[vox-tech] xhost+: Why you should NEVER DO THAT
Jeff Newmiller
jdnewmil at dcn.davis.ca.us
Fri Mar 18 08:22:02 PST 2005
On Fri, 18 Mar 2005, Peter Jay Salzman wrote:
> On Fri 18 Mar 05, 2:18 AM, Karsten M. Self <kmself at ix.netcom.com> said:
> > Mark Kim apparently insists on dispersing bad advice regarding use of
> > xhost + to allow remote X11 access.
[detailed argument against this elided]
> If my firewall blocks tcp/udp ports 6000-6007, can you tell me how my x11
> events can be captured by someone other than my lovely wife and cat?
My $0.02:
a) Good security practices should be a matter of habit... you never know
when your outer defenses have been compromised. I know, this is like
backing up regularly... most of us don't, but that doesn't change the
value of the advice.
b) Ssh is recommended over telnet, too... but this "recommendation" is
just shorthand... really, sshd is recommended over telnetd... telnet is
still useful for troubleshooting other protocols, but for actually logging
into another machine ssh is better in every way, so why risk telnetd? [1]
The xhost argument is similar... why get into the habit of leaving your X
server open to abuse when better alternatives exist?
c) For running programs like ethereal that need both superuser and X, I
use sudo locally, since I don't have to use the superuser password.
---
[1] Last time I ran telnetd was on an embedded system that was too short
on RAM to run sshd... but obviously this device had to remain inside a
firewall, so its utility was limited, and such situations should be
eradicated wherever possible. I am dismayed that commodity routers
keep coming with telnetd as an option, since this is a hole in layered
security.
---------------------------------------------------------------------------
Jeff Newmiller
DCN:<jdnewmil at dcn.davis.ca.us>
Research Engineer (Solar/Batteries/Software/Embedded Controllers)
---------------------------------------------------------------------------
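As an added example, not part of the thread above: a small audit script that reports whether the local X server has been left open with `xhost +` and which host-wide grants are in its access list. It assumes `xhost` is on PATH and DISPLAY is set when run against a live display; the parser is kept separate so it can be checked on captured output, and the sample output strings below are constructed to match the format xhost prints.

```python
"""Audit the X server's host-based access list (added example, not from the thread)."""
import os
import shutil
import subprocess
from typing import Optional


def parse_xhost(output: str) -> dict:
    """Classify the output of a bare `xhost` invocation.

    xhost prints one status sentence followed by one access-list entry per
    line (e.g. SI:localuser:jeff, INET:host.example, LOCAL:).
    Returns {'open': bool, 'entries': [...], 'risky': [...]}: 'open' is True
    when access control is disabled (the effect of `xhost +`); 'risky' lists
    entries that admit whole hosts rather than a single local user.
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty xhost output")
    status = lines[0].lower()
    if status.startswith("access control disabled"):
        is_open = True
    elif status.startswith("access control enabled"):
        is_open = False
    else:
        raise ValueError(f"unrecognised xhost status line: {lines[0]}")
    entries = lines[1:]
    # SI:localuser:<name> grants one local account; anything else (INET, INET6,
    # LOCAL, ...) grants every process on a host or socket family.
    risky = [e for e in entries if not e.upper().startswith("SI:LOCALUSER:")]
    return {"open": is_open, "entries": entries, "risky": risky}


def audit_display() -> Optional[dict]:
    """Run xhost against $DISPLAY and return the verdict, or None without an X display."""
    if not os.environ.get("DISPLAY") or shutil.which("xhost") is None:
        return None
    proc = subprocess.run(["xhost"], capture_output=True, text=True, check=True)
    return parse_xhost(proc.stdout)


if __name__ == "__main__":
    verdict = audit_display()
    if verdict is None:
        print("no X display or xhost binary available; nothing to audit")
    elif verdict["open"]:
        print("WARNING: access control disabled (xhost +); re-enable with `xhost -`")
    elif verdict["risky"]:
        print("host-wide grants present:", ", ".join(verdict["risky"]))
    else:
        print("access control enabled; per-user grants only:", verdict["entries"])
```

A firewall rule on TCP ports 6000-6007 only covers remote connections; the X server's local Unix-domain socket is unaffected, so the check is worth running even behind one.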