<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article09_07_09_2050226</id>
	<title>Moblin Will Run X Server As Logged-In User, Not Root</title>
	<author>timothy</author>
	<datestamp>1247129640000</datestamp>
	<htmltext>nerdyH writes <i>"An architect of the Moblin Project has announced that Moblin 2.0 for netbooks and nettops is the <a href="http://moblinzone.com/blog/309/52/Moblin_20_fixes_Linux_security_hole">first Linux distribution to run the X server as the logged-in user, rather than SUID'd to root</a>. The fix to this decades-old security liability comes thanks to 'NRX' (No-root X) technology reportedly developed by Intel, Red Hat, and others in the X community, and the Moblin-sponsored 'Secure X' project. Besides making Linux netbooks a lot more snoop-proof, it seems like this could lead to an X-hosting renaissance of sorts, since you wouldn't be risking the whole system just to open up a specific user's account to remote X servers."</i></htmltext>
<tokenext>nerdyH writes " An architect of the Moblin Project has announced that Moblin 2.0 for netbooks and nettops is the first Linux distribution to run the X server as the logged-in user , rather than SUID 'd to root .
The fix to this decades-old security liability comes thanks to 'NRX ' ( No-root X ) technology reportedly developed by Intel , Red Hat , and others in the X community , and the Moblin-sponsored 'Secure X ' project .
Besides making Linux netbooks a lot more snoop-proof , it seems like this could lead to an X-hosting renaissance of sorts , since you would n't be risking the whole system just to open up a specific user 's account to remote X servers .
"</tokentext>
<sentencetext>nerdyH writes "An architect of the Moblin Project has announced that Moblin 2.0 for netbooks and nettops is the first Linux distribution to run the X server as the logged-in user, rather than SUID'd to root.
The fix to this decades-old security liability comes thanks to 'NRX' (No-root X) technology reportedly developed by Intel, Red Hat, and others in the X community, and the Moblin-sponsored 'Secure X' project.
Besides making Linux netbooks a lot more snoop-proof, it seems like this could lead to an X-hosting renaissance of sorts, since you wouldn't be risking the whole system just to open up a specific user's account to remote X servers.
"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642641</id>
	<title>Is this right ?</title>
	<author>Anonymous</author>
	<datestamp>1247135460000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>4</modscore>
	<htmltext><p>I am not sure that this is the right solution.  Not running it as root is good, but running it as me - I don't know.  I'd rather that the user that runneth the X server is some sort of 'xserver' user - to whose process I connect.  That 'xserver' user then has the right to push my screen into VGA mode and all that.  Also, this doesn't fix all those other services (that gnome has, for example) that allow my X programs to mount stuff etc.  Which is, again, a security risk by itself.</p></htmltext>
<tokenext>I am not sure that this is the right solution .
Not running it as root is good , but running it as me - I do n't know .
I 'd rather that the user that runneth the X server is some sort of 'xserver ' user - to whose process I connect .
That 'xserver ' user then has the right to push my screen into VGA mode and all that .
Also , this does n't fix all those other services ( that gnome has , for example ) that allow my X programs to mount stuff etc .
Which is , again , a security risk by itself .</tokentext>
<sentencetext>I am not sure that this is the right solution.
Not running it as root is good, but running it as me - I don't know.
I'd rather that the user that runneth the X server is some sort of 'xserver' user - to whose process I connect.
That 'xserver' user then has the right to push my screen into VGA mode and all that.
Also, this doesn't fix all those other services (that gnome has, for example) that allow my X programs to mount stuff etc.
Which is, again, a security risk by itself.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642307</id>
	<title>Two questions:</title>
	<author>Anonymous</author>
	<datestamp>1247134260000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>1. Does this mean you can't login at a graphical interface?  I.e. will you have to login at a terminal and then wait for X server to come up?</p><p>2. If multiple users login, will each user get their own instance of X server?  This seems like overkill...</p></htmltext>
<tokenext>1 .
Does this mean you ca n't login at a graphical interface ?
I.e. will you have to login at a terminal and then wait for X server to come up ? 2 .
If multiple users login , will each user get their own instance of X server ?
This seems like overkill.. .</tokentext>
<sentencetext>1.
Does this mean you can't login at a graphical interface?
I.e. will you have to login at a terminal and then wait for X server to come up? 2.
If multiple users login, will each user get their own instance of X server?
