On Thu, Apr 25, 2002 at 12:02:59PM +0930, Greg 'groggy' Lehey wrote:
> > I think it would be better to just put `-nolisten tcp' in
> > /usr/X11R6/lib/X11/xinit/xserverrc for new installations only. Then
> > the system administrator could easily override it for all users; and
> > at least a user c
On Wednesday, 24 April 2002 at 7:27:55 -0500, Jacques A. Vidrine wrote:
> On Wed, Apr 24, 2002 at 09:06:55AM +0930, Greg 'groggy' Lehey wrote:
>> I think the issue here is that individuals make this kind of decision.
>> We need a broader consensus for this kind of change. As Jochem points
>> out
On Wednesday, 24 April 2002 at 3:16:43 -0700, Terry Lambert wrote:
>
> The X11 we are talking about here is not "the default X11", which is
> a set of distfiles, but a "ports" X11, which is not, but which is
> likely to be the basis of future distfiles.
Correct.
> So we are really talking about
On 2002-04-23 21:38, Robert Watson wrote:
> I'm more interested in the general issue here, since you made the general
> assertion that there was a problem that stretched beyond this one issue.
> I'm happy to entertain the idea that we discuss this specific issue in
> more detail. In particular, t
Maybe it's time for a new manpage (surprises, changes, etc.?) describing
just differences from some old defaults, changes in behavior etc. Probably
this manpage just gives short descriptions of what historical behavior is
changed.
UPDATING file and tuning(7) man page by Matthew Dillon which serv
On Wed, Apr 24, 2002 at 09:06:55AM +0930, Greg 'groggy' Lehey wrote:
> I think the issue here is that individuals make this kind of decision.
> We need a broader consensus for this kind of change. As Jochem points
> out, only 3 people were involved in the decision, all of them people
> with secur
Robert Watson wrote:
> On Wed, 24 Apr 2002, Greg 'groggy' Lehey wrote:
> > I think the issue is POLA. Sure, we can put in individual knobs to
> > twiddle, but who will do that? I thought that securelevel would have
> > been a suitable solution to say "I want approximately *this* much
> > securit
Hi,
I hate to jump into this fray, but if this is going to be a public
thread, will everybody make the reply to the list??? :-) So far I only
see Terry's emails.
Thanks!
Andy
Terry Lambert wrote:
>Robert Watson wrote:
>
>>On Tue, 23 Apr 2002, Terry Lambert wrote:
>>
The reality is t
Robert Watson wrote:
> On Tue, 23 Apr 2002, Terry Lambert wrote:
> > > The reality is that reducing exposure is an important part of any security
> > > posture.
> >
> > This is an argument for security through obscurity.
> >
> > If we are talking risk reduction, then we can easily achieve it
> > s
Robert Watson wrote:
> On Wed, 24 Apr 2002, Greg 'groggy' Lehey wrote:
> > > A more conservative default configuration results in a material
> > > improvement in system security.
> >
> > *snip*
>
> By snipping here, you removed reference to the fact that this was a
> general discussion of directi
On Wednesday 24 April 2002 01:14, you wrote:
> On Tuesday, 23 April 2002 at 12:06:01 +0200, Jochem Kossen wrote:
> > On Tuesday 23 April 2002 11:04, you wrote:
> > [...]
> >
> I've been noticing a continuing trend for more and more "safe"
> configurations the default. I spent half a day
On Wed, 24 Apr 2002, Greg 'groggy' Lehey wrote:
> I think the issue is POLA. Sure, we can put in individual knobs to
> twiddle, but who will do that? I thought that securelevel would have
> been a suitable solution to say "I want approximately *this* much
> security". If that's not the case,
On Wed, 24 Apr 2002, Greg 'groggy' Lehey wrote:
> > I'm more interested in the general issue here, since you made the
> > general assertion that there was a problem that stretched beyond
> > this one issue.
>
> Well, we saw the ssh problem as well; that's more than one. We also see
> things li
On Tuesday, 23 April 2002 at 21:38:38 -0400, Robert Watson wrote:
>
> On Wed, 24 Apr 2002, Greg 'groggy' Lehey wrote:
>
>>> A more conservative default configuration results in a material
>>> improvement in system security.
>>
>> *snip*
>
> By snipping here, you removed reference to the fact that
On Wed, 24 Apr 2002, Greg 'groggy' Lehey wrote:
> > A more conservative default configuration results in a material
> > improvement in system security.
>
> *snip*
By snipping here, you removed reference to the fact that this was a
general discussion of direction and policy, rather than specifi
On Tue, 23 Apr 2002, Terry Lambert wrote:
> > The reality is that reducing exposure is an important part of any security
> > posture.
>
> This is an argument for security through obscurity.
>
> If we are talking risk reduction, then we can easily achieve it
> statistically through obscurity.
Robert Watson wrote:
> > "Securing telnet is hard; let's turn it off and go shopping". 8-).
>
> Or maybe,
>
> Few people use telnet any more, so we'll spend some time fixing it, but
> we'll also disable it by default, since many of the reports of
> compromise come from people who weren't
On Tuesday, 23 April 2002 at 11:13:42 -0400, Robert Watson wrote:
>
> On Tue, 23 Apr 2002, Greg 'groggy' Lehey wrote:
>
>> On Monday, 22 April 2002 at 19:53:06 -0700, Jordan Hubbard wrote:
That fix relies on the extensive PAM updates in -CURRENT however; in
-STABLE it can probably be sim
On Tuesday, 23 April 2002 at 12:06:01 +0200, Jochem Kossen wrote:
> On Tuesday 23 April 2002 11:04, you wrote:
> [...]
I've been noticing a continuing trend for more and more "safe"
configurations the default. I spent half a day recently trying to
find why I could no longer op
On Tue, 23 Apr 2002, Terry Lambert wrote:
> Robert Watson wrote:
> > "System programming is hard, let's go shopping".
>
> This is exactly the phrase that comes to mind every time someone yanks
> the plug on a service they are afraid might one day have an exploit
> found for it.
This isn't abo
In <[EMAIL PROTECTED]>, Jochem Kossen <[EMAIL PROTECTED]> typed:
> On Tuesday 23 April 2002 11:04, you wrote:
> OK, then I suggest we mention it in the handbook, the security policy
> document, the manpage AND the release notes :)
None of those are things that are on the "Must read" list for peo
Robert Watson wrote:
> "System programming is hard, let's go shopping".
This is exactly the phrase that comes to mind every time someone
yanks the plug on a service they are afraid might one day have
an exploit found for it.
> Someone who's unaware or unwilling to address security issues will *
On Tue, 23 Apr 2002, Terry Lambert wrote:
> Robert Watson wrote:
> > A more conservative default configuration results in a material
> > improvement in system security.
>
> I really don't think there's any way to fully protect a
> security-unconscious user, as if they had spent the time to learn
Robert Watson wrote:
> A more conservative default configuration results in a material
> improvement in system security.
I really don't think there's any way to fully protect a
security-unconscious user, as if they had spent the time to
learn what was necessary, and chosen the right settings for
On Tuesday 23 April 2002 16:57, Frank Mayhar wrote:
> Jochem Kossen wrote:
> > It does work. But I think you mean the tcp connections.
> > Does that mean you vote for enabling _all_ services? They don't
> > work out of the box as well...
>
> This is ridiculous. You know as well as I do that that'
On Tue, 23 Apr 2002, Greg 'groggy' Lehey wrote:
> On Monday, 22 April 2002 at 19:53:06 -0700, Jordan Hubbard wrote:
> >> That fix relies on the extensive PAM updates in -CURRENT however; in
> >> -STABLE it can probably be similarly replicated via appropriate tweaking
> >> of sshd (?).
> >
> > Wh
On Tue, 23 Apr 2002, Frank Mayhar wrote:
> Robert, it's really, really simple. For new installs, install the new,
> more secure behavior. Be sure to loudly document this behavior so that
> those of us who expect the _old_ behavior don't get bitten by the
> change. And don't change the old beh
On Tue, Apr 23, 2002 at 01:16:46PM +0930, Greg 'groggy' Lehey wrote:
> On Monday, 22 April 2002 at 19:53:06 -0700, Jordan Hubbard wrote:
> >> That fix relies on the extensive PAM updates in -CURRENT however; in
> >> -STABLE it can probably be similarly replicated via appropriate tweaking
> >> of s
On Tue, 23 Apr 2002, Greg 'groggy' Lehey wrote:
> On Monday, 22 April 2002 at 19:53:06 -0700, Jordan Hubbard wrote:
> >> That fix relies on the extensive PAM updates in -CURRENT however; in
> >> -STABLE it can probably be similarly replicated via appropriate tweaking
> >> of sshd (?).
> >
> > Wh
Terry Lambert wrote:
>
> Greg 'groggy' Lehey wrote:
> > I've been noticing a continuing trend for more and more "safe"
> > configurations the default. I spent half a day recently trying to
> > find why I could no longer open windows on my X display, only to
> > discover that somebody had turne
Jochem Kossen wrote:
>
> *shrug* I was the one who sent in the patch. It was added some time
> around 2001/10/26 to the XFree86-4 megaport. When the metaport was
> created, the patch was incorporated too.
