
Re: X Windows question



Dave Anderson wrote:
> I've spent some time googling the net and searching the OpenBSD mailing
> list archives, man pages, and FAQ, and haven't found anything that
> answers this question: what are the security implications of running
> the X Windows *client* software on an OpenBSD firewall or server
> system?  I remember from years back (and some of the stuff my searching
> turned up confirms) that running the X Windows *server* software on
> such a system is not a great idea, but I haven't found anything about
> the client side.

I don't think running an X server on your firewall is all that horrible
of a security issue by itself.  HOWEVER, people rarely run X by itself.
Rather, they run X to run some application that requires X.

<warning="Broad, general statement">
Almost by definition, an app that uses X is more about pretty than about
security.
</warning>

In my mind, X isn't the big problem.  If I simply wanted to run top(1)
and vi and a few other things at the same time to maintain my firewall,
I'd not worry much about running X on it.  The problem is the X apps.

If you run Mozilla on your firewall, even without X, and someone gets
you to go to a website which exploits a flaw in Mozilla, the machine at
most risk is your firewall, not your X server.

If anything...I think you would be better off running X on your
firewall, and using it as an X term for another box running Mozilla.
Preferably, on someone else's network. :)

<warning="Broad, general statement">
Keep your firewalls as simple as possible.  The fewer things on them,
the lower the risk.
</warning>


Nick.