This seems like overkill...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642189</id>
	<title>One of the shortcomings in security</title>
	<author>santax</author>
	<datestamp>1247133660000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Just got fixed by this. To be honest, I don't know how they've done it, but I know this is a good thing. This will make X and Linux more secure and I can only applaud that.</htmltext>
<tokenext>Just got fixed by this .
To be honest , I do n't know how they 've done it , but I know this is a good thing .
This will make X and Linux more secure and I can only applaud that .</tokentext>
<sentencetext>Just got fixed by this.
To be honest, I don't know how they've done it, but I know this is a good thing.
This will make X and Linux more secure and I can only applaud that.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643313</id>
	<title>It's "X Window System", not "X Windows"</title>
	<author>Anonymous</author>
	<datestamp>1247138280000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Sorry for nit picking, but this seems to have been lost on the people who tagged "xwindows".</p></htmltext>
<tokenext>Sorry for nit picking , but this seems to have been lost on the people who tagged " xwindows " .</tokentext>
<sentencetext>Sorry for nit picking, but this seems to have been lost on the people who tagged "xwindows".</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28652419</id>
	<title>Re:Is this right ?</title>
	<author>vainvanevein</author>
	<datestamp>1247251980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I see no advantage to having the X Server running as an "xserver" user versus running as a regular user. If there isn't an advantage, then it's an unnecessary complication.</htmltext>
<tokenext>I see no advantage to having the X Server running as an " xserver " user versus running as a regular user .
If there is n't an advantage , then it 's an unnecessary complication .</tokentext>
<sentencetext>I see no advantage to having the X Server running as an "xserver" user versus running as a regular user.
If there isn't an advantage, then it's an unnecessary complication.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642641</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245</id>
	<title>Poor understanding of X</title>
	<author>Anonymous</author>
	<datestamp>1247134020000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>5</modscore>
	<htmltext><p>The article repeats the common misunderstanding: "in the backwards terminology of X"</p><p>What exactly is backwards about this?  X is the server, and the apps are clients.</p><p>Think about it: The client initiates the conversation with the server. The client tells the server what to do.</p><p>How is this backwards?</p></htmltext>
<tokenext>The article repeats the common misunderstanding : " in the backwards terminology of X " What exactly is backwards about this ?
X is the server , and the apps are clients . Think about it : The client initiates the conversation with the server .
The client tells the server what to do . How is this backwards ?</tokentext>
<sentencetext>The article repeats the common misunderstanding: "in the backwards terminology of X" What exactly is backwards about this?
X is the server, and the apps are clients. Think about it: The client initiates the conversation with the server.
The client tells the server what to do. How is this backwards?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28663157</id>
	<title>SunOS and Solaris have always operated this way.</title>
	<author>efalk</author>
	<datestamp>1247306640000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>I was a video driver developer for Sun for many years.  The window system *always* ran as the logged-in user.  When I started developing for Linux, I was appalled when I realized that Linux ran the windows server as root.</p><p>Here's how we did it at Sun:  For every supported video card, there is a device driver.  The driver provides basic services such as cursor and color-table management (there are advantages to doing this in the kernel), and additionally allows the user logged in at the console to map in the device registers.  This means that the window system doesn't need any special privileges to run.</p><p>There are other advantages to having a device driver manage user-level hardware mapping.  Not the least of which is that it allowed us to implement full-bore context switching at the device level.  The advantages of this are enormous.</p></htmltext>
<tokenext>I was a video driver developer for Sun for many years .
The window system * always * ran as the logged-in user .
When I started developing for Linux , I was appalled when I realized that Linux ran the windows server as root . Here 's how we did it at Sun : For every supported video card , there is a device driver .
The driver provides basic services such as cursor and color-table management ( there are advantages to doing this in the kernel ) , and additionally allows the user logged in at the console to map in the device registers .
This means that the window system does n't need any special privileges to run . There are other advantages to having a device driver manage user-level hardware mapping .
Not the least of which is that it allowed us to implement full-bore context switching at the device level .
The advantages of this are enormous .</tokentext>
<sentencetext>I was a video driver developer for Sun for many years.
The window system *always* ran as the logged-in user.
When I started developing for Linux, I was appalled when I realized that Linux ran the windows server as root. Here's how we did it at Sun:  For every supported video card, there is a device driver.
The driver provides basic services such as cursor and color-table management (there are advantages to doing this in the kernel), and additionally allows the user logged in at the console to map in the device registers.
This means that the window system doesn't need any special privileges to run. There are other advantages to having a device driver manage user-level hardware mapping.
Not the least of which is that it allowed us to implement full-bore context switching at the device level.
