This is the mail archive of the cygwin-xfree@cygwin.com mailing list for the Cygwin XFree86 project.



Re: security, cvs, was Re: interface bindings of x-server


hi

> Yep - network transparency is all well & good, but do you really want
> something as complex as the X server sitting there with an open port to the world?
exactly _THIS_ _IS_ what causes my headache! there _IS_ something as complex as the X server
sitting there with an open port to the world - by default!
the only chance to get rid of it is to use unix domain sockets (via -nolisten tcp) OR to
add the option to specify the interface bindings and be able to bind it to local loopback
ONLY. i'd prefer the second one.
BTW: on a server "out there on the internet" i even run samba - and i'm sure it never gets
hacked cause of a samba exploit. why? because i bound it to 127.0.0.1 only - and i'm doing
ssh port forwarding with that.

ahhhh - btw - i see:
on http://www.tightvnc.com/changelog-unix.html
2001-01-17 01:55 const
Xvnc/programs/Xserver/hw/vnc/: init.c, rfb.h, sockets.c: Support for Xvnc -interface
option added (patch from Tim Waught).

feature seems to be in tightvnc already - so maybe we need just some code transfer (since vnc is xfree86
based) ? ;)

regards
roland



----- Original Message ----- 
From: "Keith Whitwell" <keith@tungstengraphics.com>
To: "Keith Packard" <keithp@keithp.com>
Cc: "roland@webde" <devzero@web.de>; <cygwin-xfree@cygwin.com>; <xserver@pdx.freedesktop.org>; "dri-devel"
<dri-devel@lists.sourceforge.net>
Sent: Wednesday, November 19, 2003 9:15 AM
Subject: security, cvs, was Re: interface bindings of x-server


> Keith Packard wrote:
> > Around 2 o'clock on Nov 19, "roland@webde" wrote:
> >
> >
> >>Keith, could you put this (being able to specify the interface bindings of
> >>the xserver on the commandline) as a feature request on
> >>http://www.freedesktop.org/Software/XserverWishlist if you find this feature
> >>request useful ? i registered a wiki account, but logging in doesn't seem to
> >>work for me.
> >
> >
> > I'd like to switch the server so that -nolisten tcp is the default; I
> > don't see much sense in having it listen to even 127.0.0.1.  But, if you
> > wanted to make the list of IP addresses that the server bound to
> > configurable, that seems like a good idea.
>
> Yep - network transparency is all well & good, but do you really want
> something as complex as the X server sitting there with an open port to the world?
>
> On a related issue, does anyone understand what the actual flaw in pserver CVS
> is that allowed the linux backdoor attempt?  There's been a lot of talk about
> the implications of the attempt, but I haven't heard anyone come out and say
> "This is the fault in CVS, here's a patch, everything's ok now".
>
> Is it foolhardy to continue running anoncvs, especially without the checks &
> balances which caught the backdoor attempt in linux?
>
> Keith
>
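
The difference the thread turns on, an X server listening on every interface versus one bound to loopback only, can be checked on a running host. The following is an added example, not part of the original messages: it parses constructed `netstat -an`-style lines and classifies each X11 TCP listener by bind address. The port convention (6000 + display number), the display range and the sample lines are assumptions of the example.

```python
import ipaddress
import re

# Assumption: X11 display :N listens on TCP port 6000+N; the upper bound of
# 64 displays is a choice made for this example, not an X server limit.
X11_PORTS = range(6000, 6064)

# Constructed sample in the style of `netstat -an` output (not from the thread).
SAMPLE = """\
  TCP    0.0.0.0:6000       0.0.0.0:0       LISTENING
  TCP    127.0.0.1:6001     0.0.0.0:0       LISTENING
  TCP    192.0.2.10:6002    0.0.0.0:0       LISTENING
  TCP    [::]:6000          [::]:0          LISTENING
  TCP    0.0.0.0:445        0.0.0.0:0       LISTENING
  TCP    127.0.0.1:6003     127.0.0.1:1234  ESTABLISHED
"""

ENDPOINT = re.compile(r"^\[?([0-9A-Fa-f:.*]+)\]?:(\d+)$")


def classify(host):
    """Return 'loopback', 'wildcard', 'interface' or 'unknown' for a bind address."""
    if host == "*":
        return "wildcard"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if addr.is_loopback:
        return "loopback"
    return "wildcard" if addr.is_unspecified else "interface"


def audit_x11_listeners(text):
    """Return a list of (display, address, exposure) for listening X11 TCP sockets."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if not any(f.upper() in ("LISTEN", "LISTENING") for f in fields):
            continue
        # The first address:port field is the local endpoint (netstat and ss alike).
        for field in fields:
            m = ENDPOINT.match(field)
            if m:
                host, port = m.group(1), int(m.group(2))
                if port in X11_PORTS:
                    findings.append((port - 6000, host, classify(host)))
                break
    return findings
```

Any entry whose exposure is not `loopback` is a listener that only a firewall, not the bind address, keeps off the network; with `-nolisten tcp` the list is empty.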

