Message-ID: <20030918094850.GA11225@openwall.com>
Date: Thu, 18 Sep 2003 13:48:50 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: a graphical Owl

On Tue, Sep 16, 2003 at 12:26:33PM +0000, excapersgarden@...ero.it wrote:
> I'm trying to use Owl as my primary OS because I like this distro a lot, but I
> also need a graphical environment.
> 
> My optimum would be KDE 3.1 (with the Liquid style) and X 4.3..
> but I'm open to every solution.
> Given Owl 1.0, which RPMs, libraries or sources do I need,
> and what are the known problems with that (mainly at the security level)
> or at the graphical level, i.e.: with slk 9.0 and X 4.3 fonts look very bad, nor with X 4.2.

While Owl is intended for servers and we have no intent to ever
include X in the base system, yes, you can also use it on a desktop if
you like.  I do.

There're several approaches:

1. Use binary packages from Red Hat Linux 6.2 updates, or from a RHL
6.x clone.  This is probably the easiest.  There're just two caveats
that I remember: their X server package relies on pam_console, which
we chose to not package, and xlock will need special permissions to
work on Owl.

The first is solved by replacing the pam_console line in
/etc/pam.d/xserver with:

auth       required     /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/xserver.allow

Then you list the users which need to run X in /etc/xserver.allow.

The second is solved by making /usr/X11R6/bin/xlock SGID to group
chkpwd, like this:

-rwx--s--x    1 root     chkpwd     751328 Mar 30  2001 /usr/X11R6/bin/xlock

I've tested this setup with WindowMaker as the window manager.  I
don't use or like KDE, sorry.

The obvious drawback of this approach is that the versions of XFree86
and other software you may install in this way are rather old.  Some
may also contain known vulnerabilities (you'd get less if you bother
to check RHL 6.2 updates).

2. Try and build newer packages, such as from Red Hat Rawhide.  Some
will likely require minor tweaking of RPM .spec files, so be prepared.
I haven't tried this for XFree86 itself, but I built things such as
Mozilla on Owl in this way.

3. Build everything from source, without the use of packages, and
install under /usr/local.  I know people have been doing that:

http://marc.theaimsgroup.com/?l=owl-users&m=100713368207829
http://marc.theaimsgroup.com/?l=owl-users&m=100887044600874

Some generic advice on using X reasonably safely:

It's a good idea to create group xusers and restrict access to either
the X server binary or to /usr/X11R6/bin/Xwrapper (make it mode 4710,
root.xusers).

Make sure you either filter the X server ports (6000/tcp and a few
above it in case you ever run a second, third, etc. instance of X
server), or tell it to not listen for TCP connections (start it as
"startx -- -nolisten tcp").  Note that if you use SSH X11 forwarding,
the SSH client will need to be permitted to connect to your X server
via TCP locally.

In order to use xlock meaningfully, you may start X by adding these
lines to your /etc/profile.d/local.sh (create one):

# Start X automatically, without TCP listening, for a user logging in on
# the first console who is listed (as an exact line) in /etc/xserver.allow.
if [ "`tty`" = "/dev/tty1" -a -n "`fgrep -x "$USER" /etc/xserver.allow`" ]; then
	exec startx -- -nolisten tcp
fi

-- 
Alexander Peslyak <solar@...nwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
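To go with the steps above, here is an added audit script (mine, not Solar Designer's and not part of Owl) that checks each setting the message recommends: the pam_listfile line in /etc/pam.d/xserver, the Xwrapper and xlock permissions, that no X server is listening on TCP, and the tty1 auto-start rule. It assumes GNU stat, ss or netstat, and the paths named in the message; every function takes its paths as parameters so it can be run against test copies.

```sh
#!/bin/sh
# Added example, not from the original message: audit the X hardening steps
# it describes. Defaults are the paths the message uses; assumes GNU
# coreutils stat (-c) and ss or netstat for the listener check.

# 1. /etc/pam.d/xserver uses pam_listfile with the allow-file, and the
#    pam_console line (not packaged on Owl) is gone.
check_pam_xserver() {                      # [pamfile] [allowfile]
    pamfile=${1:-/etc/pam.d/xserver}
    allow=${2:-/etc/xserver.allow}
    [ -f "$pamfile" ] || return 1
    grep -q 'pam_console' "$pamfile" && return 1
    line=$(grep -E '^auth[[:space:]]+required[[:space:]]+.*pam_listfile\.so' "$pamfile") || return 1
    case "$line" in
        *item=user*sense=allow*onerr=fail*file=$allow*) return 0 ;;
    esac
    return 1
}

# 2. Mode and ownership of a sensitive binary: Xwrapper should be 4710
#    root xusers, xlock 2711 root chkpwd (the -rwx--s--x listing above).
check_file_perm() {                        # file mode owner group
    actual=$(stat -c '%a %U %G' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2 $3 $4" ]
}

# 3. No X server accepting TCP connections on 6000/tcp or the following
#    display ports (6001, 6002, ... for further X instances).
check_x_not_listening() {
    { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | grep -Eq ':60[0-9][0-9]([[:space:]]|$)' && return 1
    return 0
}

# 4. The auto-start rule from the profile.d snippet, as a testable function:
#    only a user listed in the allow-file, logged in on tty1, gets X started.
should_start_x() {                         # user tty allowfile
    [ "$2" = "/dev/tty1" ] && grep -Fqx "$1" "$3"
}

# Run all checks against the live system when invoked as: sh audit.sh audit
audit_owl_x() {
    rc=0
    check_pam_xserver || { echo "pam.d/xserver: no pam_listfile allow-list"; rc=1; }
    check_file_perm /usr/X11R6/bin/Xwrapper 4710 root xusers || { echo "Xwrapper: want 4710 root:xusers"; rc=1; }
    check_file_perm /usr/X11R6/bin/xlock 2711 root chkpwd || { echo "xlock: want 2711 root:chkpwd"; rc=1; }
    check_x_not_listening || { echo "X listening on TCP: use -nolisten tcp or filter 6000/tcp"; rc=1; }
    return $rc
}
if [ "${1:-}" = audit ]; then audit_owl_x; fi
```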
