Wasn't asked but i'm answering anyway ;)
On Fri, 24 Sep 1999 [EMAIL PROTECTED] wrote:
>
> "Be careful with xhost. Xwindows tends to have lots of security issues
> (http://www.securityportal.com/list-archive/bugtraq/). Setting "xhost
> +" will allow *anybody* to make a connection to your box on port 6000.
> It is much better to specify the specific hosts that you wish to allow
> to connect by entering xhost [IP address of hostname]. For example,
> "xhost 192.168.0.5""
>
> Sorry about bugging you, but as the maintainer of MandrakeUser.Org I
> have some
> questions about this. I hope you can spend some time on answering them:
>
> You're not bugging me. These are excellent questions. BTW, as for
> mandrakeusr.org, my hat's off to you (pun intended). I like what you're
> doing there. Please keep it up.
>
> 1) What if the user hasn't assigned an IP address to his machine? Will
> "127.0.0.1" be as secure as specifying a distinct IP? Does it make his
> machine
> vunerable if he goes online?
127.0.0.1 _is_ a distinct IP. DISPLAY=127.0.0.1:0 or DISPLAY=:0 will work
DISPLAY=127.0.0.2:0 (it's the same machine just diff ip) however will not.
You'll run into problems maybe with dynamic ip'd connections doing this,
eventualy.
> It is all too easy to get into bad security habits when using a
> standalong linux box. Using root instead of an ordinary user ID, using
> cheesey passwords, and so on. Allowing X connections from anywhere is a
> minor sin, but easily avoidable. Bad security habits that one can get
> away with on standalone machine become deadly when transferred to
> production environments. As the saying goes, "old habits die hard".
> Security habits die harder than most budding sysadmins think.
>
> 2) If not, what would you think is a secure measure for such users?
xhost +local:
aliviates any IP changeing problems but still opens your X display to any
one that can get access to the machine.
> A user of a standalone machine should behave as if the system were a
> production system on the Internet. Doing so will make for better
> real-world system administration, (and security administration,
> something that is inherent in system administration), skills and habits.
>
> 3) Can you think of an secure, automated way of opening the display for
> root?
man xauth, he's your bestest friend..
> Using SSH is one way to mitigate security concerns. Specifying only
> localhost as the display is another good thing to do. I'm sure there
> are other measures one can take, but security must always be weighed
> against utility. Ultimately, there is no such thing as security, only
> mitigation of INsecurity.
>
> Cheers,
>
> PES
>
I'm not saying he was wrong i just wanted to add to it..
toodles.
--
MandrakeSoft http://www.mandrakesoft.com/
--Axalon
