On Wednesday 24 April 2002 01:14, you wrote:
> On Tuesday, 23 April 2002 at 12:06:01 +0200, Jochem Kossen wrote:
> > On Tuesday 23 April 2002 11:04, you wrote:
> > [...]
> >
> >>>> I've been noticing a continuing trend for more and more "safe"
> >>>> configurations the default.  I spent half a day recently trying
> >>>> to find why I could no longer open windows on my X display, only
> >>>> to discover that somebody had turned off tcp connections by
> >>>> default.
> >>>
> >>> *shrug* I was the one who sent in the patch. It was added some
> >>> time around 2001/10/26 to the XFree86-4 megaport. When the
> >>> metaport was created, the patch was incorporated too.
> >>>
> >>> A simple 'man startx' should have cleared your mind:
> >>
> >> Well, yes.  But I've been using X for 11 years.  Why should I have
> >> to read the man page to find changes?
> >
> > Because things evolve? :)
>
> Not a good reason.  If they evolve, the evolution should be more
> clearly documented.

Yep, I agree. It was a mistake to not document it further, so let's 
solve that problem.

> >> How do I know which man page to read?
> >
> > You start X with startx, seems obvious to me. The disabling of tcp
> > connections only applies to startx
>
> I don't stay with startx.  Next I go to xinit, then to Xwrapper, then
> to X.  All of these work fine.  When I try to start an xterm, nothing
> happens.  So I read the haystack of man pages for all these programs
> looking for a possible needle?  That's 4314 lines of man pages
> (Xwrapper doesn't have a man page, so Murphy says that it's probably
> in Xwrapper).  Based on prior experience, startx would be the last
> place I would look.  In fact, I suspected a networking problem.

Hmm...yes, you're right about this!

> >> If I did that for everything that happened, I wouldn't get any
> >> work done.  And you can bet your bottom dollar that somebody
> >> coming from another UNIX variant and trying out FreeBSD won't do
> >> so.
> >
> > OK, then I suggest we mention it in the handbook, the security
> > policy document, the manpage AND the release notes :)
>
> You've heard my suggestions.

Yes, and I still like number 1 best (document it clearly)

> >> They'll just say that it's broken and wander off again.
>
> I note you don't comment on this one.

OK, hereby I do:

You're talking about users coming from a different UNIX OS. I think it's 
reasonable for those users to expect differences in a different system. 
Things like this are normal between different operating systems in my 
opinion. That it should be documented far better, I agree (but I 
already said that 1000 times now, I believe)

I think the issue is mostly an annoying thing for users which already 
have been using FreeBSD for a while. Suddenly something changes, and 
stuff doesn't work anymore the way it used to do, just like with you.

> >>> In the case of the X patch, I'd add it to the release notes AND
> >>> the security policy document, since - i think - few people will
> >>> look in the security policy document for such a problem.
> >>
> >> I think it shouldn't happen at all unless people agree to it.
> >
> > 3 people did, 0 people did not...read below
>
> So only 3 people use X?  Get real.  You just haven't heard any
> objections up to now.  I found out about this several weeks ago, but
> I didn't complain because I was expecting replies with the
> perspective you're showing.

So what? You avoided the discussion? Apparently quite a few people agree 
with you. IMHO if people want things to change for the better, people 
need to speak up. Whether they are wrong or right doesn't really matter. 
Discussions are a good way to come to a reasonable conclusion/solution.

> >>> I do have to say you're the first one I see who complains about
> >>> this...
> >>
> >> Maybe the others have given up.
> >
> > LOL
>
> THIS IS NO LAUGHING MATTER.  It's this kind of change which is going
> to stop people from using FreeBSD.

If this kind of thing happens too often (yeah yeah, "once is already too 
often"), then yes, you're right, I guess.

> >> But since we're on the subject, why?  What's so insecure about X
> >> TCP connections?  Until you explicitly allow connections, the only
> >> system that can open the server is the local system.
> >
> > For the simple reason I don't like useless open ports on my system.
> > I don't use it, _most_ other people don't use it, so i sent in a
> > patch.

> Fine, I'm not telling you how to run your system.  I don't want you
> telling me how to run my network.

I didn't, and I don't. I changed a default which seemed wrong to me.

But let's say you don't like something about FreeBSD, and you make a 
change. You like the result. You show it to others, who also like the 
result. What would you do when you think it really is an improvement? 
send it in, or keep it to yourself?

>  I note that you still haven't given a good technical reason for it.

1) Other people in the thread have done so (X11 over ssh should be 
encouraged among other things...)
2) Why would every change have to have a technical reason? I made this 
patch for security reasons.
Security is not only a process of solving problems. It's _mostly_ a 
process of taking precautions and solving problems BEFORE they occur. 
IMHO I took a precaution here, which is a good enough reason to me.

When I sent in the patch, I didn't have a good _technical_ reason, 
unless you consider security precautions itself as a technical reason.

> > Of course, it was only discussed on the ports@ mailinglist, but it
> > didn't seem like such a big deal to me or apparently the others...
>
> That doesn't help end users.  We have a user community out there.

True, thus we need to do something about it. So here are a few concrete 
suggestions, also mentioned by others in the thread:

  - startx is just a normal shell script. It could display a message like 
this whenever you start it without the -listen_tcp option:

*** WARNING ***
startx has been defaulted to disable TCP connections for security 
reasons.
If you require this, use 'startx -listen_tcp'
***************

  - Put a message like that in pkg-message
  - Add an environment variable like "X11TCP" which can be set to YES or 
NO (I don't like the name "X11TCP" for this, anyone got a better 
suggestion?)
  - Document it everywhere reasonable. Someone (I think Robert Watson) 
mentioned "ports release notes" which sounds like a good thing to me 
for things like this. Of course, this would only help for one release, 
since at the next release it won't be in there anymore. Perhaps 
deciding where to document it needs another -small- discussion on doc@

I'd like your response to the suggestions here...IMHO we should do all 
of these. If it's ok with you and others who read this message, I'll open a 
PR on ports@ with a revised patch to startx with the pkg-message, the 
warning when startx starts and startx which looks for the environment 
variable.

If someone else wants to do it, or has better suggestions, please do and 
let me/us know.
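The following is an added illustration of the startx wrapper logic the message proposes; it is not the FreeBSD ports patch and not code from anyone in the thread. It assumes the startx-style option -listen_tcp discussed above, the X11TCP variable name the message floats (and explicitly calls provisional), and the real XFree86/Xorg server flag "-nolisten tcp". The function names and the warning text are hypothetical. The point it demonstrates is the fail-closed default: the server is started without a TCP listener unless the user opts in, and the command line takes precedence over the environment.

```sh
#!/bin/sh
# Hypothetical startx-style argument builder (added example, not the ports patch).
# Decides whether the X server gets "-nolisten tcp" (a real XFree86/Xorg server
# flag) from a startx-style -listen_tcp option and the X11TCP environment
# variable suggested in the message.  The server argument string is printed on
# stdout; the warning goes to stderr so it does not pollute anything that
# captures the argument list.
#
# Usage:  build_server_args [startx args...]      (also reads $X11TCP)

listen_tcp_warning() {
    cat >&2 <<'EOF'
*** WARNING ***
startx has been defaulted to disable TCP connections for security reasons.
If you require this, use 'startx -listen_tcp' or set X11TCP=YES.
***************
EOF
}

build_server_args() {
    listen=no

    # Environment opt-in (name is the provisional one from the message).
    # Anything other than yes/YES keeps the safe default.
    case "${X11TCP:-NO}" in
        [Yy][Ee][Ss]) listen=yes ;;
    esac

    # Command-line options override the environment.  -listen_tcp is the
    # startx option from the discussion; -nolisten_tcp is a hypothetical
    # explicit opt-out so a script can force the safe setting.
    rest=""
    for arg in "$@"; do
        case "$arg" in
            -listen_tcp)   listen=yes ;;
            -nolisten_tcp) listen=no ;;
            *)             rest="$rest $arg" ;;
        esac
    done

    if [ "$listen" = yes ]; then
        # Explicit opt-in: pass the remaining arguments through unchanged.
        printf '%s\n' "${rest# }"
    else
        # Safe default: no TCP listener, and tell the user why.
        listen_tcp_warning
        printf '%s\n' "-nolisten tcp${rest}"
    fi
}
```

After starting X this way, the check a practitioner would run on FreeBSD is `sockstat -l` (or `sockstat -4 -l`) and look for a listener on port 6000 plus the display number: with the default above there should be none, and with `-listen_tcp` or `X11TCP=YES` there should be exactly one.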
