X server does not have an option to specify which address to listen on for TCP connections

Carsten Haitzler (The Rasterman) raster at rasterman.com
Mon May 11 18:03:18 UTC 2020 

On Mon, 11 May 2020 14:38:48 +0000 ornx <ornx at protonmail.com> said:

> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Monday, May 11, 2020 8:18 AM, Attila Kinali <attila at kinali.ch> wrote:
> 
> > On Mon, 11 May 2020 01:41:11 +0000
> > ornx ornx at protonmail.com wrote:
> >
> > > why?
> >
> > Probably because it has never come up? X was intended to be used
> > on desktops, which, usually, had only a single network interface.
> > In case restrictions were needed, xauth/xhost provided the means
> > to limit access. These days TCP is even disabled on most distros
> > by default, for security reasons.
> >
> > Attila Kinali
> 
> >X was intended to be used on desktops
> is this really true? my understanding is that X has always had a networked
> client/server model

This has not been true for a long time. X has become highly local. This has
been covered in many blogs, conference presentations etc. over the years. You
are quoting a design ethos from the 80's and maybe 90's that has long since
died since then. :)

> my use case is that i need X to use TCP so that i can intercept its traffic
> with wireshark for debugging purposes, but i only need this server accessible

use xscope instead probably. It understands x protocol... :)

> on the loopback interface and specifically do not want it listening on any
> other interfaces for basic security reasons of not giving programs any
> network resources that they do not strictly need. using xauth/xhost seems
> insufficient for this purpose, because i already know that i do not want any
> external traffic to be able to access the server, why do i need to decide
> this at the application level instead of specifying it at the network level?
> what if there is a bug in the X authentication mechanism? the workaround for
> this is also rather inconvenient and requires specialized knowledge, to
> prevent external network traffic from reaching X now involves writing
> firewall rules instead of merely setting a flag limiting the interfaces that
> X is listening on. it is also at odds with normal networking application
> behavior, i have actually never encountered a program before that listened on
> a port but did not allow to specify the listening interface
> 
> is the reason why this behavior has not been implemented in Xorg simply
> because nobody has thought to add it, or is there a specific reason that it
> was left out? if someone provided a patch implementing this behavior, would
> it have a chance of being merged?
> _______________________________________________ xorg at lists.x.org: X.Org
> support Archives: http://lists.freedesktop.org/archives/xorg Info:
> https://lists.x.org/mailman/listinfo/xorg Your subscription address: %
> (user_address)s


-- 
------------- Codito, ergo sum - "I code, therefore I am" --------------
Carsten Haitzler - raster at rasterman.com

More information about the xorg mailing list