X11 requirements for building ports.
Recently I discovered that in order to build a port (specifically the syslog-ng port) that my OpenBSD would need to have X11 installed. Other than for this requirement I had no desire for X11 on my build of OpenBSD.

When building/installing an OpenBSD system one is given the options of including several X11 components.

My first question is, if one is installing X11 purely to facilitate the building of ports. What are the minimum X11 components one is required to install?

The second question I would like to ask is how far off would a full blown X11 system be from this minimum?

Finally, security wise, to what extent does the installing X11 weaken security or make the system more vulnerable to attack?

Thanking you in anticipation.

Regards
Richard
Re: X11 requirements for building ports.
On Sun, Apr 08, 2012 at 10:51:43PM +0100, Richard Brooks wrote:

> Recently I discovered that in order to build a port (specifically the syslog-ng port) that my OpenBSD would need to have X11 installed. Other than for this requirement I had no desire for X11 on my build of OpenBSD.
>
> When building/installing an OpenBSD system one is given the options of including several X11 components.
>
> My first question is, if one is installing X11 purely to facilitate the building of ports. What are the minimum X11 components one is required to install?
>
> The second question I would like to ask is how far off would a full blown X11 system be from this minimum?
>
> Finally, security wise, to what extent does the installing X11 weaken security or make the system more vulnerable to attack?
>
> Thanking you in anticipation.
>
> Regards
> Richard

Needing X components is common for ports building. I am not sure if X is needed for running syslog-ng, but unless you are customizing or updating syslog-ng, why would you want to build it? It is readily available for both -current and earlier versions as a pre-built package.

Chris Bennett
Re: X11 requirements for building ports.
On Sun, Apr 08, 2012, Richard Brooks wrote:

> Recently I discovered that in order to build a port (specifically the syslog-ng port) that my OpenBSD would need to have X11 installed. Other than for this requirement I had no desire for X11 on my build of OpenBSD.

Did you try the package? A quick glance at the requirements doesn't look like it requires X.

> My first question is, if one is installing X11 purely to facilitate the building of ports. What are the minimum X11 components one is required to install?

The canonical answer is http://www.openbsd.org/faq/faq4.html#FilesNeeded.

> Finally, security wise, to what extent does the installing X11 weaken security or make the system more vulnerable to attack?

That's also addressed in the above, but I can give you specifics. xbase contains two sgid programs, xterm and xlock. xserv contains the only suid root program, Xorg. If you're super concerned, you can strip the s bits.
Re: X11 requirements for building ports.
On 2012/04/08 22:51, Richard Brooks wrote:

> Recently I discovered that in order to build a port (specifically the syslog-ng port) that my OpenBSD would need to have X11 installed. Other than for this requirement I had no desire for X11 on my build of OpenBSD.
>
> When building/installing an OpenBSD system one is given the options of including several X11 components.
>
> My first question is, if one is installing X11 purely to facilitate the building of ports. What are the minimum X11 components one is required to install?

Typically you won't need more than xbase (libs and most binaries) and xshare (headers etc) to build ports.

> The second question I would like to ask is how far off would a full blown X11 system be from this minimum?

size-wise? ~65MB of gzipped files (fonts, servers, config files).

> Finally, security wise, to what extent does the installing X11 weaken security or make the system more vulnerable to attack?

Xorg binary installed setuid root, note that this is a privilege-separated process on OpenBSD and most of the code runs as an unprivileged user. Also see xf86(4) about the aperture driver if you're actually going to be running X.

Xlock binary installed setgid auth.

xterm binary installed setgid utmp.

You could always mount /usr/X11R6 nosuid if you aren't going to actually run X11.

Some ports which require X to build don't actually need it to run, so depending on what you're after, installing packages might avoid the need to install X. However a lot of non-GUI software does depend on things that are provided with X (notably, fontconfig).

> Thanking you in anticipation.
>
> Regards
> Richard
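The replies above name the set-id binaries shipped in xbase and xserv and suggest mounting /usr/X11R6 nosuid on a build-only host. The following is an added example, not code from any poster in the thread, that lists the set-id files under that tree and checks whether its filesystem is mounted nosuid. The names `list_setid`, `mount_is_nosuid` and `X11_ROOT` are hypothetical, and the script assumes `mount` prints lines of the form `device on /mountpoint type fs (options)`.

```shell
#!/bin/sh
# Added example: audit set-id files under the X11 tree and check for nosuid.
# X11_ROOT defaults to the path named in the thread; override it to test.
X11_ROOT=${X11_ROOT:-/usr/X11R6}

# list_setid DIR: print mode, owner, group and path of every regular file
# under DIR that carries the setuid (4000) or setgid (2000) bit.
# Paths containing spaces are truncated to their last word by the awk step.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null | awk '{ print $1, $3, $4, $NF }'
}

# mount_is_nosuid PATH: read `mount` output on stdin, pick the longest mount
# point that is a prefix of PATH, and succeed only if that mount's option
# list contains nosuid.
mount_is_nosuid() {
    awk -v p="$1" '
        $2 == "on" {
            mp = $3
            pre = (mp == "/") ? "/" : mp "/"
            if (index(p "/", pre) == 1 && length(mp) > best) {
                best = length(mp)
                opts = $0
                sub(/^[^(]*\(/, "", opts); sub(/\).*$/, "", opts)
                gsub(/ /, "", opts)
                hit = (index("," opts ",", ",nosuid,") > 0)
            }
        }
        END { exit (hit ? 0 : 1) }'
}

# Report only when the tree exists, i.e. the X sets are installed.
if [ -d "$X11_ROOT" ]; then
    list_setid "$X11_ROOT"
    if mount | mount_is_nosuid "$X11_ROOT"; then
        echo "$X11_ROOT: mounted nosuid, set-id bits are ignored at exec"
    else
        echo "$X11_ROOT: set-id bits are honoured on this mount"
    fi
fi
```
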
Re: X11 requirements for building ports.
On 08/04/12 6:25 PM, Stuart Henderson wrote:

> However a lot of non-GUI software does depend on things that are provided with X (notably, fontconfig).

as well as freetype.
Re: X11 requirements for building ports.
> Recently I discovered that in order to build a port (specifically the syslog-ng port) that my OpenBSD would need to have X11 installed. Other than for this requirement I had no desire for X11 on my build of OpenBSD.

Installing X is the default at install time. If you choose not to follow the defaults, you are on your own.

Using cash and credit cards in our modern societies. If you choose not to follow these norms, you are on your own.

Leaving people you don't like alive is the norm in our societies. Vary from this, and you are on your own.

> When building/installing an OpenBSD system one is given the options of including several X11 components.

Wrong. When installing OpenBSD you are given a default that installs X. If you choose to not install X, you are the one that has deviated from the default. You want to be special and make a decision? 95% or more of OpenBSD people do not choose to be different. Do you understand why you are in a different space than 95% of other people? Never seen your email address before. You understand we cannot satisfy everyone, especially those we've never heard of before they complain about I made too many custom choices, now I am in trouble.

> My first question is, if one is installing X11 purely to facilitate the building of ports. What are the minimum X11 components one is required to install?

The default is to keep people. Once in a while people choose to be different, and suffer the consequences. If you want to live in an X free world, go back to 1980.

> The second question I would like to ask is how far off would a full blown X11 system be from this minimum?

Cutting X into parts. How much of you is required to post to email? Probably most.

> Finally, security wise, to what extent does the installing X11 weaken security or make the system more vulnerable to attack?

Who knows. We try our best to make it the best. Do you try your best to help us? I doubt it. So we try the best we can without people like you helping us.

That answer your question?
Re: X11 requirements for building ports.
> That's also addressed in the above, but I can give you specifics. xbase contains two sgid programs, xterm and xlock. xserv contains the only suid root program, Xorg. If you're super concerned, you can strip the s bits.

Never strip the s bits from a piece of code. A lot of s bit software contains assumptions that it has the s bit. It was never tested another way. You might not get a hole, but you will get ridiculously bad behaviour. Maybe it will spin. Maybe it will find some way of crashing your machine.

If you decide you should use chmod, another command called rm is not far away.

Of course, if you don't run OpenBSD in the default configuration, no one will help you. If you want to help yourself, help us find people who will help make it better so that you don't need to make such choices. Or, run something else.

Sounds nasty? World is nasty. Sorry.