From owner-freebsd-hackers  Tue Apr 23 16:38: 9 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from wantadilla.lemis.com (wantadilla.lemis.com [192.109.197.80])
	by hub.freebsd.org (Postfix) with ESMTP
	id F361837B416; Tue, 23 Apr 2002 16:37:50 -0700 (PDT)
Received: by wantadilla.lemis.com (Postfix, from userid 1004)
	id 30A30814A8; Wed, 24 Apr 2002 09:07:49 +0930 (CST)
Date: Wed, 24 Apr 2002 09:07:49 +0930
From: Greg 'groggy' Lehey <grog@FreeBSD.org>
To: Daniel Eischen <eischen@pcnet1.pcnet.com>
Cc: Frank Mayhar <frank@exit.com>,
	Terry Lambert <tlambert2@mindspring.com>,
	Robert Watson <rwatson@FreeBSD.ORG>,
	Jordan Hubbard <jkh@winston.freebsd.org>,
	Oscar Bonilla <obonilla@galileo.edu>,
	Anthony Schneider <aschneid@mail.slc.edu>,
	Mike Meyer <mwm-dated-1019955884.8b118e@mired.org>,
	hackers@FreeBSD.ORG
Subject: Re: More about security, X, rc.conf and changing defaults.
Message-ID: <20020424090749.P6425@wantadilla.lemis.com>
References: <200204231953.g3NJrunH025061@realtime.exit.com> <Pine.GSO.4.10.10204231624120.25950-100000@pcnet1.pcnet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.GSO.4.10.10204231624120.25950-100000@pcnet1.pcnet.com>
User-Agent: Mutt/1.3.23i
Organization: The FreeBSD Project
Phone: +61-8-8388-8286
Fax: +61-8-8388-8725
Mobile: +61-418-838-708
WWW-Home-Page: http://www.FreeBSD.org/
X-PGP-Fingerprint: 9A1B 8202 BCCE B846 F92F  09AC 22E6 F290 507A 4223
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG

On Tuesday, 23 April 2002 at 16:35:55 -0400, Daniel Eischen wrote:
> On Tue, 23 Apr 2002, Frank Mayhar wrote:
>> Terry Lambert wrote:
>>> FWIW: I wouldn't object to a firewall rule that disallowed remote
>>> TCP connections to the X server by default, if the firewall is
>>> enabled.  I think we already have this...
>>
>> Yep, I agree, and whether or not it's in the distributed rc.firewall, I
>> have the ports blocked in my hand-tuned version.
>>
>> As to Stijn's remarks, he is putting up a strawman at best.  If a person
>> runs X, it should be their responsibility to make sure that it's secure.
>> Just like if they ran Windows or any other software with potential security
>> holes.  X is plastered with warnings as it is, why do we need to cripple a
>> function it supports?  Stijn, if it "opens up a hole in your network,"
>> that's _your_ problem, not mine.  There are many other ways to secure your
>> network than by turning off tcp connections by default in the X server.
>> Hey, I'm not objecting to adding the capability, I'm just objecting to
>> the fact that it was imposed upon everyone else by fiat and (worse) without
>> warning.
>>
>> And before people start saying again that this only affects a port and is
>> irrelevant to the operating system itself, this is one symptom of what I
>> see as a worsening problem.
>
> I agree also.  Remember what has been stated before, "Tools, not Policy".
> If we want to disable this by default, then there should be a customary
> knob _where people expect/can see it_.  And if we are lacking the
> mechanism to do it, then the change should wait until it is present.
> It shouldn't be hacked into an unexpected place.

Agreed entirely.

> I would like to see this backed out.

I think it would be reasonable to fix it by tying it to the
securelevel.

Greg
--
See complete headers for address and phone numbers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message