[Gllug] Re: Secure Internet Access Linux Box

Mark Preston mark at markpreston.co.uk
Fri Jun 21 20:55:24 UTC 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Kim,
Thanks for the reply Kim, and for putting my contribution about X windows in 
perspective. It also makes my previous alcohol powered discussion clearer to 
me now than it was at the time. I agree that 3 pints of real ale is not the
answer to fixing X windows security issues, but as a short term palliative to a
sore head following a GLLUG meeting it's one of the best remedies I know. 
Casual observation leads me to believe I'm not the only one who uses this 
regimen!
Cheers,
 Mark Preston
www.markpreston.co.uk

Kim Hawtin wrote on 
Fri, 21 Jun 2002 08:09:25 +0100:-
the issues with X windows that you are referring to are about
Authentication and Authorisation. not "security" over the wire as
such. and no "tunneling" it over ssh is not the answer.

> I was with Frank Sutton
> and Anthony Shaper in the Green Man pub at the time. The topic was making
> my head hurt,

talking to MBM at the best of times makes my head hurt too...

> but after the third pint of beer I felt a bit better. To be really
> secure would it not be better to run everything through a "hardware"
> firewall such as IPCop or Smoothwall?

this is not the answer to fixing X windows.

> Notwithstanding what I have just written above, I would think that running
> say Mandrake 8.2 secure which doesn't allow root to run X would be pretty
> secure for most purposes, and it also allows normal users to run X. Even
> running any type of Linux is likely to be less susceptible to viruses than
> an IE/Windows set-up I would think.

if you have ports open to the world that you use for authentication
and authorisation then you are open to more attacks than just DoS.

the X windows "problem" is about how the overall model works, it
treats other machines on the network as trusted.

remember this was designed at about the same time as rsh and rlogin
were ... and now we have replaced these two with ssh.

the chunks of X windows that are vulnerable are using the same kind
of thinking that rsh does, and would take some serious effort to
bring it up to the same level as ssh...

kim
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9E5LEfivV/DViI8cRAjrMAKCuZIbyTTCn3e4UOP2X3UAnDn4uaQCeKeUw
mR03Qfi3TlhvjEB4XUQGDHw=
=aWlf
-----END PGP SIGNATURE-----


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug



