Re: make gnome listen on localhost:*



>For example, we could disable X server network access as well, requiring a
>config file change to use it, and probably 99% of desktop users wouldn't
>notice. But since you and I both likely happen to be in the set of people
>who do use this feature, we would both protest against doing this.

Uuumm... by default you have to use "xhost +inet:machine" first to allow
other machines to show things in your X display. At least that is how the
latest RH I have used is configured (correct me if I am wrong, maybe I
touched something in my machines).

>The reason I hate the suggested type of solution is because it is a hack
>that only works for a very special set of apps, and will ultimately cause
>conflicts with valid uses.
[...]
>Is anyone interested in coming up with "the proper solution" that sets a
>safe default config and makes it easy to make changes? I might be
>interested in helping with such a thing.

I dunno if the X method is bad or good, but at least it does not sound bad. It
could be a solution: by default connections are forbidden; when the user tries
to get a remote app, he first has to run a ghost (g for GNOME, ohost for
ORB?) to allow it, or he will get a message saying that the connection has not
been allowed and that he should issue a ?host command first.

Of course, as in X's xhost, all this means console operations; dunno how to
handle it in full graphical mode, maybe there should be one service hearing all
messages and the remote app would use it to report the error (of course this
service should be armoured to avoid DoS due to overloads and such).

BTW about firewalls, from what I know they are a thing to add, not the only
thing to have. A secure system must be secure, and to increase it (ie to fix
problems due to config errors or new bugs) you add a firewall (or more). As one
layer will have holes, you put a lot of layers trying to close all holes, or
at least minimize the problems. Leaving all the work to firewalls is not sane,
IMHO.

GSR
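As an added example (not code from this thread or from GNOME), a small POSIX shell check for the two defaults the message discusses: which TCP listeners are bound to something other than loopback, and whether the X server's xhost access control is enabled and which remote hosts it admits. The `ss -ltn` and `xhost` output below is constructed sample text; on a real host you would feed in the live output of those commands instead.

```shell
#!/bin/sh
# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:631        0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000         0.0.0.0:*
LISTEN 0      128    [::1]:8080           [::]:*
LISTEN 0      128    *:22                 *:*'

# Constructed sample of `xhost` output with no arguments.
XHOST_SAMPLE='access control enabled, only authorized clients can connect
INET:workstation.example
SI:localuser:alice'

# Print the Local Address:Port of every listener that is NOT bound to a
# loopback address, i.e. the ones reachable from other machines.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            sub(/:[0-9]+$/, "", addr)      # drop the :port suffix
            if (addr == "127.0.0.1" || addr == "[::1]" || addr ~ /^127\./) next
            print $4
        }'
}

# Succeed (exit 0) only if xhost reports access control as enabled.
xhost_access_control_enabled() {
    printf '%s\n' "$1" | head -n 1 | grep -q '^access control enabled'
}

# List the remote (INET:) hosts xhost currently admits; SI: entries are local.
xhost_remote_entries() {
    printf '%s\n' "$1" | grep '^INET:'
}

# Stand-alone report over the constructed samples.
echo "Listeners reachable from the network:"
exposed_listeners "$SAMPLE"
if xhost_access_control_enabled "$XHOST_SAMPLE"; then
    echo "X access control: enabled; remote hosts admitted:"
    xhost_remote_entries "$XHOST_SAMPLE"
else
    echo "X access control: DISABLED (any host may connect)"
fi
```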