Re: CDE Without ToolTalk?

From: George Capehart
Date: 09/07/02

Date: Sat, 07 Sep 2002 17:41:30 -0400

"Crist J. Clark" wrote:
> Does anyone have a reference on how to lock down CDE?

Yes. Don't install the X Window system . . . *grin*

Seriously, though, in some shops, servers are headless and administered
remotely via ssh or locally over the serial port. It's been a couple of
years since I actually had my hands on a Sun box, but at that time,
there was nothing that necessitated an admin needing CDE to administer
the box . . . If you need multiple sessions there are a couple of ways
to accomplish that:

 o most of the *sh family support putting processes in the background
and then recalling them

 o emacs - there have been days in which I started emacs and then didn't
leave it until I logged out to go home

 o screen - supports multiple virtual terminals

> When asked to
> "harden" a Sun server, one of the first things to do is go through
> inetd.conf and take everything out but the basics, or even better, not
> run inetd at all.
> But the admins really don't like that since it breaks CDE. I don't
> like being stuck at the console prompt with one shell either. I
> wouldn't think it would be a lot to ask to just have a windowing
> environment so we can have multiple ttys going at once, but not have
> all of the extra network services like the dreaded ToolTalk server.

There are some serious InfoSec types (and *all* BOFHs) who would
seriously question the level of expertise of a sysadmin who would whine
about not being able to administer a server without a GUI. See the
above comments about ways to have multiple things/virtual
terminals/shells. I've really got to wonder whether these guys really
know their way around . . . That may sound harsh, but it's true.

> Is there a way to get CDE going? It bails out for me once it finds it
> can't start up ToolTalk. Am I stuck going to a different windowing
> system (isn't Openwin deprecated these days?)?
> (I think this has been covered before here, but SecurityFocus's search
> page keeps telling me the server is too busy, and I haven't had any
> luck Googling. Thanks.)
> --
> Crist J. Clark

George W. Capehart

Capehart Associates LLC
1604 Nottingham Drive
Gastonia, NC 28054
Phone: +1 704.678.1660
Fax: +1 704.853.2624

"We did a risk management review. We concluded that there was no risk of any management." -- Dilbert
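Added example, not part of the message above: a small audit of the inetd.conf clean-up discussed in the thread, listing which services are still enabled and which of those belong to CDE (ToolTalk among them). The sample file is constructed; its CDE entries and the `/usr/dt/` path are assumed typical Solaris defaults, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of a Solaris-style inetd.conf (not taken from a real host).
# The CDE lines under /usr/dt/bin are assumed typical defaults.
sample_inetd_conf() {
cat <<'EOF'
# constructed sample for illustration
ftp        stream tcp6    nowait root /usr/sbin/in.ftpd           in.ftpd
telnet     stream tcp6    nowait root /usr/sbin/in.telnetd        in.telnetd
#shell     stream tcp     nowait root /usr/sbin/in.rshd           in.rshd

100083/1   tli    rpc/tcp wait   root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
100068/2-5 dgram  rpc/udp wait   root /usr/dt/bin/rpc.cmsd        rpc.cmsd
dtspc      stream tcp     nowait root /usr/dt/bin/dtspcd          /usr/dt/bin/dtspcd
EOF
}

# audit_inetd ALLOWLIST < inetd.conf
# ALLOWLIST is a comma-separated list of service names the site permits.
# Prints "service<TAB>server-path" for every enabled (uncommented) entry
# whose service name is not on the allowlist.
audit_inetd() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }        # skip comments, blanks, short lines
        !($1 in ok) { printf "%s\t%s\n", $1, $6 }
    '
}

# cde_only: keep only findings whose server binary lives under /usr/dt/,
# i.e. the entries whose removal affects CDE.
cde_only() {
    awk -F'\t' '$2 ~ /^\/usr\/dt\//'
}

# Headless box administered over ssh: nothing in inetd.conf is allowed.
echo "Enabled entries outside the allowlist:"
sample_inetd_conf | audit_inetd ""
echo "Of those, CDE-related:"
sample_inetd_conf | audit_inetd "" | cde_only
```

On a real host, feed the function the live file instead of the sample, for example `audit_inetd "" < /etc/inetd.conf`.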
