Date: Tue, 23 Apr 2002 08:33:11 -0300 From: "Daniel C. Sobral" <dcs@newsguy.com> To: Jochem Kossen <j.kossen@home.nl> Cc: "Greg 'groggy' Lehey" <grog@FreeBSD.ORG>, hackers@FreeBSD.ORG Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?) Message-ID: <3CC54677.78F358D9@newsguy.com> References: <rwatson@FreeBSD.ORG> <11670.1019530386@winston.freebsd.org> <20020423131646.I6425@wantadilla.lemis.com> <200204231009.51297.j.kossen@home.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
Jochem Kossen wrote: > > *shrug* I was the one who sent in the patch. It was added some time > around 2001/10/26 to the XFree86-4 megaport. When the metaport was > created, the patch was incorporated too. > > A simple 'man startx' should have cleared your mind: > > Except for the '-listen_tcp' option, arguments immediately > following the startx command are used to start a client in > the same manner as xinit(1). The '-listen_tcp' option of > startx enables the TCP/IP transport type which is needed > for remote X displays. This is disabled by default for > security reasons. > ... > > I'd agree with option 2. Except that people trying to use X with tcp > connections probably won't look in the security policy document for a > solution. In the case of the X patch, i'd add it to the release notes > AND the security policy document, since - i think - few people will > look in the security policy document for such a problem. > > I do have to say you're the first one I see who complains about this... Well, since I have only complained, however loudly, on the irc channel, let me pipe in. It is inconvenient, to say the least, to have to exit X after over 40 shell sessions are open because you suddenly realize X just stopped opening the TCP port out of nothing after you last upgraded it. Or because you forgot to use the -listen_tcp option, not unusual since I never needed it before. An changing the script is not good enough either, since a portupgrade -a may change it back. Do you use remote X clients at all? Because I cannot conceive of a person who does and cannot understand how against POLA this change is. The -listen_tcp option is ridiculous to me. You must never *HAVE* to resort to a parameter for a thing which is not only the default but the the _only_ way you want it. The port *SHOULD* indicate that the listen port is no longer the default, and the *MUST* be a way of saying you want it always, either a port option so I can put it in make.conf, or an environment variable so I can put it in login.conf. But security is good. As a matter of fact, I'll change loader not to load a kernel by default, since this is a security hole in case the machine reboots. But don't worry, I'll document it in loader(8). -- Daniel C. Sobral (8-DCS) dcs@newsguy.com dcs@freebsd.org capo@international.bsdconspiracy.net "They did what they could to help her, using human skills -- and then, when that failed, left it in the hands of the gods. In this case," he bowed slightly, "myself. Like it or not," the demon continued, "that is my status in this region. Take it up with my priests if it bothers you." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3CC54677.78F358D9>