From: Bryan Paxton (evil7@deadhorse.net)
Date: Tue Jan 29 2002 - 21:40:09 CST


    On Tue, 2002-01-29 at 21:18, Vincent Danen wrote:
    > On Tue Jan 29, 2002 at 08:24:30PM +0200, Tzafrir Cohen wrote:
    >
    > > > > Not really a brand new thing, but with all the MDK releases
    > > > > I tried (and I remember with Red Hat also..),
    > > > > the XFree port 6000 is open and listening.
    > > > > There are indirect security risks with this policy
    > > > > (DoS, X server freeze), so wouldn't be better to keep
    > > > > that port closed by default?
    > > > > Joe User -and Mike PowerUser as well ;-) - don't need
    > > > > an X server listening.
    > > > > A "-nolisten tcp" parsed to DEFAULTCLIENTARGS and
    > > > > DEFAULTSERVERARGS within startx would be enough.
    > > >
    > > > I agree. I've forwarded the message and hopefully we can get this
    > > > fixed by the XFree86 maintainer.
    > >
    > > Just one thing:
    > >
    > > Make sure that Mike PowerUser can easily enable this back (and that this
    > > change will not get discarded with the next XFree upgrade), because
    > > in some places you just can't use ssh for your X connections.
    >
    > I did mention that it should be easy enough to re-enable, but should
    > be disabled by default (maybe some /etc/sysconfig setting).
    >

     Agreed... I had been pushing for this back in 7.x; glad to see
    something is finally getting done. This does have one side effect,
    however, so a little QA might want to be done: since the server is not
    listening on port 6000, the client cannot do auth with it (thus only
    local clients can run X). However, this can create a problem: some
    applications get cranky when they can't auth with X11 (which is a good
    thing). So some QA wouldn't hurt; it's always a good idea to keep the
    end user in mind when implementing new security enhancements.

    -- 
    Bryan Paxton
    Public PGP key: http://www.deadhorse.net/bpaxton.gpg
    

    "What laughter, why joy, when constantly aflame? Enveloped in darkness, don't you look for a lamp?" Dhp. 163

    For help, email discuss-help@mandrakesecure.net; to unsubscribe send a message to discuss-unsubscribe@mandrakesecure.net. To visit MandrakeSecure, go to http://www.mandrakesecure.net/.
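The switch discussed in the thread above (ship "-nolisten tcp" as the default, keep a /etc/sysconfig knob so a power user can turn TCP listening back on, and survive an XFree86 package upgrade), written out as an added POSIX sh example. This is not code from the message or from Mandrake's startx; the file name /etc/sysconfig/xserver, the variable X_LISTEN_TCP and the helper names are assumptions made for the example. Note that -nolisten tcp is an X server option, so only the server argument list is changed; the client side needs nothing. The last function is the check a practitioner runs afterwards: with the change in place, no TCP listener should appear on ports 6000-6063.

```shell
#!/bin/sh
# Added example (not from the original message, not Mandrake's startx): how a
# distribution's startx wrapper could ship "-nolisten tcp" as the default and
# still let a power user turn TCP listening back on through a sysconfig file.
# Assumed names for this example: /etc/sysconfig/xserver and X_LISTEN_TCP.

# Assumed location of the policy file; override with XSYSCONFIG=... for testing.
XSYSCONFIG=${XSYSCONFIG:-/etc/sysconfig/xserver}

# Whatever server arguments the distribution's startx already carried.
DEFAULTSERVERARGS=${DEFAULTSERVERARGS:-}

# load_xsysconfig: source the policy file if present. It may set
# X_LISTEN_TCP=yes. Because the file lives outside the XFree86 package's own
# files, a package upgrade that rewrites startx does not discard the setting.
load_xsysconfig() {
    if [ -r "$XSYSCONFIG" ]; then
        . "$XSYSCONFIG"
    fi
}

# server_args: print the argument string to hand to the X server.
# Secure default: unless X_LISTEN_TCP is exactly "yes", append "-nolisten tcp"
# so the server never binds TCP port 6000+display. "-nolisten tcp" is a server
# option, so only the server argument list changes; client args are untouched.
server_args() {
    if [ "${X_LISTEN_TCP:-no}" = "yes" ]; then
        printf '%s' "$DEFAULTSERVERARGS"
    else
        printf '%s' "${DEFAULTSERVERARGS:+$DEFAULTSERVERARGS }-nolisten tcp"
    fi
}

# x_tcp_listeners: print the local address:port of every TCP listener on the
# X display ports 6000-6063 (displays :0 to :63). Empty output is the desired
# state after the change. Uses ss or netstat, whichever is installed; both
# print the local address in the fourth column.
x_tcp_listeners() {
    {
        if command -v ss >/dev/null 2>&1; then
            ss -ltn 2>/dev/null
        elif command -v netstat >/dev/null 2>&1; then
            netstat -ltn 2>/dev/null
        fi
    } | awk '$4 ~ /:(60[0-5][0-9]|606[0-3])$/ { print $4 }'
}

# When run directly: show what startx would pass, then check the ports.
load_xsysconfig
echo "X server args: $(server_args)"
echo "TCP listeners on X display ports (should be none):"
x_tcp_listeners
```

To re-enable remote clients on a box where ssh forwarding is not an option, the user writes `X_LISTEN_TCP=yes` into the assumed /etc/sysconfig/xserver and restarts X; everyone else keeps the closed port without touching startx itself.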