The advantages of this are enormous.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642883</id>
	<title>Re:Graphics drivers</title>
	<author>Hatta</author>
	<datestamp>1247136360000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>If graphics drivers were implemented in the kernel instead of X, you would have to write new drivers for every kernel you want to run X on.</p></htmltext>
<tokenext>If graphics drivers were implemented in the kernel instead of X , you would have to write new drivers for every kernel you want to run X on .</tokentext>
<sentencetext>If graphics drivers were implemented in the kernel instead of X, you would have to write new drivers for every kernel you want to run X on.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642433</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642235</id>
	<title>Correct me if I'm wrong</title>
	<author>Anonymous</author>
	<datestamp>1247133900000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>But running apps remotely and having them display on a local X server _NEVER_ required root access of any kind on the remote server....</p></htmltext>
<tokenext>But running apps remotely and having them display on a local X server _NEVER_ required root access of any kind on the remote server... .</tokentext>
<sentencetext>But running apps remotely and having them display on a local X server _NEVER_ required root access of any kind on the remote server....</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643755</id>
	<title>Re:Poor understanding of X</title>
	<author>Anonymous</author>
	<datestamp>1247140140000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>It's backwards from the perspective of a human being.  If for some reason you are a little metal box stuck in a rack closet somewhere with no lights and powerful A/C, maybe you could make the argument that the remote faraway desktop might be a "server" and you're a "client".  But in real language terms, you need to accept the fact that humanity has decided to call big boxes in server rooms "servers" and desktop computers on people's desktops "clients".</p><p>But no human being has ever thought that way, except when a bunch of guys throwing together the X protocol said "Oh, wow, man!  You know, like, what?  It's so cool!  It's totally reversed!  The client is the server and the server is the client!  Why don't we force everyone who is already calling this big enterprise hardware device a server to also call it a client?  Then we can force everyone who already calls their desktop computer a client to call them servers!  Won't that be wild!"</p><p>Get over yourself.  Once you start using language the way the rest of the world does, you will have a lot fewer snarky arguments that wind up with you feeling clever while the other person walks away shaking his or her head sadly.</p></htmltext>
<tokenext>It 's backwards from the perspective of a human being .
If for some reason you are a little metal box stuck in a rack closet somewhere with no lights and powerful A/C , maybe you could make the argument that the remote faraway desktop might be a " server " and you 're a " client " .
But in real language terms , you need to accept the fact that humanity has decided to call big boxes in server rooms " servers " and desktop computers on people 's desktops " clients " . But no human being has ever thought that way , except when a bunch of guys throwing together the X protocol said " Oh , wow , man !
You know , like , what ?
It 's so cool !
It 's totally reversed !
The client is the server and the server is the client !
Why do n't we force everyone who is already calling this big enterprise hardware device a server to also call it a client ?
Then we can force everyone who already calls their desktop computer a client to call them servers !
Wo n't that be wild !
" Get over yourself .
Once you start using language the way the rest of the world does , you will have a lot fewer snarky arguments that wind up with you feeling clever while the other person walks away shaking his or her head sadly .</tokentext>
<sentencetext>It's backwards from the perspective of a human being.
If for some reason you are a little metal box stuck in a rack closet somewhere with no lights and powerful A/C, maybe you could make the argument that the remote faraway desktop might be a "server" and you're a "client".
But in real language terms, you need to accept the fact that humanity has decided to call big boxes in server rooms "servers" and desktop computers on people's desktops "clients". But no human being has ever thought that way, except when a bunch of guys throwing together the X protocol said "Oh, wow, man!
You know, like, what?
It's so cool!
It's totally reversed!
The client is the server and the server is the client!
Why don't we force everyone who is already calling this big enterprise hardware device a server to also call it a client?
Then we can force everyone who already calls their desktop computer a client to call them servers!
Won't that be wild!
"Get over yourself.
