On Thu, Apr 25, 2002 at 12:02:59PM +0930, Greg 'groggy' Lehey wrote:
I think it would be better to just put `-nolisten tcp' in
/usr/X11R6/lib/X11/xinit/xserverrc for new installations only. Then
the system administrator could easily override it for all users; and
at least a user can
On Wednesday 24 April 2002 01:14, you wrote:
On Tuesday, 23 April 2002 at 12:06:01 +0200, Jochem Kossen wrote:
On Tuesday 23 April 2002 11:04, you wrote:
[...]
I've been noticing a continuing trend for more and more safe
configurations the default. I spent half a day recently trying
Robert Watson wrote:
On Wed, 24 Apr 2002, Greg 'groggy' Lehey wrote:
A more conservative default configuration results in a material
improvement in system security.
*snip*
By snipping here, you removed reference to the fact that this was a
general discussion of direction and
Robert Watson wrote:
On Tue, 23 Apr 2002, Terry Lambert wrote:
The reality is that reducing exposure is an important part of any security
posture.
This is an argument for security through obscurity.
If we are talking risk reduction, then we can easily achieve it
statistically
Hi,
I hate to jump into this fray, but if this is going to be a public
thread, will
everybody make the reply to the list??? :-) So far I only see Terry's
emails.
Thanks!
Andy
Terry Lambert wrote:
Robert Watson wrote:
On Tue, 23 Apr 2002, Terry Lambert wrote:
The reality is that
Robert Watson wrote:
On Wed, 24 Apr 2002, Greg 'groggy' Lehey wrote:
I think the issue is POLA. Sure, we can put in individual knobs to
twiddle, but who will do that? I thought that securelevel would have
been a suitable solution to say I want approximately *this* much
security. If
On Wed, Apr 24, 2002 at 09:06:55AM +0930, Greg 'groggy' Lehey wrote:
I think the issue here is that individuals make this kind of decision.
We need a broader consensus for this kind of change. As Jochem points
out, only 3 people were involved in the decision, all of them people
with security
Maybe it's time for a new manpage (surprises, changes, etc.?) describing
just the differences from some old defaults, changes in behavior, etc. Probably
this manpage would just give short descriptions of which historical behavior has
changed.
UPDATING file and tuning(7) man page by Matthew Dillon which
On 2002-04-23 21:38, Robert Watson wrote:
I'm more interested in the general issue here, since you made the general
assertion that there was a problem that stretched beyond this one issue.
I'm happy to entertain the idea that we discuss this specific issue in
more detail. In particular, the
On Wednesday, 24 April 2002 at 3:16:43 -0700, Terry Lambert wrote:
The X11 we are talking about here is not the default X11, which is
a set of distfiles, but a ports X11, which is not, but which is
likely to be the basis of future distfiles.
Correct.
So we are really talking about an
On Wednesday, 24 April 2002 at 7:27:55 -0500, Jacques A. Vidrine wrote:
On Wed, Apr 24, 2002 at 09:06:55AM +0930, Greg 'groggy' Lehey wrote:
I think the issue here is that individuals make this kind of decision.
We need a broader consensus for this kind of change. As Jochem points
out, only
On Tuesday 23 April 2002 05:46, Greg 'groggy' Lehey wrote:
On Monday, 22 April 2002 at 19:53:06 -0700, Jordan Hubbard wrote:
That fix relies on the extensive PAM updates in -CURRENT however;
in -STABLE it can probably be similarly replicated via appropriate
tweaking of sshd (?).
Why
On Tuesday, 23 April 2002 at 10:09:51 +0200, Jochem Kossen wrote:
On Tuesday 23 April 2002 05:46, Greg 'groggy' Lehey wrote:
On Monday, 22 April 2002 at 19:53:06 -0700, Jordan Hubbard wrote:
That fix relies on the extensive PAM updates in -CURRENT however;
in -STABLE it can probably be
On Tue, Apr 23, 2002 at 06:34:52PM +0930, Greg 'groggy' Lehey wrote:
Well, yes. But I've been using X for 11 years. Why should I have to
read the man page to find changes? How do I know which man page to
read? If I did that for everything that happened, I wouldn't get any
work done. And
On Tue 2002-04-23 (21:13), Joerg Micheel wrote:
On Tue, Apr 23, 2002 at 06:34:52PM +0930, Greg 'groggy' Lehey wrote:
Well, yes. But I've been using X for 11 years. Why should I have to
read the man page to find changes? How do I know which man page to
read? If I did that for everything
On Tuesday 23 April 2002 11:04, you wrote:
[...]
I've been noticing a continuing trend for more and more safe
configurations the default. I spent half a day recently trying to
find why I could no longer open windows on my X display, only to
discover that somebody had turned off tcp
On Tue, Apr 23, 2002 at 11:38:26AM +0200, Neil Blakey-Milner wrote:
There are people who will tell people that still use X11 tcp sockets to
start living in the 21st century. ssh X11 forwarding still works, it's
only the (often much lower security) tcp sockets that are disabled by
default.
On Tue, 23 Apr 2002 11:38:26 +0200, Neil Blakey-Milner wrote:
On Tue 2002-04-23 (21:13), Joerg Micheel wrote:
[..]
The system has to work right away, when installed out of the box. Period.
No when's and if's. And don't tell me that X11 is an add-on and luxury.
