previously on this list Jules Gilbert contributed:
> Also, I've heard that running X weakens
> security, I'm going to OpenBSD because my FreeBSD based Mac is,
> apparently, where hackers go to relax. Can I strengthen the X component?

Well that's got a never ending answer but the main points.

OpenBSD's xenocara uses privilege separation so X does not run as root. Why Linux has not picked up these patches I have no idea and I guess FreeBSD hasn't. Hardened Gentoo users sometimes run X as a separate user but as it is unpatched/unseparated they lose USB plug n play support.

Also if you use an Intel or non-ancient ATI chip then you can leave machdep.allowaperture at 0 and in fact I believe the installer now does for many, All? cards. That's a big deal as when the aperture is set to 2 it gives a potential opportunity to the heart of the system and can be used to bypass SELinux on desktops that regard that as their saving grace/excuse and such. The similar grsecurity option is disable raw I/O but again requires KMS drivers.

--
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
_______________________________________________________________________
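
One way to check the machdep.allowaperture setting discussed in the reply above, as an added example that is not part of the original post. The function names are hypothetical, and it assumes the boot-time value is set in /etc/sysctl.conf and the live value is read with `sysctl -n machdep.allowaperture`.

```sh
#!/bin/sh
# Added example: audit machdep.allowaperture on an OpenBSD host.
# Assumption: the persistent value, if any, is set in a sysctl.conf-style file.

# Print the last machdep.allowaperture value assigned in the given file,
# ignoring comments and whitespace. Prints nothing if it is never set.
conf_aperture() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        awk -F= '$1 == "machdep.allowaperture" { v = $2 }
                 END { if (v != "") print v }'
}

# audit_aperture RUNNING_VALUE CONF_FILE
# Prints one verdict line. Returns 0 only when the aperture is closed now
# and nothing in CONF_FILE reopens it at the next boot.
audit_aperture() {
    running=$1
    conf=$(conf_aperture "$2")
    case $running in
        0) ;;
        ''|*[!0-9]*)
            echo "UNKNOWN: could not read machdep.allowaperture"
            return 1 ;;
        *)
            echo "OPEN: running value is $running (aperture driver enabled)"
            return 1 ;;
    esac
    if [ -n "$conf" ] && [ "$conf" != 0 ]; then
        echo "OPEN-AT-BOOT: $2 sets machdep.allowaperture=$conf"
        return 1
    fi
    echo "CLOSED: machdep.allowaperture is 0"
    return 0
}

# On a live OpenBSD system:
#   audit_aperture "$(sysctl -n machdep.allowaperture)" /etc/sysctl.conf
```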