Other CDE Users Unite!

<sigh> dbus and the like are a reimplementation of an old concept. The mainframe had (MVS) and has (z/OS) the subsystem interface. Messages are passed to a function which in turn calls all its subsystems' (apps that have registered with it) callbacks to notify them of the event/data. Unfortunately for UNIX/Linux, there was no one standard. It's the Wild West here.
One of my favorite parts of MVS!
 
I consider CDE vulnerable as long as they open ports...
This is not wrong in the abstract if by "open ports" you mean "open listening ports", but extend that and any program that opens listening ports is vulnerable.
Heck, even X and CUPS open ports.

If your house has windows and doors they are vulnerable to break-ins; that's why you have locks.

But that's why people run a "workstation" firewall that starts with "default deny in", so unless explicitly allowed, connections originating from outside the box are denied but connections originating inside the box are.

If your workstation running CDE is directly connected to the greater Internet you need to really think about it; if it's directly connected to your home network or enterprise network there should be something upstream of your workstation doing firewalling.
 
I highly recommend not exposing any open ports on a workstation or laptop unless you specifically want access. Don't expect firewalls everywhere, and be aware that hacked machines are often used to search the local Ethernet link (which is not firewalled) for vulnerable applications. Especially in Windows environments this is very common and often the way to infect many machines with malware once one hacked machine exists.

On Linux, I use firewalld and on FreeBSD I have ipfw with a custom ruleset, so I can use unreach/unreach6 for denied packets and allow ssh etc.
 
Which ports are opened and are they bound to ::1 or 127.0.0.1 or to ::/0.0.0.0?
If you look at the pkg message for CDE you wind up starting rpcbind, which I think defaults to port 111 on INADDR_ANY, but you can specify a listening address which I guess could be lo, then you can tweak a line in inetd.conf for port 6112, again, probably bind to lo. Not sure what the third one is but I think unless you are specifically running an old school server they are default deny inbound on workstations.
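As an added example (not from any poster in this thread), here is a small sh script that answers the "bound to loopback or to the wildcard?" question on FreeBSD by scanning `sockstat -46l` output for listeners on a wildcard address. The sockstat lines embedded below are constructed sample data, and the column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN) is assumed from the FreeBSD sockstat man page.

```shell
#!/bin/sh
# Added example, not from the thread: find listening sockets bound to a
# wildcard address (INADDR_ANY / in6addr_any, shown by sockstat as "*")
# rather than to 127.0.0.1 or ::1.

# Constructed sample of `sockstat -46l` output for a CDE workstation where
# rpcbind and inetd were left on their defaults (not captured from a real host).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     rpcbind    612   6  tcp4   *:111                 *:*
root     rpcbind    612   7  udp4   *:111                 *:*
root     inetd      700   5  tcp4   *:6112                *:*
root     sshd       650   4  tcp6   *:22                  *:*
root     cupsd      680   6  tcp4   127.0.0.1:631         *:*
root     rpc.cmsd   720   8  udp4   127.0.0.1:1023        *:*'

# Print "COMMAND PROTO LOCAL" for every listener whose local address is a
# wildcard. Column 6 is LOCAL ADDRESS; the header line is skipped (NR > 1).
wildcard_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $6 ~ /^\*:/ { print $2, $5, $6 }'
}

# Succeeds (exit 0) only when no wildcard listener is present, so it can be
# dropped into a login script or a cron check.
check_no_wildcard() {
    [ -z "$(wildcard_listeners "$1")" ]
}

# On a live FreeBSD box, replace "$SAMPLE" with "$(sockstat -46l)".
wildcard_listeners "$SAMPLE"
```

Anything this prints is reachable from beyond loopback unless a host firewall such as ipfw blocks it; rpcbind (111) and the inetd-managed port 6112 above are exactly the ones the thread suggests rebinding to lo.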
 
Not only CDE uses rpcbind but legacy NFS (NFSv3) does as well. You can limit what rpcbind listens to in rc.conf.

If a person doesn't use the CDE calendar (I don't, I've used plan for decades) one doesn't need cmsd. Just don't start it.

deskutils/plan has a cmsd-like utility called netplan. I don't need it either as I don't share my calendar.
 