Greg's security über alles
This is a document that I wrote on 10 April 2002. It was originally a text document. This version is for hysterical raisins.

In the last few months, I've discovered it's becoming increasingly difficult to install a system which works the way I want. Last night I spent a very frustrating half hour trying to find out why I couldn't open any windows on a particular display. Finally I found the reason: without any notice, TCP listening in the X server had been disabled by default. /usr/ports/x11/XFree86-4-libraries/files/patch-startx contains:

+listen_tcp="-nolisten tcp"
   while [ x"$1" != x ]; do
      case "$1" in
+    -listen_tcp)
+        listen_tcp=""
+        ;;
     # '' required to prevent cpp from treating "/*" as a C comment.
     /''*|\./''*)
  if [ "$whoseargs" = "client" ]; then
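Review bot: the variable name reads inverted relative to its content: `listen_tcp="-nolisten tcp"` holds the argument that turns listening off, and the `-listen_tcp)` branch clears it, so someone skimming the script sees a variable called listen_tcp that in fact disables TCP. Naming it after what it holds (e.g. `nolisten_tcp`) or adding a one-line comment above the assignment saying that TCP transport is off unless `-listen_tcp` is given would make the changed default visible at the point it is set; as written nothing in this hunk announces it.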
@@ -164,7 +168,7 @@
 done
 #endif

-xinit $client $clientargs -- $server $display $serverargs
+xinit $client $clientargs -- $server $display $serverargs $listen_tcp
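Review bot: `$listen_tcp` at the end of the xinit line must stay unquoted, because its default value `-nolisten tcp` has to split into two X server arguments; a short comment on that line would stop a later quoting cleanup (`"$listen_tcp"`) from passing the server one bogus argument and failing to start. Since it is appended after `$serverargs`, this line is where the new default is actually enforced, which is worth pointing out next to the option handling above so the two pieces are read together.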

Yes, there's also corresponding info in the man page:

+The
+.RB '-listen_tcp'
+option of startx enables the TCP/IP transport type which is needed for remote X
+displays.  This is disabled by default for security reasons.
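Review bot: `.RB '-listen_tcp'` will not render as intended: `.RB` alternates roman and bold across its arguments, and single quotes are not argument delimiters in man macros, so the option is printed in roman with literal quote characters around it. Use `.B \-listen_tcp` (with `\-` so the hyphen comes out as an ASCII minus), and consider stating that startx now adds `-nolisten tcp` to the server command line by default, so a reader who finds that flag on a running server knows where it came from.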

I think this is missing the point. Anybody who moves to FreeBSD from another operating system will have difficulty with this. It took me 30 minutes to find; I suspect most people would just give up. After all, there's a perfectly good (well, usable) way to do this, with xinit, which is also more granular. By adding this kind of feature we're just making the system less usable.

This isn't the only thing I can't get to work. rsh stopped working a long time ago. I can't replace it with ssh, because some systems on my network are either too gutless to run ssh, or it's just not there on that platform (think AIX). This is not a security issue, since the network contains only trusted systems and is firewalled from the Internet.



$Id: security-ueber-alles.php,v 1.1 2018/04/15 02:34:51 grog Exp $