
Re: Root can't run X programs



* David Krider (david@davidkrider.com) [030429 05:46]:
> Vineet Kumar wrote:
> 
> >Debian's default X config is protecting you from yourself.  There are
> >many, many better ways of redisplaying local apps.
> 
> The problem isn't a lack of understanding of what options are available to me 
> to securely run X apps as root, it's a problem of knowing how Debian is 
> configured to work out of the box. I just wanted to know where the 
> configuration snag was that prevented me from doing what I was trying to do.

In case you haven't found it yet, the answer to "how do I enable my X
server to accept inbound tcp connections?" is "remove the '-nolisten
tcp' from /etc/X11/xinit/xserverrc".  The answer to "how do I display
this X11 app locally as root" is still not "enable your X server to
accept inbound tcp connections", though.

This question happens to be a FAQ, which is "FA" by newbies wondering
how to be able to run local applications as root.  I maintain that the
right answer to that question doesn't go near "make your X server listen
for tcp connections on the network".

> I think you're being a bit over-zealous about the security aspects here. 
> *Most* people are going to be doing these things behind a firewall, as I 
> am. Unless there are some really crazy firewall admins out there who are 
> forwarding connections on port 6000, then you only need fear internal 
> "crackers." And, as I've always said, if you fear the people you share a 
> collision domain with, you've got bigger problems than computer hacking.

Many times the people asking these questions *are* the admins (firewall
and otherwise).  More often, they're asking how to do something they've
never done before, and will learn as a habit, without considering "well,
this is okay to do on my trusted network, but maybe not when I plug my
laptop into someone else's network, or over the Internet, etc."
A more appropriate way is to learn the less-complicated and more-secure
way, and learn that as habit.

I agree that you've got bigger problems if you don't trust the people on
your network.  There are various levels of trust.  Where you draw your
lines is up to you. I guess in your case sending cleartext passwords to
the copper is on this side of the line.  Personally, I think using
ssh/ssl wherever possible is a huge gain at very little cost.  Also, if
your take on security is to just trust the firewall, you're just waiting
for trouble.  Security is like an ogre.  I mean like an onion.
("layers."  See _Shrek_.)  One company I did some work for had a
workstation on the local network cracked, and it was at least 4
months until it was discovered.  Of course, I did change all my
passwords, but my fear of any of my important passwords having been
compromised was very low; not so for anyone who just trusted the
firewall.

I do appreciate that your own assessment for what's appropriate on your
systems on your network is what counts, and if you want to use xhost,
you're free to do so.  You're also free to send root passwords via
telnet and/or rsh and use rhosts authentication.  I just don't
understand why you'd want to.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
http://www.xenu.net		Scientology
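
A check for the setting discussed in this message, as an added example that is not part of the original post: it reports whether an xserverrc still carries '-nolisten tcp' and which X11 display ports show up as TCP listeners. The function names, the sample file contents, the `ss -ltn` column layout and the 6000-6063 port range (6000 plus display number) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit X server TCP exposure.

# xserverrc_tcp_state FILE -> prints nolisten | listen | none
xserverrc_tcp_state() {
    awk '
        { sub(/#.*/, "") }        # drop comments (and the shebang)
        /\\$/ {                   # join backslash-continued lines
            buf = buf substr($0, 1, length($0) - 1) " "; next
        }
        {
            line = buf $0; buf = ""
            # A line that invokes the server binary (X or Xorg).
            if (line ~ "(^|[ \t/])X(org)?([ \t]|$)") {
                found = 1
                if (line !~ "-nolisten[ \t]+tcp") open = 1
            }
        }
        END { print (!found ? "none" : (open ? "listen" : "nolisten")) }
    ' "$1"
}

# x11_tcp_listeners: reads `ss -ltn` output on stdin and prints the local
# addresses bound to X11 display ports (assumed range 6000-6063).
x11_tcp_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n] + 0
        if (port >= 6000 && port <= 6063) print $4
    }'
}

# Constructed sample: the option survives only in a comment, so the
# active server line would accept TCP connections.
sample=$(mktemp)
printf '%s\n' '#!/bin/sh' \
    '# exec /usr/bin/X11/X -nolisten tcp' \
    'exec /usr/bin/X11/X -dpi 100' > "$sample"
echo "xserverrc: $(xserverrc_tcp_state "$sample")"   # -> xserverrc: listen
rm -f "$sample"
```

On a live host, point the first function at /etc/X11/xinit/xserverrc and pipe `ss -ltn` into the second.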
