From: "roland@webde"
To: "Keith Whitwell", "Keith Packard"
Reply-To: cygwin-xfree@cygwin.com
Subject: Re: security, cvs, was Re: interface bindings of x-server
Date: Wed, 19 Nov 2003 09:22:00 -0000

hi

> Yep - network transparency is all well & good, but do you really want
> something as complex as the X server sitting there with an open port to the world?

exactly _THIS_ _IS_ what causes my headache!
there _IS_ something as complex as the X server sitting there with an open port to the world - per default!
the only chance to get rid of it is to use a unix domain socket (via -nolisten tcp) OR to add the option to specify the interface bindings and be able to bind it to local loopback ONLY. I'd prefer the second one.

BTW: on a server "out there on the internet" i even run samba - and i'm sure it never gets hacked cause of a samba exploit. why? because i bound it to 127.0.0.1 only - and i'm doing ssh port forwarding with that.

ahhhh - btw - i see:
on http://www.tightvnc.com/changelog-unix.html

2001-01-17 01:55 const
Xvnc/programs/Xserver/hw/vnc/: init.c, rfb.h, sockets.c: Support for Xvnc -interface option added (patch from Tim Waught).

feature seems to be in tightvnc already - so maybe we just need some code transfer (since vnc is xfree86 based) ? ;)

regards
roland

----- Original Message -----
From: "Keith Whitwell"
To: "Keith Packard"
Cc: "roland@webde"; "dri-devel"
Sent: Wednesday, November 19, 2003 9:15 AM
Subject: security, cvs, was Re: interface bindings of x-server

> Keith Packard wrote:
> > Around 2 o'clock on Nov 19, "roland@webde" wrote:
> >
> >
> >>Keith, could you put this (being able to specify the interface bindings of
> >>the xserver on the commandline) as a feature request on
> >>http://www.freedesktop.org/Software/XserverWishlist if you find this feature
> >>request useful ? i registered a wiki account, but logging in doesn't seem to
> >>work for me.
> >
> >
> > I'd like to switch the server so that -nolisten tcp is the default; I
> > don't see much sense in having it listen to even 127.0.0.1. But, if you
> > wanted to make the list of IP addresses that the server bound to
> > configurable, that seems like a good idea.
>
> Yep - network transparency is all well & good, but do you really want
> something as complex as the X server sitting there with an open port to the world?
>
> On a related issue, does anyone understand what the actual flaw in pserver CVS
> is that allowed the linux backdoor attempt? There's been a lot of talk about
> the implications of the attempt, but I haven't heard anyone come out and say
> "This is the fault in CVS, here's a patch, everything's ok now".
>
> Is it foolhardy to continue running anoncvs, especially without the checks &
> balances which caught the backdoor attempt in linux?
>
> Keith
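
Added example (not from this thread, and not code from the X server or TightVNC): a listener audit for the exposure discussed above, separating X11 TCP sockets bound only to loopback from those bound to every interface. The `ss -ltn` style sample is constructed, and the 6000-6063 display port range and all function names are assumptions of this example.

```python
import ipaddress

# Assumption of this example: display :N listens on TCP 6000+N, N in 0..63.
X11_BASE, X11_MAX_DISPLAY = 6000, 63

# Constructed sample in the layout of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
LISTEN 0      128    127.0.0.1:6001     0.0.0.0:*
LISTEN 0      128    [::]:6002          [::]:*
LISTEN 0      128    [::1]:6003         [::]:*
LISTEN 0      50     127.0.0.1:445      0.0.0.0:*
LISTEN 0      128    192.0.2.10:22      0.0.0.0:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port', '[v6]:port' or '*:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    addr = addr.strip("[]").split("%")[0]  # drop brackets and any %iface scope
    return addr, int(port)

def is_loopback_only(addr):
    """True only when the bind address cannot be reached from another host."""
    if addr in ("*", ""):
        return False  # wildcard: every interface
    return ipaddress.ip_address(addr).is_loopback

def audit_x11_listeners(ss_text):
    """Return [(display, addr, exposed)] for every listening X11 TCP socket."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, port = split_endpoint(fields[3])
        if X11_BASE <= port <= X11_BASE + X11_MAX_DISPLAY:
            findings.append((port - X11_BASE, addr, not is_loopback_only(addr)))
    return findings

if __name__ == "__main__":
    for display, addr, exposed in audit_x11_listeners(SAMPLE_SS):
        status = "EXPOSED" if exposed else "loopback only"
        print(f"display :{display} bound to {addr}: {status}")
```

A server started with -nolisten tcp produces no rows at all in this audit, since it has no TCP listener.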