[Newbies] Re: Troubleshooting headless running of RFB
Bert Freudenberg
bert at freudenbergs.de
Wed Jul 16 17:17:51 UTC 2008
Am 16.07.2008 um 04:55 schrieb John Chandler:
> On Jul 16, 2008, at 1:06 AM, Klaus D. Witzel wrote:
>> Hi John,
>>
>> on Wed, 16 Jul 2008 00:48:42 +0200, you wrote:
>>
>>> I installed the RFB (vnc viewer/server) package on my Debian server,
>>> to which I don't have console access. There appears to be a problem
>>> with it, because the connection is refused.
>>>
>>> [...]
>>
>> Did you configure RFBServer to allow remote connections?
>>
>> Before you saved the snapshot, did you close all connections (also
>> from RFBServer's connections submenue)?
>
> Yes. The problem was more basic: root privileges are required. D-OH!
>
> I should have known this, but while I avoid running as root as a very
> ingrained policy, this makes it impossible to open a socket to the
> outside
> world.
>
> I looked around for a discussion of security issues with Seaside,
> and didn't
> come up with much.
I am certain there are discussions of this. You should ask on the
Seaside list, too.
I don't think anyone serious runs their Seaside installation as root.
Most common is to proxy via Apache, but you can also use firewall
settings to make your Seaside port appear as port 80 to the outside
world, even though it actually is running on a non-privileged port.
> Are there ways of limiting the damage a malicious
> person could get a root-enabled Squeak to do? I know it's a bit more
> obscure than Apache, but still.
>
> Thanks for answering.
Again, I'm not saying running as root is a good idea, but you can
enable the VM-level file sand-boxing:
SecurityManager default disableFileAccess
which will restrict all file access to
SecurityManager default untrustedUserDirectory
Of course this only makes sense if you do not include the FFI plugin
which can call any C function in any library directly. And besides, do
not run as root.
- Bert -
More information about the Beginners
mailing list