depends on vnc-server???

#1 Fri, 02/16/2007 - 03:06
JohnFord

I haven't got a chance to look into this in depth yet and am wondering if someone might know instantly and have the time to reply.

I don't like vncserver... oh yeah... it's good... real good... but I just don't feel comfortable with it from a security standpoint. I found scripts that will load it without anyone knowing and not ever even showing anywhere in the taskbar.

anyways... every RedHat install I've done - (3-4 in the past three weeks - just trying to get a server up and deciding what operating system to use) I have deliberately made sure it was unchecked as a program I wanted installed.

two days ago when I decided that doing a fresh install (again) with the fedora6 and letting jamie/joe's install.sh do its thing. I noticed that something needed it as a dependency? what?

I didn't even look at all the depends needed... I just clicked yes when yum wanted to do them... but I noticed it when the downloads were ticking away.

I did things in this order because it was how I understood what joe was saying about errors. I installed basic server fed6... then I did a yum update - (which took 5-6 on 768k dsl) -/ I think this is when I saw the vnc-server depend being downloaded... then I did the install.sh.

anyways... I entered - rpm -e --test vncserver and it was not a known rpm (I was hoping it would tell me what depended on it) - I then did the same with vnc-server and it did not tell me that it was not installed... so it must be.

It did not tell me that anything required it... it just didn't complain as if I run the command without the --test option and it'll remove it without being forced. (I have removed it now). I see now that the package name is vnc-server and so that is why vncserver without the hyphen yielded an error.

fedora6 shows the name of the service as vncserver (by going to System/Administration/Server Settings/Services)

I'm telling you that I know that I didn't have it checked as if I wanted it installed... something said it needed it as a depend and that is what I saw ticking away when I was monitoring the upgrade download... "downloading dependablity vnc-sever" (or some wording very similar).

Any ideas about what would claim or even really need this as a depend? Come-on... what "depends" on you setting up a vnc server that gives them complete control of your system? It does not compute except perhaps for malicious intent.

Then too... doing an rpm erase yielded no complaints about depends. So why did redhat fedora6 say it was a depend for the paks I did want... It's just bugging me.

I don't like vnc for my web server - I like webmin and now virtualmin. There are too many ways for someone to leave a trail behind if they break in to webmin but too easy to come and go with vnc.

I never have chosen vnc for my server but it looks like it keeps trying to choose me with this redhat.

Get this... browse/install programs, then if you click on network servers - you'll have to unclick vnc-server as it's one of the clicked-for-you "optional packages". I just don't understand why it's pushed so much and then supposedly depended on when it was not needed because I easily removed it without having to do a --force.

Am I being too paranoid? If anyone has input I would appreciate it.

/johnford

Fri, 02/16/2007 - 11:55
Joe

Hey John,

I'm not sure where the vnc dependency would come from. We don't need it for anything, and none of our packages require it. There might be some package that we depend on, within the Fedora repository...but I'd be surprised.

I don't particularly care to have X or vnc on any server I run, unless I need it for something specific. It is useful for qemu/kvm, because you can export the console via vnc, but I can't think of any other good reason for it on a server system. But, there is no harm in it being installed--it doesn't get set up to run, by default, and even if you choose to have it run, it won't start until you set a password...so you'd have to jump through a couple of hoops to make it actually start up, regardless of it being installed. So, you're perhaps being a bit paranoid, in that it won't be running just because it is installed...but starting it up should be done only with caution (i.e. don't allow a root-level vnc session) and only if you actually need it for something specific.

I'll try to remember to watch the next test install I run on FC6 to see if I can figure out why that would get pulled in during our install process--nothing immediately comes to mind as a possible culprit when I look at our dep lists.

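Added example (not part of either post): a small shell check for the distinction drawn in the reply above between vnc-server being installed and it actually running. It parses the output of `rpm -q --whatrequires vnc-server`, `chkconfig --list vncserver` and `netstat -tln`; the sample outputs are constructed, and the 5900-5999 range assumes VNC's usual display ports.

```shell
# Added example, not from the thread. Each function parses one command's output on stdin.

# stdin: `rpm -q --whatrequires vnc-server` -> names of packages that require it
requirers() {
    grep -v -e '^no package requires' -e '^$' || true
}

# stdin: `chkconfig --list vncserver` -> runlevels where the service is "on"
enabled_runlevels() {
    awk '{ for (i = 2; i <= NF; i++) { split($i, f, ":")
             if (f[2] == "on") s = (s == "" ? "" : s " ") f[1] } }
         END { print s }'
}

# stdin: `netstat -tln` -> local addresses listening on VNC display ports 5900-5999
vnc_listeners() {
    awk '$6 == "LISTEN" { n = split($4, a, ":"); p = a[n] + 0
                          if (p >= 5900 && p <= 5999) print $4 }'
}

# $1 rpm output, $2 chkconfig output, $3 netstat output -> verdict, worst finding first
audit() {
    lsn=$(printf '%s\n' "$3" | vnc_listeners)
    lvl=$(printf '%s\n' "$2" | enabled_runlevels)
    req=$(printf '%s\n' "$1" | requirers)
    if   [ -n "$lsn" ]; then echo "LISTENING on $lsn"
    elif [ -n "$lvl" ]; then echo "ENABLED in runlevels $lvl"
    elif [ -n "$req" ]; then echo "REQUIRED by $req"
    else echo "IDLE: not required, not enabled, not listening"
    fi
}

# Constructed sample outputs (not captured from a real host).
RPM_NONE='no package requires vnc-server'
CHK_OFF='vncserver  0:off 1:off 2:off 3:off 4:off 5:off 6:off'
NET_CLEAN='tcp  0  0 0.0.0.0:22     0.0.0.0:*  LISTEN
tcp  0  0 0.0.0.0:10000  0.0.0.0:*  LISTEN'
NET_VNC="$NET_CLEAN
tcp  0  0 0.0.0.0:5901   0.0.0.0:*  LISTEN"

audit "$RPM_NONE" "$CHK_OFF" "$NET_CLEAN"   # installed but idle
audit "$RPM_NONE" "$CHK_OFF" "$NET_VNC"     # a display is reachable

# On a live host, run this file with --live to audit the real system.
if [ "${1:-}" = "--live" ]; then
    audit "$(rpm -q --whatrequires vnc-server)" \
          "$(chkconfig --list vncserver 2>/dev/null)" "$(netstat -tln)"
fi
```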

Fri, 02/16/2007 - 13:16 (Reply to #2)
JohnFord

Thanks for the input. What's paranoid about it for me is that maybe some script set it up for its own need.

I didn't think that far along so far as if it is installed it probably isn't set up... my thinking was more along the lines of if something claimed it was dependent then it would set it up as it needs.

But I see your line of reasoning. At least this is how I'm thinking after your post. If something depended on it... some day I might click on some redhat feature and it come back with some response like vnc-server needs to be configured to perform this operation or some other such language.

I just don't like the software being on the system and some script being able to set it up at will just by looking for it in a default spot. There are a few scripts you can find that install it remotely virtually undetected and my security thinking is that if someone has/wants to do it to my system let 'em upload it too; and do it that way as I don't want it lying around and just making it easier for them.

I used the word paranoid because I can't imagine redhat doing any bad stuff... neither can I of you/yours or any associated with this group. I didn't think it had anything to do with install.sh. In fact, I have deliberately thwarted its attempts to install itself for each new install I have done. 3-4 the past 3 weeks.

1. it's a checked-for-you option if you add packages - I thought maybe because many really like it and so redhat just checks it for you.
2. It gets installed as a depend but the whole depend is a mystery.
3. uninstalling it is easy without any --force complaint; adding further to the mystery.

I figure this post is a place for the fedora forums but haven't had time and was hoping someone here already would have dealt with it; but, if not, that all would probably be interested.

I would be interested in your input/finding if you see what I'm referring to in your future installs.

I really haven't changed much at all from the base install except that I installed java for the browser and Berkeley DB because I want to get ldap working with its database.
