hi

> Yep - network transparency is all well & good, but do you really want
> something as complex as the X server sitting there with an open port to the world?

exactly _THIS_ _IS_ what causes my headache!
there _IS_ something as complex as the X server sitting there with an open port to the world - per default!

the only chance to get rid of it, is to use unix domain socket (via -nolisten tcp) OR to add the option, to specify the interface bindings and be able to bind it to local loopback ONLY. I'd prefer the second one.

BTW: on a server "out there on the internet" i even run samba - and i'm sure it never gets hacked cause of a samba exploit. why? because i bound it to 127.0.0.1 only - and i'm doing ssh portforwarding with that.

ahhhh - btw - i see:

on http://www.tightvnc.com/changelog-unix.html

2001-01-17 01:55 const
Xvnc/programs/Xserver/hw/vnc/: init.c, rfb.h, sockets.c: Support for Xvnc -interface option added (patch from Tim Waught).

feature seems to be in tightvnc already - so maybe we need just some code transfer (since vnc is xfree86 based) ? ;)

regards
roland

----- Original Message -----
From: "Keith Whitwell" <[EMAIL PROTECTED]>
To: "Keith Packard" <[EMAIL PROTECTED]>
Cc: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "dri-devel" <[EMAIL PROTECTED]>
Sent: Wednesday, November 19, 2003 9:15 AM
Subject: security, cvs, was Re: interface bindings of x-server

> Keith Packard wrote:
> > Around 2 o'clock on Nov 19, "[EMAIL PROTECTED]" wrote:
> >
> >
> >>Keith, could you put this (being able to specify the interface bindings of
> >>the xserver on the commandline) as a feature request on
> >>http://www.freedesktop.org/Software/XserverWishlist if you find this feature
> >>request useful ? i registered a wiki account, but logging in doesn't seem to
> >>work for me.
> >
> >
> > I'd like to switch the server so that -nolisten tcp is the default; I
> > don't see much sense in having it listen to even 127.0.0.1. But, if you
> > wanted to make the list of IP addresses that the server bound to
> > configurable, that seems like a good idea.
>
> Yep - network transparency is all well & good, but do you really want
> something as complex as the X server sitting there with an open port to the world?
>
> On a related issue, does anyone understand what the actual flaw in pserver CVS
> is that allowed the linux backdoor attempt? There's been a lot of talk about
> the implications of the attempt, but I haven't heard anyone come out and say
> "This is the fault in CVS, here's a patch, everything's ok now".
>
> Is it foolhardy to continue running anoncvs, especially without the checks &
> balances which caught the backdoor attempt in linux?
>
> Keith
>
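
The exposure discussed in this thread (an X server listening on TCP 6000+N on every interface instead of on loopback only, or not at all with -nolisten tcp) can be audited from the kernel's socket table. The following is an added example, not part of the original message or of any project's code: it parses text in the Linux /proc/net/tcp layout and reports X11 listeners bound to a non-loopback address. The sample table is constructed, a little-endian host is assumed, and the 64-display range and function names are choices made for this illustration; IPv6 (/proc/net/tcp6) is not covered.

```python
import ipaddress
import socket
import struct

# Constructed sample in Linux /proc/net/tcp layout (little-endian host assumed).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:1771 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0100007F:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0A00000A:1770 0B00000A:C350 01 00000000:00000000 00:00000000 00000000  1000        0 1004 1
"""

TCP_LISTEN = 0x0A       # kernel state code for a listening socket
X11_BASE_PORT = 6000    # display :N listens on TCP 6000+N
X11_MAX_DISPLAYS = 64   # assumption: audit displays :0 through :63


def parse_listeners(text):
    """Yield (ip, port) for every socket in LISTEN state."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The address is a host-order u32 printed as hex; "<I" assumes little-endian.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        yield ipaddress.ip_address(ip), int(hex_port, 16)


def exposed_x11_listeners(text):
    """Return X11 TCP listeners bound to anything other than loopback."""
    findings = []
    for ip, port in parse_listeners(text):
        display = port - X11_BASE_PORT
        if 0 <= display < X11_MAX_DISPLAYS and not ip.is_loopback:
            findings.append((str(ip), port, f":{display}"))
    return findings


if __name__ == "__main__":
    for ip, port, display in exposed_x11_listeners(SAMPLE_PROC_NET_TCP):
        print(f"X display {display} listening on {ip}:{port} (not loopback)")
```

On a live Linux host the same function can be fed the contents of /proc/net/tcp; a server started with -nolisten tcp produces no X11 rows at all.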
