
Rate of bugs and rate of security holes are mostly uncorrelated

Rate of bugs and rate of security holes are mostly uncorrelated

Posted Mar 6, 2006 19:49 UTC (Mon) by Ross (subscriber, #4065)
In reply to: Rate of bugs and rate of security holes are mostly uncorrelated by nix
Parent article: Coverity releases first defect survey results

I haven't seen a distribution yet which doesn't run the X server as root and have it listening on TCP port 6000 + display number. Now it is certainly possible to disable the TCP X transport (using the -notcp option when starting the server), but I don't think it is "normal".

I think the difference may be that X is much bigger than the server. The bug may simply have been in other places than the part exposed to the network. Also, the X server normally uses an authentication mechanism like MIT Magic Cookies which will limit the exposure of bugs to a very small portion of the code if the shared secret is not known to the attacker. (Assuming the cookies aren't weak and that the server throttles brute force attacks.)
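As an added example that is not part of this thread, here is a small auditor for the MIT-MAGIC-COOKIE-1 entries in an ~/.Xauthority file, which is where the shared secret Ross mentions is stored; the record layout follows libXau's file format, while the 16-byte minimum and the sample records are assumptions constructed for the demonstration.

```python
import struct

FAMILY_NAMES = {0: "Internet", 6: "Internet6", 256: "Local", 0xFFFF: "Wild"}
MIN_COOKIE_BYTES = 16  # assumption: flag anything under the 128-bit xauth/mcookie default

def _u16(data, off):
    """Read one big-endian u16 at off, raising on a truncated file."""
    if off + 2 > len(data):
        raise ValueError("truncated record at offset %d" % off)
    return struct.unpack_from(">H", data, off)[0], off + 2

def parse_xauthority(data):
    """Parse libXau's file format: a family (u16 BE) followed by four
    u16-BE length-prefixed fields: address, display number, name, data."""
    entries, off = [], 0
    while off < len(data):
        family, off = _u16(data, off)
        fields = []
        for _ in range(4):
            n, off = _u16(data, off)
            if off + n > len(data):
                raise ValueError("truncated field at offset %d" % off)
            fields.append(bytes(data[off:off + n]))
            off += n
        entries.append({"family": family, "address": fields[0],
                        "number": fields[1].decode("ascii", "replace"),
                        "name": fields[2].decode("ascii", "replace"),
                        "cookie": fields[3]})
    return entries

def audit(entries):
    """Return (display, finding) pairs for entries an auditor would flag."""
    findings = []
    for e in entries:
        fam = FAMILY_NAMES.get(e["family"], str(e["family"]))
        disp = "%s/%s:%s" % (fam, e["address"].hex(), e["number"])
        if e["name"] != "MIT-MAGIC-COOKIE-1":
            findings.append((disp, "unexpected auth protocol " + e["name"]))
        elif len(e["cookie"]) < MIN_COOKIE_BYTES:
            findings.append((disp, "short cookie (%d bytes)" % len(e["cookie"])))
    return findings

def make_record(family, address, number, name, cookie):
    # Encode one record in the same format; used only to build the sample.
    out = struct.pack(">H", family)
    for f in (address, number, name, cookie):
        out += struct.pack(">H", len(f)) + f
    return out
# Constructed sample: a sound local entry plus a TCP entry with a 4-byte cookie.
SAMPLE = (make_record(256, b"host", b"0", b"MIT-MAGIC-COOKIE-1", bytes(16))
          + make_record(0, bytes([10, 0, 0, 5]), b"1", b"MIT-MAGIC-COOKIE-1", b"\x01\x02\x03\x04"))
```

Entries for the Internet families only matter when the server actually listens on TCP, so on a `-nolisten tcp` server the short-cookie finding is a hygiene issue rather than a remote exposure.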



Rate of bugs and rate of security holes are mostly uncorrelated

Posted Mar 6, 2006 20:17 UTC (Mon) by nijhof (subscriber, #4034) [Link]

> Now it is certainly possible to disable the TCP X transport (using the -notcp option when starting the server), but I don't think it is "normal".

It is certainly "normal" for Debian -- you have to take out the --nolisten tcp manually if you want it to listen to tcp traffic

Rate of bugs and rate of security holes are mostly uncorrelated

Posted Mar 6, 2006 21:49 UTC (Mon) by Ross (subscriber, #4065) [Link]

That's strange because I remember doing that specifically on my Debian system. But obviously my memory is not infallible; I didn't even remember the option correctly. It is in the form you posted, though I just checked the man page and it is only prefixed with one hyphen.

Rate of bugs and rate of security holes are mostly uncorrelated

Posted Mar 7, 2006 5:24 UTC (Tue) by mattdm (subscriber, #18) [Link]

> I haven't seen a distribution yet which doesn't run the X server as root and have it listening on TCP port 6000 + display number.

Check out Fedora Core, then. Still runs as root (although possibly limited by SELinux), but doesn't listen on TCP by default.

> Now it is certainly possible to disable the TCP X transport (using the -notcp option when starting the server), but I don't think it is "normal".

-nolisten tcp with X.org. Actually, I think this *is* the default in the upstream Gnome GDM, so....

Rate of bugs and rate of security holes are mostly uncorrelated

Posted Mar 7, 2006 13:51 UTC (Tue) by daniels (subscriber, #16193) [Link]

> I haven't seen a distribution yet which doesn't run the X server as root and have it listening on TCP port 6000 + display number.

I can't think of one off the top of my head that does listen for TCP connections by default.

Rate of bugs and rate of security holes are mostly uncorrelated

Posted Mar 7, 2006 15:22 UTC (Tue) by grouch (subscriber, #27289) [Link]

Do you mean '-nolisten tcp'?

From my default /etc/X11/xinit/xserverrc file on Debian:

exec /usr/bin/X11/X -dpi 100 -nolisten tcp

Rate of bugs and rate of security holes are mostly uncorrelated

Posted Mar 7, 2006 18:33 UTC (Tue) by oak (guest, #2786) [Link]

SUSE X servers don't listen on TCP sockets by default either.

(I don't think this has been the case always; I'd guess it to have changed within the last couple of years.)

Rate of bugs and rate of security holes are mostly uncorrelated

Posted Mar 8, 2006 5:52 UTC (Wed) by djm (subscriber, #11651) [Link]

OpenBSD isn't a "distribution", but it has a privilege-separated Xorg, so the vast majority no longer runs as root. Disabling the TCP listener isn't so much of a win, as it breaks ssh forwarding of X sessions, and because X11's authentication is pretty good (barring chumps who run "xhost +").

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds