On 16.07.2008 at 04:55, John Chandler wrote:

On Jul 16, 2008, at 1:06 AM, Klaus D. Witzel wrote:
Hi John,

on Wed, 16 Jul 2008 00:48:42 +0200, you wrote:

I installed the RFB (vnc viewer/server) package on my Debian server,
to which I don't have console access.  There appears to be a problem
with it, because the connection is refused.

[...]

Did you configure RFBServer to allow remote connections?

Before you saved the snapshot, did you close all connections (also from RFBServer's connections submenu)?

Yes. The problem was more basic: root privileges are required.  D-OH!

I should have known this, but while I avoid running as root as a very
ingrained policy, this makes it impossible to open a socket to the outside
world.

I looked around for a discussion of security issues with Seaside, and didn't
come up with much.

I am certain there are discussions of this. You should ask on the Seaside list, too.

I don't think anyone serious runs their Seaside installation as root. Most common is to proxy via Apache, but you can also use firewall settings to make your Seaside port appear as port 80 to the outside world, even though it actually is running on a non-privileged port.

Are there ways of limiting the damage a malicious
person could get a root-enabled Squeak to do?  I know it's a bit more
obscure than Apache, but still.

Thanks for answering.

Again, I'm not saying running as root is a good idea, but you can enable the VM-level file sand-boxing:

        SecurityManager default disableFileAccess

which will restrict all file access to

        SecurityManager default untrustedUserDirectory

Of course this only makes sense if you do not include the FFI plugin which can call any C function in any library directly. And besides, do not run as root.

- Bert -
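
The firewall option mentioned in the reply above, as an added example that is not part of the original thread: the image stays on an unprivileged port and root is needed only once, to install the redirect. It assumes Linux with iptables and a Seaside listener on port 8080; the port number and the function names are illustrative, not from the thread.

```shell
#!/bin/sh
# Added example: expose Seaside on port 80 without running Squeak as root.
# Assumptions (not from the thread): Linux with iptables, Seaside on 8080.

PUBLIC_PORT=80
SEASIDE_PORT=8080   # assumed unprivileged port the image listens on

# Succeeds when binding the port traditionally requires root (1..1023).
is_privileged_port() {
    [ "$1" -ge 1 ] && [ "$1" -lt 1024 ]
}

# Print the iptables arguments that make internal port $2 answer on $1.
# PREROUTING only covers traffic arriving from other hosts; connections
# made on the server itself still have to use the internal port. The
# internal port also stays directly reachable unless it is filtered.
redirect_rule() {
    printf '%s\n' "-t nat -A PREROUTING -p tcp --dport $1 -j REDIRECT --to-ports $2"
}

# Reject plans that would still force the image to run as root.
# usage: check_plan PUBLIC_PORT INTERNAL_PORT UID_OF_SQUEAK_PROCESS
check_plan() {
    if is_privileged_port "$2"; then
        echo "internal port $2 is privileged; choose one >= 1024" >&2
        return 1
    fi
    if [ "$3" -eq 0 ]; then
        echo "refusing: the image would run as root (uid 0)" >&2
        return 2
    fi
    return 0
}

# Install the rule only when explicitly asked (run this step as root).
# The Squeak process itself is then started under an ordinary account.
if [ "${1:-}" = "--apply" ]; then
    # Word splitting of the rule string is intentional here.
    iptables $(redirect_rule "$PUBLIC_PORT" "$SEASIDE_PORT")
fi
```
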


_______________________________________________
Beginners mailing list
Beginners@lists.squeakfoundation.org
http://lists.squeakfoundation.org/mailman/listinfo/beginners
