From owner-freebsd-hackers Wed Apr 24 2:40:29 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from scaup.prod.itd.earthlink.net (scaup.mail.pas.earthlink.net [207.217.120.49]) by hub.freebsd.org (Postfix) with ESMTP id 9FC7A37B41D; Wed, 24 Apr 2002 02:40:23 -0700 (PDT)
Received: from pool0066.cvx21-bradley.dialup.earthlink.net ([209.179.192.66] helo=mindspring.com) by scaup.prod.itd.earthlink.net with esmtp (Exim 3.33 #2) id 170JDk-0005BN-00; Wed, 24 Apr 2002 02:37:52 -0700
Message-ID: <3CC67CD3.A16A0F66@mindspring.com>
Date: Wed, 24 Apr 2002 02:37:23 -0700
From: Terry Lambert
X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony} (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Robert Watson
Cc: Greg 'groggy' Lehey, Jordan Hubbard, Oscar Bonilla, Anthony Schneider, Mike Meyer, hackers@FreeBSD.ORG
Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Robert Watson wrote:
> On Wed, 24 Apr 2002, Greg 'groggy' Lehey wrote:
> > > A more conservative default configuration results in a material
> > > improvement in system security.
> >
> > *snip*
>
> By snipping here, you removed reference to the fact that this was a
> general discussion of direction and policy, rather than specifically to do
> with X11, which provides an answer to a number of your questions.

People really try to avoid policy decisions; they trap them into doing
in the future what they say now that they will do in the future (damned
consistency!).

> As indicated, not all of these criteria may apply in every case -- this
> was just a suggested list of criteria that might be applied. There have
> been a number of vulnerabilities in a number of different X protocol
> implementations. Many of them require first getting past the normal X
> access control mechanisms before they may be exploited, but not all.

??? Which ones don't require that?

The only ones I can think of are TCP vulnerabilities (as I said before),
and you aren't going to fix a TCP vulnerability unless you turn off *all*
TCP-based services, not just X11.

> If you think that's a problem, then you didn't read my e-mail. However,
> there is actually a great deal of relevance here: protocol and
> implementation complexity have a lot to do with the chances that there
> will be a serious vulnerability. Likewise, the level of privilege
> associated with X11 is highly relevant: if you compromise the X server,
> you've got a lot to play with.

I keep hearing "complexity := vulnerability". I'd really, really like
to see a mathematical proof of this theory.

[ ... ]

> We adapt a number of applications for the FreeBSD environment and
> configuration. A more common way to distinguish our localizations is
> through a WITH_GRATUITOUS_LOCAL_CHANGES make argument, or via an
> interactive interface (for example, ghostscript). 8-)

8-) I like it.

[ ... ]

> If we can expose this feature via
> rc.conf, just make it a separate rc.conf entry and twiddle it off of the
> security configuration menu in sysinstall. Is that something we can do
> easily?

I think the way to do this is with firewall rules.

Making everything read rc.conf is a pretty useless thing to do. It's
also dangerous to make a single rc.conf line apply to more than one
thing, since then it permits alternate (potentially conflicting)
interpretations of meaning.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
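Terry's suggestion above, that the X11 TCP exposure be handled with firewall rules rather than an rc.conf knob, expressed as a small ipfw ruleset generator. This is an added example and not code from the thread or from FreeBSD; it assumes that X display N listens on TCP port 6000+N (so displays :0 to :63 cover 6000-6063), that the outside interface name passed in (for example fxp0) is correct for the host, and that the rule numbers chosen do not collide with an existing ruleset. Loopback clients keep working; only new inbound connections to the X ports on the outside interface are dropped and logged, so the rest of the host's TCP services are untouched.

```shell
#!/bin/sh
# Added example (not from the thread): confine the X server's TCP listener
# with ipfw rules instead of a separate rc.conf entry.
# Assumptions: display N <=> TCP port 6000+N; $1 names the outside
# interface; $2 is a free starting rule number.

# Emit (do not apply) the ipfw commands covering displays :0 .. :(N-1).
#   $1 = outside interface (assumed name, e.g. fxp0)
#   $2 = first rule number
#   $3 = number of displays to cover, 1..64 (default 64)
x11_ipfw_rules() {
    iface="$1"
    base="$2"
    ndisp="${3:-64}"
    # Reject non-numeric or out-of-range display counts before building ports.
    case "$ndisp" in
        ''|*[!0-9]*)
            echo "x11_ipfw_rules: display count must be numeric" >&2
            return 1 ;;
    esac
    if [ "$ndisp" -lt 1 ] || [ "$ndisp" -gt 64 ]; then
        echo "x11_ipfw_rules: display count must be between 1 and 64" >&2
        return 1
    fi
    first=6000
    last=$((first + ndisp - 1))
    # Local clients still reach the server over loopback.
    echo "ipfw add $base allow tcp from 127.0.0.1 to 127.0.0.1 $first-$last"
    # New inbound connections (SYN without ACK, the ipfw 'setup' keyword)
    # to the X ports on the outside interface are dropped and logged.
    echo "ipfw add $((base + 10)) deny log tcp from any to any $first-$last in via $iface setup"
}

# Apply the rules when ipfw is present; elsewhere just print them for review.
x11_ipfw_apply() {
    if command -v ipfw >/dev/null 2>&1; then
        x11_ipfw_rules "$@" | sh
    else
        x11_ipfw_rules "$@"
    fi
}
```

Run it as `x11_ipfw_apply fxp0 1000` on the host; on a machine without ipfw it only prints the two rules, which is a convenient way to review them before they go into an rc firewall script.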