Re: [discuss] Observations on 9.2

From: Michael Scherer (scherer.michaelfree.fr)
Date: Thu Oct 23 2003 - 08:42:43 CDT


On Thursday 23 October 2003 14:27, Gavin Porter wrote:
> Hello,
>
> I have just installed Mandrake 9.2 in Paranoid mode and have a few
> observations.
>
> Generally, looks great and is even more smooth than 9.1
>
>
> X is defaulting to accepting TCP connections from anywhere. The
> default, particularly for the higher security levels, should be to
> disable TCP as a transport protocol to X leaving the more secure
> local domain sockets.
>
> My current approach for this is by editing /usr/X11R6/bin/startx to
> set the defaultserverargs variable to '-nolisten tcp'
>
> Do people think that this should perhaps be the default behaviour for
> all users?
>
> If not, I can build this into msec if there is some interest.

Already in.

Add
allow_x_connections (LOCAL)
allow_xserver_to_listen (no)

to /etc/security/msec/level.local

>
>
> Another problem is that X does not work when the secure kernel is
> booted. The X server loads but is then killed by the kernel. A syslog
> entry suggests this is by PAX, although I don't know what PAX is.

Yes, this is in the FAQ of the grsecurity patch.
X uses some syscall denied by the patch.

--

Mickaël Scherer
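
Added example, not part of the original thread: a way to check that the X server really has stopped listening on TCP after either change discussed above, by looking for LISTEN sockets on the X11 display ports (6000+N) in /proc/net/tcp format and for '-nolisten tcp' on the server command line. The sample table, the command lines and the 64-display scan range are constructed assumptions; only IPv4 on a little-endian host is handled.

```python
import shlex

X11_BASE_PORT = 6000      # display :N listens on TCP port 6000+N
X11_MAX_DISPLAYS = 64     # assumption: scan displays :0 to :63
TCP_LISTEN = "0A"         # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1187
   2: 0100007F:1771 0100007F:8C3E 01 00000000:00000000 00:00000000 00000000   500        0 1450
"""

def decode_ipv4(hex_addr):
    """Decode the hex IPv4 field (byte-reversed on little-endian hosts)."""
    return ".".join(str(b) for b in reversed(bytes.fromhex(hex_addr)))

def x11_tcp_listeners(proc_net_tcp):
    """Return (address, port, display) for each listening X11 TCP socket."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue                                # not a listening socket
        hex_addr, hex_port = fields[1].split(":")
        port = int(hex_port, 16)
        if X11_BASE_PORT <= port < X11_BASE_PORT + X11_MAX_DISPLAYS:
            display = ":%d" % (port - X11_BASE_PORT)
            found.append((decode_ipv4(hex_addr), port, display))
    return found

def has_nolisten_tcp(cmdline):
    """True if the server command line carries '-nolisten tcp'."""
    args = shlex.split(cmdline)
    return any(a == "-nolisten" and b == "tcp" for a, b in zip(args, args[1:]))

if __name__ == "__main__":
    for addr, port, display in x11_tcp_listeners(SAMPLE_PROC_NET_TCP):
        print("X display %s reachable over TCP on %s:%d" % (display, addr, port))
    # Constructed command line for illustration.
    print(has_nolisten_tcp("/usr/X11R6/bin/X :0 -nolisten tcp"))
```

On a live system, pass the contents of /proc/net/tcp and the X server's command line to the two functions instead of the samples; an empty listener list is the expected result once TCP is disabled.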