RE: wdm & security
> startx -- -nolisten tcp

Obviously this would do the trick, but see below as to why it is not a good option.

> only as part of the perennially-discussed task-harden. Doesn't even
> affect remote xsessions, as you should be using ssh to tunnel your
> sessions anyway.

There is no way of ssh tunneling remote X sessions when my remote terminal is a dummy Tektronix X terminal. When in a switched internal network (that is, there is a firewall between the switch and the internet), the need to tunnel is minimal - unless my switch and firewall are compromised - if not non-existent.

-- 
| Juha Jäykkä, [EMAIL PROTECTED] |
| home: http://www.utu.fi/~juolja/ |
Re: wdm & security
On Thu, 24 May 2001, Noah L. Meyerhans wrote:
> Interestingly enough, a quick find/grep traversal of the wdm source
> indicates that the only code for setting up network listeners comes
> directly from the xdm sources without modification at all. That implies
> to me that the listener on port 32768 should be as safe as the standard
> xdm listener on port 6000. But I still don't see why it's there.
>
> > this. Should I trash wdm or what? It's a little sad thing to do since
> > it allows me to choose a window manager at login time, something xdm
> > does not do (at least didn't last time I checked).
>
> I would not trash wdm just yet. Let me take a look. If you're
> concerned, you might want to firewall that port using ipchains or
> iptables.

I'm running a locally modified wdm version here. (Mostly removed the choosers on the start as they confuse my DAUs, and use a quite changed wmanager-chooser afterwards.) I also switched off the code in xdm for opening this port in the source. (There might also be a config option for it, but I did not find it.) As I only looked over the code very quickly, it seems only necessary for X sessions on other computers, which is very rarely used nowadays and nowhere in the local environment here. Some config option with a debconf question would be cool to have; when someone makes the week last 20 days I might send a patch, but university uses all my time currently.

Respectfully,
Bernhard R. Link
Re: wdm & security
On Friday 25 May 2001 10:00 am, John Galt wrote:
> On Fri, 25 May 2001, Steve wrote:
> > "Ed" == Ed Street <[EMAIL PROTECTED]> writes:
> > > Hello, If memory serves me correctly there's a line in /etc/X11 that
> > > you can add/modify to tell it to NOT listen.
> >
> > startx -- -nolisten tcp
> >
> > will have the effect. However, there doesn't seem to be a global
> > setting that will enforce it system-wide, short of aliasing startx to
> > that command.

There is at least if you use a display manager: edit /etc/X11/*dm/Xservers and add "-nolisten tcp" to the end of the relevant line if it isn't there already. AFAIK you can do it for all servers in /etc/X11/xinit/xserverrc, but as has been said, it should be there by default.

-- 
Chris Boyle - Winchester College - http://archives.wincoll.ac.uk/
For my PGP key visit: http://archives.wincoll.ac.uk/finger.php?q=chrisb
RE: wdm & security
On Fri, 25 May 2001, Steve wrote:
> "Ed" == Ed Street <[EMAIL PROTECTED]> writes:
> > Hello, If memory serves me correctly there's a line in /etc/X11 that
> > you can add/modify to tell it to NOT listen.
>
> startx -- -nolisten tcp
>
> will have the effect. However, there doesn't seem to be a global
> setting that will enforce it system-wide, short of aliasing startx to
> that command.
>
> When some X11 vulnerabilities were found in this area last year, the
> reporter suggested that desktop installs of X11 systems should enable
> this option as default. This would be nice to see added to debian, if
> only as part of the perennially-discussed task-harden. Doesn't even
> affect remote xsessions, as you should be using ssh to tunnel your
> sessions anyway.

You don't read the debconf warnings much, do you? xserver-* has been warning potential installers that it doesn't listen on TCP for about a year now if memory serves...

> Steve

-- 
You have paid nothing for the preceding, therefore it's worth every penny you've paid for it: if you did pay for it, might I remind you of the immortal words of Phineas Taylor Barnum regarding fools and money?
Who is John Galt? [EMAIL PROTECTED], that's who!
RE: wdm & security
"Ed" == Ed Street <[EMAIL PROTECTED]> writes:
> Hello, If memory serves me correctly there's a line in /etc/X11 that
> you can add/modify to tell it to NOT listen.

startx -- -nolisten tcp

will have the effect. However, there doesn't seem to be a global setting that will enforce it system-wide, short of aliasing startx to that command.

When some X11 vulnerabilities were found in this area last year, the reporter suggested that desktop installs of X11 systems should enable this option as default. This would be nice to see added to debian, if only as part of the perennially-discussed task-harden. Doesn't even affect remote X sessions, as you should be using ssh to tunnel your sessions anyway.

Steve
Re: wdm & security
> I would not trash wdm just yet. Let me take a look. If you're
> concerned, you might want to firewall that port using ipchains or
> iptables.

No problem - I am currently behind an ipchains firewall, but it's about to change and I just wanted to know if something breaks if I ipchain/table the port off the network or if it's secure enough to remain - or even if it (the listener, not the whole of wdm) can be turned off without breaking anything. You take your time looking into it and I'll see what you come up with. Thanks.

-- 
| Juha Jäykkä, [EMAIL PROTECTED] |
| home: http://www.utu.fi/~juolja/ |
RE: wdm & security
Hello,

If memory serves me correctly there's a line in /etc/X11 that you can add/modify to tell it to NOT listen.

Ed

-----Original Message-----
From: Noah L. Meyerhans [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 10:47 AM
To: Debian Security List
Subject: Re: wdm & security

On Thu, May 24, 2001 at 01:53:46PM +0300, Juha Jäykkä wrote:
> I am a little concerned about XFree86+wdm keeping a bunch of
> processes listening on port 32768. (wdm is the windowmaker xdm

Hi. I am the wdm maintainer for Debian. I haven't been maintaining this package for too long, and I'm not sure why it listens on port 32768. I am going to look into it, because it doesn't seem necessary to me. If I find that it is something that can safely be turned off (or if it's a bug) I will fix it for the next upload.

Interestingly enough, a quick find/grep traversal of the wdm source indicates that the only code for setting up network listeners comes directly from the xdm sources without modification at all. That implies to me that the listener on port 32768 should be as safe as the standard xdm listener on port 6000. But I still don't see why it's there.

> this. Should I trash wdm or what? It's a little sad thing to do since
> it allows me to choose a window manager at login time, something xdm
> does not do (at least didn't last time I checked).

I would not trash wdm just yet. Let me take a look. If you're concerned, you might want to firewall that port using ipchains or iptables.

noah

-- 
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: wdm & security
On Thu, May 24, 2001 at 01:53:46PM +0300, Juha Jäykkä wrote:
> I am a little concerned about XFree86+wdm keeping a bunch of
> processes listening on port 32768. (wdm is the windowmaker xdm

Hi. I am the wdm maintainer for Debian. I haven't been maintaining this package for too long, and I'm not sure why it listens on port 32768. I am going to look into it, because it doesn't seem necessary to me. If I find that it is something that can safely be turned off (or if it's a bug) I will fix it for the next upload.

Interestingly enough, a quick find/grep traversal of the wdm source indicates that the only code for setting up network listeners comes directly from the xdm sources without modification at all. That implies to me that the listener on port 32768 should be as safe as the standard xdm listener on port 6000. But I still don't see why it's there.

> this. Should I trash wdm or what? It's a little sad thing to do since
> it allows me to choose a window manager at login time, something xdm
> does not do (at least didn't last time I checked).

I would not trash wdm just yet. Let me take a look. If you're concerned, you might want to firewall that port using ipchains or iptables.

noah

-- 
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
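Two checks that follow from this thread, written here as an added example and not part of any post above: check_xservers confirms that every local server line in an xdm/wdm Xservers file (the edit Chris Boyle describes) carries "-nolisten tcp", and x_listen_ports pulls the X display ports and port 32768 out of an ss/netstat listing, so the listener Noah discusses can be confirmed before it is firewalled. The Xservers paths and the socket listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: Xservers lives at one of
# the paths below, and SAMPLE_SS is a constructed "ss -ltn" listing.

# check_xservers FILE: return 0 if every ":N local ..." server line in an
# xdm/wdm-style Xservers file contains "-nolisten tcp", else print the
# offending lines and return 1. Comments, blank lines and "foreign"
# (remote X terminal) entries are skipped, since only local servers are started.
check_xservers() {
    file="$1"
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line                     # split on spaces or tabs
        case "$1" in :[0-9]*) ;; *) continue ;; esac
        [ "$2" = local ] || continue
        case "$line" in
            *'-nolisten tcp'*) ;;        # hardened
            *) echo "TCP listener enabled: $line"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# x_listen_ports: read "ss -ltn" or "netstat -ltn" output on stdin and print
# listening ports in the X display range (6000-6063) or 32768, the wdm port
# from the thread. Field 4 is "addr:port"; the port is whatever follows the
# last ':' so IPv6 forms like "[::]:6000" and "*:32768" both work.
x_listen_ports() {
    awk '{
        n = split($4, a, ":"); p = a[n] + 0
        if ((p >= 6000 && p <= 6063) || p == 32768) print p
    }'
}

# Constructed sample listing (not a real capture)
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
LISTEN 0      5      *:32768            *:*'

# Stand-alone run: check whichever display-manager files exist on this host,
# then show which X-related ports the sample listing exposes.
for f in /etc/X11/xdm/Xservers /etc/X11/wdm/Xservers; do
    if [ -f "$f" ]; then
        if check_xservers "$f"; then echo "$f: all local servers use -nolisten tcp"; fi
    fi
done
echo "X-related listening ports in sample listing:"
printf '%s\n' "$SAMPLE_SS" | x_listen_ports
```

On a live host, pipe `ss -ltn` (or `netstat -ltn`) into x_listen_ports instead of the sample; an empty result means nothing is bound to the X display ports or 32768.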