We are
On Tuesday 23 April 2002 11:13, you wrote:
On Tue, Apr 23, 2002 at 06:34:52PM +0930, Greg 'groggy' Lehey wrote:
Well, yes. But I've been using X for 11 years. Why should I have
to read the man page to find changes? How do I know which man page
to read? If I did that for everything that
Greg 'groggy' Lehey wrote:
I've been noticing a continuing trend for more and more safe
configurations the default. I spent half a day recently trying to
find why I could no longer open windows on my X display, only to
discover that somebody had turned off tcp connections by default.
I
Thus spake Greg 'groggy' Lehey:
work done. And you can bet your bottom dollar that somebody coming
from another UNIX variant and trying out FreeBSD won't do so. They'll
just say that it's broken and wander off again.
I agree with this point, in general. FreeBSD shouldn't
Neil Blakey-Milner wrote:
The system has to work right away, when installed out of the box. Period.
No when's and if's. And don't tell me that X11 is an add-on and luxury.
We are living in the 21st century.
There are people who will tell people that still use X11 tcp sockets to
start
Jochem Kossen wrote:
*shrug* I was the one who sent in the patch. It was added some time
around 2001/10/26 to the XFree86-4 megaport. When the metaport was
created, the patch was incorporated too.
A simple 'man startx' should have cleared your mind:
Except for the '-listen_tcp'
Terry Lambert wrote:
Greg 'groggy' Lehey wrote:
I've been noticing a continuing trend for more and more safe
configurations the default. I spent half a day recently trying to
find why I could no longer open windows on my X display, only to
discover that somebody had turned off tcp
On Tue, Apr 23, 2002 at 01:16:46PM +0930, Greg 'groggy' Lehey wrote:
On Monday, 22 April 2002 at 19:53:06 -0700, Jordan Hubbard wrote:
That fix relies on the extensive PAM updates in -CURRENT however; in
-STABLE it can probably be similarly replicated via appropriate tweaking
of sshd (?).
On Tue, 23 Apr 2002, Frank Mayhar wrote:
Robert, it's really, really simple. For new installs, install the new,
more secure behavior. Be sure to loudly document this behavior so that
those of us who expect the _old_ behavior don't get bitten by the
change. And don't change the old
On Tuesday 23 April 2002 16:57, Frank Mayhar wrote:
Jochem Kossen wrote:
It does work. But I think you mean the tcp connections.
Does that mean you vote for enabling _all_ services? They don't
work out of the box as well...
This is ridiculous. You know as well as I do that that's _not_
Robert Watson wrote:
A more conservative default configuration results in a material
improvement in system security.
I really don't think there's any way to fully protect a
security-unconscious user, as if they had spent the time to
learn what was necessary, and chosen the right settings for
On Tue, 23 Apr 2002, Terry Lambert wrote:
Robert Watson wrote:
A more conservative default configuration results in a material
improvement in system security.
I really don't think there's any way to fully protect a
security-unconscious user, as if they had spent the time to learn what
Robert Watson wrote:
System programming is hard, let's go shopping.
This is exactly the phrase that comes to mind every time someone
yanks the plug on a service they are afraid might one day have
an exploit found for it.
Someone who's unaware or unwilling to address security issues will
Jochem Kossen typed:
On Tuesday 23 April 2002 11:04, you wrote:
OK, then I suggest we mention it in the handbook, the security policy
document, the manpage AND the release notes :)
None of those are things that are on the Must read list for people
On Tue, 23 Apr 2002, Terry Lambert wrote:
Robert Watson wrote:
System programming is hard, let's go shopping.
This is exactly the phrase that comes to mind every time someone yanks
the plug on a service they are afraid might one day have an exploit
found for it.
This isn't about
On Tuesday, 23 April 2002 at 12:06:01 +0200, Jochem Kossen wrote:
On Tuesday 23 April 2002 11:04, you wrote:
[...]
I've been noticing a continuing trend for more and more safe
configurations the default. I spent half a day recently trying to
find why I could no longer open windows on my X
On Tue, 23 Apr 2002, Terry Lambert wrote:
The reality is that reducing exposure is an important part of any security
posture.
This is an argument for security through obscurity.
If we are talking risk reduction, then we can easily achieve it
statistically through obscurity. In
On Wed, 24 Apr 2002, Greg 'groggy' Lehey wrote:
A more conservative default configuration results in a material
improvement in system security.
*snip*
By snipping here, you removed reference to the fact that this was a
general discussion of direction and policy, rather than specifically
On Tuesday, 23 April 2002 at 21:38:38 -0400, Robert Watson wrote:
On Wed, 24 Apr 2002, Greg 'groggy' Lehey wrote:
A more conservative default configuration results in a material
improvement in system security.
*snip*
By snipping here, you removed reference to the fact that this was a
On Wed, 24 Apr 2002, Greg 'groggy' Lehey wrote:
I think the issue is POLA. Sure, we can put in individual knobs to
twiddle, but who will do that? I thought that securelevel would have
been a suitable solution to say I want approximately *this* much
security. If that's not the case, then
On Monday, 22 April 2002 at 19:53:06 -0700, Jordan Hubbard wrote:
That fix relies on the extensive PAM updates in -CURRENT however; in
-STABLE it can probably be similarly replicated via appropriate tweaking
of sshd (?).
Why not fix it in stable by the very simple tweaking of the
be able to use it too. I'd suggest that we do the following:
1. Give the user the choice of these additional features at
installation time. Recommend the procedures, but explain that you
need to understand the differences.
2. Document these things very well. Both this ssh
[CC list trimmed]
If memory serves me right, Greg 'groggy' Lehey wrote:
2. Document these things very well. Both this ssh change and the X
without TCP change are confusing. If three core team members were
surprised, it's going to surprise the end user a whole lot more.
The SSH