FvwmButtons: stop listening for incoming TCP connections #1030
Conversation
libs/fsm.c
Outdated
| fvwm_debug(__func__, "[%s][fsm_init] " | ||
| "Security risk: _IceTransNoListen is not available. " | ||
| "Cannot stop listening for TCP connections.\n" | ||
| "A firewall is strongly recommended. " | ||
| "See https://github.com/fvwmorg/fvwm3/issues/1029\n", module_name); | ||
| #endif | ||
|
|
||
|
|
There was a problem hiding this comment.
Absolutely not!
There is no need for this to be logged like this.
First of all, I don't want to log sensationalist messages like this.
Second of all, there's absolutely no security risk at all with FvwmButtons listening on TCP. FVWM already has an open socket to send commands to (which also includes executing arbitrary commands), so there's no explicit exploit here.
Please remove this entire block, and stop inciting unnecessary FUD.
|
Thanks, @vladrich There's no way I'm merging this as-is. Comments and corrections given to the PR. |
libs/fsm.c
Outdated
| #else | ||
| fvwm_debug(__func__, "[%s][fsm_init] " | ||
| "_IceTransNoListen is not available. " | ||
| "Cannot stop listening for TCP connections.\n", module_name); | ||
| #endif | ||
|
|
||
|
|
There was a problem hiding this comment.
Skip the else block entirely, please.
There was a problem hiding this comment.
I have removed the output completely now. I do want to point out though that without _IceTransNoListen, FVWM is accepting remote connections. Anyone with a network route to the machine can, in the very least, crash FvwmButtons. Unless I am missing something here, this does look like a security risk to me.
There was a problem hiding this comment.
Actually, no. It's not a big security risk.
I will merge this.
Fixes #1029