>
> A simple 'man startx' should have cleared your mind:
>
>Except for the '-liste
Neil Blakey-Milner wrote:
> > The system has to work right away, when installed out of the box. Period.
> > No when's and if's. And don't tell me that X11 is an add-on and luxury.
> > We are living in the 21st century.
>
> There are people who will tell people that still use X11 tcp sockets to
>
Thus spake Greg 'groggy' Lehey <[EMAIL PROTECTED]>:
> work done. And you can bet your bottom dollar that somebody coming
> from another UNIX variant and trying out FreeBSD won't do so. They'll
> just say that it's broken and wander off again.
I agree with this point, in general. FreeBSD should
Greg 'groggy' Lehey wrote:
> I've been noticing a continuing trend for more and more "safe"
> configurations the default. I spent half a day recently trying to
> find why I could no longer open windows on my X display, only to
> discover that somebody had turned off tcp connections by default.
>
On Tue, 23 Apr 2002 11:38:26 +0200, Neil Blakey-Milner <[EMAIL PROTECTED]> wrote:
> On Tue 2002-04-23 (21:13), Joerg Micheel wrote:
[..]
> > The system has to work right away, when installed out of the box. Period.
> > No when's and if's. And don't tell me that X11 is an add-on and luxury.
> >
On Tue, Apr 23, 2002 at 11:38:26AM +0200, Neil Blakey-Milner wrote:
> There are people who will tell people that still use X11 tcp sockets to
> start living in the 21st century. ssh X11 forwarding still works, it's
> only the (often much lower security) tcp sockets that are disabled by
> default.
On Tuesday 23 April 2002 11:13, you wrote:
> On Tue, Apr 23, 2002 at 06:34:52PM +0930, Greg 'groggy' Lehey wrote:
> > Well, yes. But I've been using X for 11 years. Why should I have
> > to read the man page to find changes? How do I know which man page
> > to read? If I did that for everythin
On Tuesday 23 April 2002 11:04, you wrote:
[...]
> >>
> >> I've been noticing a continuing trend for more and more "safe"
> >> configurations the default. I spent half a day recently trying to
> >> find why I could no longer open windows on my X display, only to
> >> discover that somebody had tu
On Tue 2002-04-23 (21:13), Joerg Micheel wrote:
> On Tue, Apr 23, 2002 at 06:34:52PM +0930, Greg 'groggy' Lehey wrote:
> > Well, yes. But I've been using X for 11 years. Why should I have to
> > read the man page to find changes? How do I know which man page to
> > read? If I did that for ever
On Tue, Apr 23, 2002 at 06:34:52PM +0930, Greg 'groggy' Lehey wrote:
> Well, yes. But I've been using X for 11 years. Why should I have to
> read the man page to find changes? How do I know which man page to
> read? If I did that for everything that happened, I wouldn't get any
> work done. A
On Tuesday, 23 April 2002 at 10:09:51 +0200, Jochem Kossen wrote:
> On Tuesday 23 April 2002 05:46, Greg 'groggy' Lehey wrote:
>> On Monday, 22 April 2002 at 19:53:06 -0700, Jordan Hubbard wrote:
That fix relies on the extensive PAM updates in -CURRENT however;
in -STABLE it can probably
On Tuesday 23 April 2002 05:46, Greg 'groggy' Lehey wrote:
> On Monday, 22 April 2002 at 19:53:06 -0700, Jordan Hubbard wrote:
> >> That fix relies on the extensive PAM updates in -CURRENT however;
> >> in -STABLE it can probably be similarly replicated via appropriate
> >> tweaking of sshd (?).
>
[CC list trimmed]
If memory serves me right, "Greg 'groggy' Lehey" wrote:
> 2. Document these things very well. Both this ssh change and the X
> without TCP change are confusing. If three core team members were
> surprised, it's going to surprise the end user a whole lot more.
The SS
> be able to use it too. I'd suggest that we do the following:
>
> 1. Give the user the choice of these additional features at
> installation time. Recommend the procedures, but explain that you
> need to understand the differences.
>
> 2. Document these things very well. Both this
On Monday, 22 April 2002 at 19:53:06 -0700, Jordan Hubbard wrote:
>> That fix relies on the extensive PAM updates in -CURRENT however; in
>> -STABLE it can probably be similarly replicated via appropriate tweaking
>> of sshd (?).
>
> Why not fix it in stable by the very simple tweaking of the
> Ch
45 matches