From owner-freebsd-hackers Tue Apr 23 12:55:30 2002
From: Frank Mayhar
Message-Id: <200204231953.g3NJrunH025061@realtime.exit.com>
Subject: More about security, X, rc.conf and changing defaults.
In-Reply-To: <3CC5AE6E.9622AF93@mindspring.com>
To: Terry Lambert
Date: Tue, 23 Apr 2002 12:53:56 -0700 (PDT)
Cc: Robert Watson, "Greg 'groggy' Lehey", Jordan Hubbard, Oscar Bonilla, Anthony Schneider, Mike Meyer, hackers@FreeBSD.ORG
Reply-To: frank@exit.com
Organization: Exit Consulting
X-Copyright0: Copyright 2002 Frank Mayhar. All Rights Reserved.
X-Copyright1: Permission granted for electronic reproduction as Usenet News or email only.

Terry Lambert wrote:
> FWIW: I wouldn't object to a firewall rule that disallowed remote
> TCP connections to the X server by default, if the firewall is
> enabled. I think we already have this...
Yep, I agree, and whether or not it's in the distributed rc.firewall, I have the ports blocked in my hand-tuned version.

As to Stijn's remarks, he is putting up a strawman at best. If a person runs X, it should be their responsibility to make sure that it's secure. Just like if they ran Windows or any other software with potential security holes. X is plastered with warnings as it is, why do we need to cripple a function it supports? Stijn, if it "opens up a hole in your network," that's _your_ problem, not mine. There are many other ways to secure your network than by turning off TCP connections by default in the X server.

Hey, I'm not objecting to adding the capability, I'm just objecting to the fact that it was imposed upon everyone else by fiat and (worse) without warning. And before people start saying again that this only affects a port and is irrelevant to the operating system itself, this is one symptom of what I see as a worsening problem.

I agree with Warner that the former default should only be supported until the next major release, but that former default _should be supported_. Yeah, it's up to me as a sysadmin to notice this stuff and fix it, but how many people pay that much attention to the stuff in /etc/defaults when they are in the middle of upgrading a bread-and-butter system (to get it closer to the current -stable, so later improvements won't be so difficult to bring in) and are going as fast as they can? Much better, IMNSHO, to create the new /etc/rc.override (or whatever) script and let it bug the admin about the fact that the defaults have changed. And _not_ spring this sort of thing on the FreeBSD world unawares.

Not all of us have time to pay attention to the mailing lists (or even _one_ of the mailing lists) to catch this sort of thing before it gets committed. Hey, I'm a software engineer for Wind River (with a fulltime job there), plus sole engineer and sysadmin for my own side business. I barely have time for _sleep_.
--
Frank Mayhar frank@exit.com http://www.exit.com/
Exit Consulting http://www.gpsclock.com/
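The two practical pieces behind this exchange are the check (is the X server actually listening for remote TCP connections?) and the rc.firewall-style rule that blocks those connections whether or not the server was started with -nolisten tcp. The script below is an added example, not code from the thread or from FreeBSD's rc.firewall. It assumes the ipfw(8) rule syntax of the FreeBSD 4.x era and the column layout of `sockstat -4l` (USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS); the sockstat listing embedded in it is constructed so the script runs offline, and the display-port range 6000-6063 is the conventional one for displays :0 through :63.

```shell
#!/bin/sh
# Added example (not from the original message): find X display sockets
# reachable over the network, and emit ipfw rules that block them.
# Assumed: sockstat -4l column order USER COMMAND PID FD PROTO LOCAL FOREIGN,
# and FreeBSD 4.x ipfw rule syntax.

# Constructed sample of "sockstat -4l" output. On a real host replace it with:
#   x_tcp_listeners "$(sockstat -4l)"
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     XFree86    312    3 tcp4   *:6000                *:*
root     sshd       210    4 tcp4   *:22                  *:*
frank    XFree86    455    5 tcp4   127.0.0.1:6001        *:*'

# x_tcp_listeners LISTING
#   Prints "PID LOCAL-ADDRESS" for every TCP socket on an X display port
#   (6000-6063) bound to the wildcard address, i.e. reachable from other
#   hosts. Loopback-only binds such as 127.0.0.1:6001 are not reported,
#   since they are not the remote-access exposure the thread is about.
x_tcp_listeners() {
    printf '%s\n' "$1" | awk '
        $5 ~ /^tcp/ {
            n = split($6, a, ":")        # LOCAL ADDRESS is "addr:port"
            port = a[n] + 0
            if (port >= 6000 && port <= 6063 && a[1] == "*")
                print $3, $6
        }'
}

# x_ipfw_rules [BASE]
#   Emits ipfw commands that let X traffic over the loopback interface
#   through (local clients keep working) and deny inbound TCP to the display
#   ports from anywhere else. BASE is the first rule number (default 1000)
#   and should sort before any broad "allow" rule in the ruleset.
x_ipfw_rules() {
    base=${1:-1000}
    echo "ipfw add $base allow tcp from any to any 6000-6063 via lo0"
    echo "ipfw add $((base + 1)) deny tcp from any to me 6000-6063 in"
}

# Stand-alone run: report exposed display sockets, then the rules to add.
x_tcp_listeners "$SAMPLE_SOCKSTAT"
x_ipfw_rules 1000
```

The check is worth running after any X upgrade regardless of which way the port's default points: a server started with -nolisten tcp shows no `*:6000` entry at all, and one started the old way shows it even when the ipfw rule is in place, which is exactly why the firewall rule and the server option are complementary rather than interchangeable.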