VNC Security - How can I mollify IT Dept's concerns?
Rob Treuer
RTreuer "at" ati.com
Thu, 16 Mar 2000 17:52:31 +0000
Yes, it is possible to use Xvnc without making /tmp/.X11-unix world
writeable.
One of your sys-admins will have to do this as "root":
chown root:root /some_path/Xvnc
chmod g+s /some_path/Xvnc
The trick is to make the ownership and permissions of the Xvnc executable
match the default (non-VNC) X server executable already on your unix system.
On most unix systems, the default X server has this kind of permission:
-r-xr-sr-x 1 root root [file-size] [date] /usr/some_path/bin/X
The owner and group of this file are both "root",
and the "group-ID bit" is set (this shows up as an "s" where the "x" usually
would be, in the group section of the permission string).
> -----Original Message-----
> From: P Stetson [mailto:scaythe "at" mail.com]
> Sent: Thursday, March 16, 2000 9:57 AM
> To: vnc-list "at" uk.research.att.com
> Subject: VNC Security - How can I mollify IT Dept's concerns?
>
>
> Hello all,
>
> I am relatively new to vnc and very new to this list.
>
> I used vnc (with much success) for about a week or two before the IT
> department where I work found out. As the issue developed it turns out that
> the need to make the /tmp/.X11-unix directory world writeable is against the
> security policy of our company. I suggested making it group writeable and
> changing its group, but they say that it is still a potential issue and
> will not do it.
>
> My question is this... how can I get around this problem? I am not a unix
> guru, nor am I a security expert, so I cannot refute their claims. Will
> using SSH eliminate the security risks? Is there a way to use vnc without
> making the /tmp/.X11-unix directory world writeable (or even group
> writeable)?
>
> I would really appreciate some help with this as I found vnc to be very
> superior to eXceed (what I'm stuck using if I can't use vnc), both in speed
> and flexibility.
>
> Best regards,
> Sean
>
> end
>
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
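An added audit script (not from the list thread or the VNC project) that checks the shape the reply describes: the Xvnc binary should be root:root with the setgid bit, like the stock X server, and /tmp/.X11-unix should not need to be world writeable. The Xvnc path and socket directory are assumptions passed as arguments.

```shell
#!/bin/sh
# Audit an Xvnc install against the "match the X server" recipe:
# root:root ownership, setgid bit, and a socket directory that is not
# world-writable. Paths are assumptions supplied by the caller.

# Return 0 if an ls -l mode string such as "-r-xr-sr-x" carries the
# setgid bit (character 7, the group "x" slot, shows 's' or 'S').
mode_has_setgid() {
    case "$1" in
        ??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the mode string grants write to "other"
# (character 9 is 'w'), e.g. "drwxrwxrwt" or "drwxrwxrwx".
mode_world_writable() {
    case "$1" in
        ????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<mode> <owner> <group>" for a path, taken from ls -ld.
file_mode_owner_group() {
    ls -ld -- "$1" | awk '{ print $1, $3, $4 }'
}

# Audit: returns 0 when Xvnc looks like the stock X server
# (root:root + setgid) and the socket directory is not world-writable;
# returns 1 and prints a WARN line for each deviation.
audit_xvnc() {
    xvnc="$1"; sockdir="${2:-/tmp/.X11-unix}"; status=0
    set -- $(file_mode_owner_group "$xvnc")      # mode owner group
    if ! mode_has_setgid "$1"; then
        echo "WARN: $xvnc lacks the setgid bit ($1)"; status=1
    fi
    if [ "$2" != root ] || [ "$3" != root ]; then
        echo "WARN: $xvnc is owned by $2:$3, expected root:root"; status=1
    fi
    if [ -d "$sockdir" ]; then
        set -- $(file_mode_owner_group "$sockdir")
        if mode_world_writable "$1"; then
            echo "WARN: $sockdir is world-writable ($1)"; status=1
        fi
    fi
    return $status
}
```

A setgid-root Xvnc runs with root's group privileges, so it deserves the same patching and integrity checks as the system X server binary it is being modelled on.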