Do you know how to turn off screensaver so that it doesn't go blank at the
command interpreter?  Please let me know if you do.

----- Original Message -----
From: Axalon Bloodstone <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 24, 1999 1:29 PM
Subject: RE: RE: Re: [expert] KDE, GNOME, and Enlightenment


>
> Wasn't asked but I'm answering anyway ;)
>
> On Fri, 24 Sep 1999 [EMAIL PROTECTED] wrote:
>
> >
> > "Be careful with xhost.  Xwindows tends to have lots of security issues
> > (http://www.securityportal.com/list-archive/bugtraq/).  Setting "xhost
> > +" will allow *anybody* to make a connection to your box on port 6000.
> > It is much better to specify the specific hosts that you wish to allow
> > to connect by entering xhost [IP address of hostname].  For example,
> > "xhost 192.168.0.5""
> >
> > Sorry about bugging you, but as the maintainer of MandrakeUser.Org I
> > have some questions about this. I hope you can spend some time on
> > answering them:
> >
> > You're not bugging me.  These are excellent questions.  BTW, as for
> > mandrakeusr.org, my hat's off to you (pun intended).  I like what you're
> > doing there.  Please keep it up.
> >
> > 1) What if the user hasn't assigned an IP address to his machine? Will
> > "127.0.0.1" be as secure as specifying a distinct IP? Does it make his
> > machine vulnerable if he goes online?
>
> 127.0.0.1 _is_ a distinct IP. DISPLAY=127.0.0.1:0 or DISPLAY=:0 will work;
> DISPLAY=127.0.0.2:0 (it's the same machine just diff ip) however will not.
> You'll run into problems maybe with dynamic ip'd connections doing this,
> eventually.
>
> > It is all too easy to get into bad security habits when using a
> > standalone linux box.  Using root instead of an ordinary user ID, using
> > cheesy passwords, and so on.  Allowing X connections from anywhere is a
> > minor sin, but easily avoidable.  Bad security habits that one can get
> > away with on standalone machine become deadly when transferred to
> > production environments.  As the saying goes, "old habits die hard".
> > Security habits die harder than most budding sysadmins think.
> >
> > 2) If not, what would you think is a secure measure for such users?
>
> xhost +local:
> alleviates any IP changing problems but still opens your X display to
> anyone that can get access to the machine.
>
> > A user of a standalone machine should behave as if the system were a
> > production system on the Internet.  Doing so will make for better
> > real-world system administration, (and security administration,
> > something that is inherent in system administration), skills and habits.
> >
> > 3) Can you think of a secure, automated way of opening the display for
> > root?
>
> man xauth, he's your bestest friend..
>
> > Using SSH is one way to mitigate security concerns.  Specifying only
> > localhost as the display is another good thing to do.  I'm sure there
> > are other measures one can take, but security must always be weighed
> > against utility.  Ultimately, there is no such thing as security, only
> > mitigation of INsecurity.
> >
> > Cheers,
> >
> > PES
> >
>
> I'm not saying he was wrong, I just wanted to add to it..
> toodles.
>
> --
> MandrakeSoft          http://www.mandrakesoft.com/
>                                         --Axalon

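The difference between `xhost +`, a specific host entry and `xhost +local:` discussed in the thread is visible in what `xhost` prints when run with no arguments. The following shell function is an added example, not part of the original messages: it audits that output, and the sample outputs are constructed and the severity labels and exit statuses are this example's own convention.

```shell
#!/bin/sh
# Added example: audit `xhost` output (read on stdin) for loose X access control.
# Prints one finding per line.
# Return status: 0 = nothing loose, 1 = warnings only, 2 = open to any host.
audit_xhost() {
    rc=0
    # Raise rc to the given level, never lower it.
    bump() { [ "$rc" -ge "$1" ] || rc=$1; }
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "CRITICAL: access control disabled (xhost +); any host can connect"
                bump 2 ;;
            "access control enabled"*)
                echo "OK: access control enabled" ;;
            LOCAL:*)
                echo "WARN: xhost +local: is set; every local user can connect"
                bump 1 ;;
            SI:localuser:*)
                echo "INFO: local user ${line#SI:localuser:} is allowed" ;;
            INET:*|INET6:*)
                echo "WARN: host entry ${line#*:}; every user on that host can connect"
                bump 1 ;;
            "") ;;
            *)
                echo "INFO: unrecognised entry: $line" ;;
        esac
    done
    return "$rc"
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_HOSTS='access control enabled, only authorized clients can connect
INET:192.168.0.5
LOCAL:'
SAMPLE_TIGHT='access control enabled, only authorized clients can connect'

# Demonstration on the samples. Live use on a running display: xhost | audit_xhost
for sample in "$SAMPLE_OPEN" "$SAMPLE_HOSTS" "$SAMPLE_TIGHT"; do
    printf '%s\n' "$sample" | audit_xhost || echo "  -> status $?"
done
```

A clean result here only means the host list is empty; clients that hold the display's xauth cookie can still connect, which is the intended path.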