Re: [vox-tech] xhost+: Why you should NEVER DO THAT
I really wanted to get off of this topic but I will defend myself. Did
anyone read my original post?:
[snip]
> $xhost +
>
> *but* this will work only if your local computer is connected directly to
> the Internet.
>
> The better way is to use ssh with the -X option to connect to the remote
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> computer in the first place. Not only does ssh set up the X forwarding for
> you automatically (no need to do "export blah blah" or "xhost blah blah"
> or be concerned about not being connected directly to the Internet), but
> your connection will be secure.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[snip]
The reason I mentioned xhost is because that's the direction John was
headed in his original attempted solution. Then I mentioned ssh because
it is what he *should* use. Perhaps I should have emphasized security
more, but I resent the notion that I gave bad advice.
Since we discussed this topic to death I'd like to ask that this thread be
stopped at this point.
-Mark
On Mon, 21 Mar 2005, Dmitriy wrote:
> On Friday 18 March 2005 02:18, Karsten M. Self wrote:
> > Mark Kim apparently insists on dispersing bad advice regarding use of
> > xhost + to allow remote X11 access.
> >
>
> I agree that it's bad advice.
>
> When user needs that advice, he likely doesn't know intricacies of X enough to
> know which situations are acceptable to use "xhost +" in, and which ones
> are not.
>
> User will probably end up thinking "x access problems? == xhost +!".
>
> And this applies to other technical answers too. While it might be easier to
> say "oh just do it in the insecure way, you are safe in your circumstances",
> user will likely remember solution, and possibly offer it as advice to
> someone else without full understanding of security implications.
>
> Or perhaps someone else searching archives and thinking his problem might be
> similar. He tries "xhost +", and voila, it worked. Except he was sitting in a
> university lab with open xports. Boo.
>
> Again, both of these scenarios are very undesirable. So please avoid advice
> that can very easily be harmful to people. Remember that there are archives
> that show up on Google, and different people are likely to have slightly
> different circumstances, and not everyone is fully aware of security
> implications. (And even if next email explains alternatives and implications,
> user who has a problem is not going to bother reading it all, 95% of the
> time. Trust me)
>
> --
> Dmitriy - LUGOD VP
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
>
--
Mark K. Kim
AIM: markus kimius
Homepage: http://www.cbreak.org/
Xanga: http://www.xanga.com/vindaci
Friendster: http://www.friendster.com/user.php?uid=13046
PGP key fingerprint: 7324 BACA 53AD E504 A76E 5167 6822 94F0 F298 5DCE
PGP key available on the homepage
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
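
Added example, not part of the original message or thread: a small shell check that classifies what `xhost` (run with no arguments) reports, so a machine left in the `xhost +` state discussed above can be spotted. The function name `classify_xhost`, the sample host `labhost.example.org` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# classify_xhost reads the output of `xhost` on stdin and prints one verdict:
#   open       - access control disabled (the state `xhost +` leaves behind)
#   host-list  - access control on, but whole network hosts are allowed
#   restricted - access control on, no network-host entries
#   unknown    - input did not look like xhost output
classify_xhost() {
    awk '
        /^access control disabled/ { state = "open" }
        /^access control enabled/  { if (state == "") state = "enabled" }
        /^(INET|INET6):/           { hosts++ }   # any user on that host may connect
        END {
            if (state == "open")                       print "open"
            else if (state == "enabled" && hosts > 0)  print "host-list"
            else if (state == "enabled")               print "restricted"
            else                                       print "unknown"
        }'
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_OPEN='access control disabled, clients can connect from any host
SI:localuser:mark'
SAMPLE_HOSTS='access control enabled, only authorized clients can connect
INET:labhost.example.org
SI:localuser:mark'
SAMPLE_OK='access control enabled, only authorized clients can connect
SI:localuser:mark'

for sample in "$SAMPLE_OPEN" "$SAMPLE_HOSTS" "$SAMPLE_OK"; do
    printf '%s\n' "$sample" | classify_xhost
done

# Live check, only when an X display and the xhost binary are present.
if [ -n "${DISPLAY:-}" ] && command -v xhost >/dev/null 2>&1; then
    verdict=$(xhost 2>/dev/null | classify_xhost)
    echo "DISPLAY=$DISPLAY verdict=$verdict"
    # `xhost -` turns access control back on if the verdict is "open".
    # With `ssh -X`, DISPLAY is set by sshd (typically localhost:10.0) and
    # no xhost change is needed on the local X server.
fi
```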