l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
April 21: Google Glass
Next Installfest:
TBD
Latest News:
Mar. 18: Google Glass at LUGOD's April meeting
Page last updated:
2005 Mar 18 08:42

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] xhost+: Why you should NEVER DO THAT
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] xhost+: Why you should NEVER DO THAT



On Fri, 18 Mar 2005, Peter Jay Salzman wrote:

> On Fri 18 Mar 05,  2:18 AM, Karsten M. Self <kmself@ix.netcom.com> said:
> > Mark Kim apparently insists on dispersing bad advice regarding use of
> > xhost + to allow remote X11 access.

[detailed argument against this elided]

> If my firewall blocks tcp/udp ports 6000-6007, can you tell me how my x11
> events can be captured by someone other than my lovely wife and cat?

My $0.02:

a) Good security practices should be a matter of habit... you never know
when your outer defenses have been compromised.  I know, this is like
backing up regularly... most of us don't, but that doesn't change the
value of the advice.

b) Ssh is recommended over telnet, too... but this "recommendation" is
just shorthand... really, sshd is recommended over telnetd... telnet is
still useful for troubleshooting other protocols, but for actually logging
into another machine ssh is better in every way, so why risk telnetd? [1]
The xhost argument is similar... why get into the habit of leaving your X
server open to abuse when better alternatives exist?

c) For running programs like ethereal that need both superuser and X, I
use sudo locally, since I don't have to use the superuser password.

---

[1] Last time I ran telnetd was on an embedded system that was too short
on RAM to run sshd... but obviously this device had to remain inside a
firewall, so its utility was limited, and such situations should be
eradicated wherever possible.  I am dismayed that commodity routers
keep coming with telnetd as an option, since this is a hole in layered
security.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...1k
---------------------------------------------------------------------------

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.