[Newbies] Re: Troubleshooting headless running of RFB

Bert Freudenberg bert at freudenbergs.de
Wed Jul 16 17:17:51 UTC 2008

Am 16.07.2008 um 04:55 schrieb John Chandler:

> On Jul 16, 2008, at 1:06 AM, Klaus D. Witzel wrote:
>> Hi John,
>> on Wed, 16 Jul 2008 00:48:42 +0200, you wrote:
>>> I installed the RFB (vnc viewer/server) package on my Debian server,
>>> to which I don't have console access.  There appears to be a problem
>>> with it, because the connection is refused.
>>> [...]
>> Did you configure RFBServer to allow remote connections?
>> Before you saved the snapshot, did you close all connections (also  
>> from RFBServer's connections submenue)?
> Yes. The problem was more basic: root privileges are required.  D-OH!
> I should have known this, but while I avoid running as root as a very
> ingrained policy, this makes it impossible to open a socket to the  
> outside
> world.
> I looked around for a discussion of security issues with Seaside,  
> and didn't
> come up with much.

I am certain there are discussions of this. You should ask on the  
Seaside list, too.

I don't think anyone serious runs their Seaside installation as root.  
Most common is to proxy via Apache, but you can also use firewall  
settings to make your Seaside port appear as port 80 to the outside  
world, even though it actually is running on a non-privileged port.

> Are there ways of limiting the damage a malicious
> person could get a root-enabled Squeak to do?  I know it's a bit more
> obscure than Apache, but still.
> Thanks for answering.

Again, I'm not saying running as root is a good idea, but you can  
enable the VM-level file sand-boxing:

	SecurityManager default disableFileAccess

which will restrict all file access to

	SecurityManager default untrustedUserDirectory

Of course this only makes sense if you do not include the FFI plugin  
which can call any C function in any library directly. And besides, do  
not run as root.

- Bert -

More information about the Beginners mailing list