>>
>>>> I've been noticing a continuing trend for more and more "safe"
>>>> configurations the default.  I spent half a day recently trying to
>>>> find why I could no longer open windows on my X display, only to
>>>> discover that somebody had turned off tcp connections by default.
>>>
>>> *shrug* I was the one who sent in the patch. It was added some time
>>> around 2001/10/26 to the XFree86-4 megaport. When the metaport was
>>> created, the patch was incorporated too.
>>>
>>> A simple 'man startx' should have cleared your mind:
>>
>> Well, yes.  But I've been using X for 11 years.  Why should I have to
>> read the man page to find changes?
>
> Because things evolve? :)

Not a good reason.  If they evolve, the evolution should be more
clearly documented.

>> How do I know which man page to read?
>
> You start X with startx, seems obvious to me. The disabling of tcp
> connections only applies to startx

I don't stay with startx.  Next I go to xinit, then to Xwrapper, then
to X.  All of these work fine.  When I try to start an xterm, nothing
happens.  So I read the haystack of man pages for all these programs
looking for a possible needle?  That's 4314 lines of man pages
(Xwrapper doesn't have a man page, so Murphy says that it's probably
in Xwrapper).  Based on prior experience, startx would be the last
place I would look.  In fact, I suspected a networking problem.

>> If I did that for everything that happened, I wouldn't get any
>> work done.  And you can bet your bottom dollar that somebody coming
>> from another UNIX variant and trying out FreeBSD won't do so.
>
> OK, then I suggest we mention it in the handbook, the security policy
> document, the manpage AND the release notes :)

You've heard my suggestions.

>> They'll just say that it's broken and wander off again.

I note you don't comment on this one.

>>> In the case of the X patch, I'd add it to the release notes AND the
>>> security policy document, since - I think - few people will look in
>>> the security policy document for such a problem.
>>
>> I think it shouldn't happen at all unless people agree to it.
>
> 3 people did, 0 people did not...read below

So only 3 people use X?  Get real.  You just haven't heard any
objections up to now.  I found out about this several weeks ago, but I
didn't complain because I was expecting replies with the perspective
you're showing.

>>> I do have to say you're the first one I see who complains about
>>> this...
>>
>> Maybe the others have given up.
>
> LOL

THIS IS NO LAUGHING MATTER.  It's this kind of change which is going
to stop people from using FreeBSD.

>> But since we're on the subject, why?  What's so insecure about X TCP
>> connections?  Until you explicitly allow connections, the only system
>> that can open the server is the local system.
>
> For the simple reason I don't like useless open ports on my system. I
> don't use it, _most_ other people don't use it, so I sent in a
> patch.

Fine, I'm not telling you how to run your system.  I don't want you
telling me how to run my network.  I note that you still haven't given
a good technical reason for it.

> Of course, it was only discussed on the ports@ mailing list, but it
> didn't seem like such a big deal to me or apparently the others...

That doesn't help end users.  We have a user community out there.

Greg
--
See complete headers for address and phone numbers
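The disagreement above is about whether an X server is actually reachable over TCP on a given machine. As an added illustration (not part of the thread, and not FreeBSD's or XFree86's own code), here is a small POSIX shell check a defender can pipe `sockstat -l` into to answer that question directly. It assumes sockstat(1)'s column order (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS) and the X convention that display :N listens on TCP port 6000+N; the sample output embedded below is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: find X servers listening on TCP in sockstat(1)-style output.
# X display :N uses TCP port 6000+N, so a tcp4/tcp6 socket bound to a port in
# 6000-6063 with a wildcard foreign address (*:*) is a reachable X display.
# Unix-domain sockets (PROTO "stream", path /tmp/.X11-unix/X0) are ignored:
# those are the local-only transport the thread contrasts TCP with.

# x_tcp_listeners: read sockstat-style lines on stdin, print the lines that
# are X TCP listeners.  Exit status 0 if any were found, 1 otherwise.
# Live usage:   sockstat -l | x_tcp_listeners
x_tcp_listeners() {
    awk '
        $5 ~ /^tcp[46]?$/ && $7 == "*:*" {
            # LOCAL ADDRESS is host:port; take the last colon-separated
            # field so IPv6 literals such as ::1:6000 still yield the port.
            n = split($6, a, ":"); port = a[n] + 0
            if (port >= 6000 && port <= 6063) { found = 1; print }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample (assumption: mimics "sockstat -l" layout on FreeBSD):
# one X server listening on TCP *:6000, its unix socket, sshd, and an xterm
# client connected over the unix socket.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     XFree86    512    1  tcp4   *:6000                *:*
root     XFree86    512    3  stream /tmp/.X11-unix/X0
root     sshd       301    4  tcp4   *:22                  *:*
grog     xterm      640    3  stream -> /tmp/.X11-unix/X0'

# Same sample with the TCP listener removed, i.e. what a server started with
# TCP connections disabled would look like: only the unix socket remains.
SAMPLE_SOCKSTAT_NOTCP=$(printf '%s\n' "$SAMPLE_SOCKSTAT" | grep -v ':6000')
```

Run against the first sample the function prints only the `XFree86 ... *:6000` line and exits 0; against the second it prints nothing and exits 1, which is the state the startx patch discussed above produces. On a live host, replace the sample with `sockstat -l` (or `netstat -an` with the same port filter) to see which of the two cases applies.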

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020424084444.N6425>