From: Vincent Danen (vdanen@mandrakesoft.com)
Date: Wed Jan 30 2002 - 17:15:06 CST
On Tue Jan 29, 2002 at 09:40:09PM -0600, Bryan Paxton wrote:
> > > > > Not really a brand new thing, but with all the MDK releases
> > > > > I tried (and I remember with Red Hat also..),
> > > > > the XFree port 6000 is open and listening.
> > > > > There are indirect security risks with this policy
> > > > > (DoS, X server freeze), so wouldn't be better to keep
> > > > > that port closed by default?
> > > > > Joe User -and Mike PowerUser as well ;-) - don't need
> > > > > an X server listening.
> > > > > A "-nolisten tcp" parsed to DEFAULTCLIENTARGS and
> > > > > DEFAULTSERVERARGS within startx would be enough.
> > > >
> > > > I agree. I've forwarded the message and hopefully we can get this
> > > > fixed by the XFree86 maintainer.
> > >
> > > Just one thing:
> > >
> > > Make sure that Mike PowerUser can easily enable this back (and that this
> > > change will not get discarded with the next XFree upgrade), because
> > > in some places you just can't use ssh for your X connections.
> >
> > I did mention that it should be easy enough to re-enable, but should
> > be disabled by default (maybe some /etc/sysconfig setting).
>
> Agreed... I had been pushing for this back in 7.x, glad to see
> something is finally getting done. This does have one side effect
> however, a QA might want to be done a little, since the server is not
> listening on port 6000, the client can not do auth with it (thus only
> local can run X). However, this can create a problem, some applications
> get cranky when they can't auth with X11 (Which is a good thing). So,
> some QA wouldn't hurt, it's always a good idea to keep the end-user in
> mind when implementing new security enhancements.
Absolutely. It needs to be done in a way that is easy to undo and
will work as expected despite how it is set.
Personally, I think this might be something for msec to take care of...
-- 
MandrakeSoft Security, OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
Current Linux kernel 2.4.8-34.1mdk uptime: 7 days 21 hours 12 minutes.
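As an added example that is not part of the thread or of Mandrake's startx, the following POSIX shell sketches the change discussed above: a "-nolisten tcp" default for DEFAULTSERVERARGS that an administrator can switch back on through a hypothetical /etc/sysconfig/xserver setting X_LISTEN_TCP=yes, plus a check that reads a /proc/net/tcp-style table to verify whether display :0 (TCP port 6000) is still bound after the change.

```shell
#!/bin/sh
# Added example (not from the thread or from Mandrake's startx).
# The settings file and its X_LISTEN_TCP key are hypothetical.

# x_server_args FILE
# Print the DEFAULTSERVERARGS to hand to the X server. A missing file or
# any value other than yes/1 keeps the TCP listener off (the safe default).
x_server_args() {
    listen=no
    if [ -r "$1" ]; then
        # Take the last X_LISTEN_TCP= assignment, strip quotes and spaces.
        v=$(sed -n 's/^[[:space:]]*X_LISTEN_TCP=//p' "$1" | tail -n 1 | tr -d '"'\'' ')
        case "$v" in
            [Yy][Ee][Ss]|1) listen=yes ;;
        esac
    fi
    if [ "$listen" = yes ]; then
        printf '%s\n' ""
    else
        printf '%s\n' "-nolisten tcp"
    fi
}

# x_tcp_listening TABLE [DISPLAY]
# Return 0 when TABLE (the live /proc/net/tcp or a saved copy) shows a
# socket in LISTEN state (st == 0A) on port 6000+DISPLAY, 1 otherwise.
x_tcp_listening() {
    table=$1
    port=$((6000 + ${2:-0}))
    hexport=$(printf '%04X' "$port")
    # Field 2 is local_address as hex ip:port; field 4 is the socket state.
    awk -v p=":$hexport" 'NR > 1 && substr($2, length($2) - 4) == p && $4 == "0A" { found = 1 }
                          END { exit found ? 0 : 1 }' "$table"
}

# Constructed sample in /proc/net/tcp format: sshd on port 22 and an X
# server on port 6000, both listening on all interfaces.
sample_tcp_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 100 0 0 10 0
EOF
}

# Demo on the constructed table only; it does not touch the live system.
demo=$(mktemp)
sample_tcp_table > "$demo"
if x_tcp_listening "$demo" 0; then
    echo "display :0 is bound over TCP; startx should pass: $(x_server_args /etc/sysconfig/xserver)"
fi
rm -f "$demo"
```

Pointing x_tcp_listening at the live /proc/net/tcp after restarting X is the QA step the thread asks for: the port must be gone by default and come back only when the setting is flipped.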