Once you start using language the way the rest of the world does, you will have a lot fewer snarky arguments that wind up with you feeling clever while the other person walks away shaking his or her head sadly.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28645371</id>
	<title>Re:Is this right ?</title>
	<author>Anonymous</author>
	<datestamp>1247151840000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p><div class="quote"><p>What's the issue of having your user ID doing all this?</p></div><p>A remote hole in a process run as 'nobody' allows some log files to be trashed, maybe.</p><p>A remote hole in a process run as me allows all of my data to be destroyed.</p></div>
	</htmltext>
<tokenext>What 's the issue of having your user ID doing all this ? A remote hole in a process run as 'nobody ' allows some log files to be trashed , maybe . A remote hole in a process run as me allows all of my data to be destroyed .</tokentext>
<sentencetext>What's the issue of having your user ID doing all this? A remote hole in a process run as 'nobody' allows some log files to be trashed, maybe. A remote hole in a process run as me allows all of my data to be destroyed.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643567</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643499</id>
	<title>Re:Graphics drivers</title>
	<author>kelnos</author>
	<datestamp>1247139060000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>That's already been the case for the more mainstream cards (nvidia, AMD, Intel) for many years now.  They all require a kernel piece for 3D support.  nvidia, at least, has a single driver core that they use for multiple OSes, with a little translation layer for the particular kernel.  I don't know what the others do.</htmltext>
<tokenext>That 's already been the case for the more mainstream cards ( nvidia , AMD , Intel ) for many years now .
They all require a kernel piece for 3D support .
nvidia , at least , has a single driver core that they use for multiple OSes , with a little translation layer for the particular kernel .
I do n't know what the others do .</tokentext>
<sentencetext>That's already been the case for the more mainstream cards (nvidia, AMD, Intel) for many years now.
They all require a kernel piece for 3D support.
nvidia, at least, has a single driver core that they use for multiple OSes, with a little translation layer for the particular kernel.
I don't know what the others do.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642883</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647739</id>
	<title>Re:One of the shortcomings in security</title>
	<author>kinnell</author>
	<datestamp>1247228760000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Let's say you are running a web browser on X and you load a malicious web site which exploits a flaw in your browser which enables it to communicate with the X server.  The X server has direct access to the video hardware, so if there is a flaw which an X client (your compromised web browser) can use to control your video card, you can do arbitrary DMA transfers outwith kernel control.  This is quite a complicated vector but it does exist, and requires either the X server to be flawless or all X clients to be flawless.  In effect you are offloading responsibility for your system security from the kernel to your X server.</htmltext>
<tokenext>Let 's say you are running a web browser on X and you load a malicious web site which exploits a flaw in your browser which enables it to communicate with the X server .
The X server has direct access to the video hardware , so if there is a flaw which an X client ( your compromised web browser ) can use to control your video card , you can do arbitrary DMA transfers outwith kernel control .
This is quite a complicated vector but it does exist , and requires either the X server to be flawless or all X clients to be flawless .
In effect you are offloading responsibility for your system security from the kernel to your X server .</tokentext>
<sentencetext>Let's say you are running a web browser on X and you load a malicious web site which exploits a flaw in your browser which enables it to communicate with the X server.
The X server has direct access to the video hardware, so if there is a flaw which an X client (your compromised web browser) can use to control your video card, you can do arbitrary DMA transfers outwith kernel control.
This is quite a complicated vector but it does exist, and requires either the X server to be flawless or all X clients to be flawless.
In effect you are offloading responsibility for your system security from the kernel to your X server.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642843</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28654275</id>
	<title>Re:Poor understanding of X</title>
	<author>Anonymous</author>
	<datestamp>1247216820000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>But in real language terms, you need to accept the fact that humanity has decided to call big boxes in server rooms "servers" and desktop computers on people's desktops "clients".</p></div><p>No, <i>you</i> have to accept that just because stupid people are stupid and wrong doesn't mean that words suddenly start to mean something else.</p></div>
	</htmltext>
<tokenext>But in real language terms , you need to accept the fact that humanity has decided to call big boxes in server rooms " servers " and desktop computers on people 's desktops " clients " . No , you have to accept that just because stupid people are stupid and wrong does n't mean that words suddenly start to mean something else .</tokentext>
<sentencetext>But in real language terms, you need to accept the fact that humanity has decided to call big boxes in server rooms "servers" and desktop computers on people's desktops "clients". No, you have to accept that just because stupid people are stupid and wrong doesn't mean that words suddenly start to mean something else.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643755</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647095</id>
	<title>Re:Poor understanding of X</title>
	<author>maxwell demon</author>
	<datestamp>1247219100000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>The client applications run on the server?</p><p>At least in the setups I'm used to, <em>no</em> client program may be run on dedicated server machines (if that is what you mean with "server"). After all, you don't want e.g. to get all computers unusable because some program runs wild on the central file server. When running X client software remotely, it's on <em>another "client" machine</em>, that is, on another of those machines not restricted for a certain purpose. In many cases it's a machine which you could in principle go to and work directly on it, but why bother if you can as well log in remotely.</p><p>Now the server is traditionally the side which manages the resource, and the client is the side which uses the resource. With a file server, the server is running on the computer with the files, and the clients are the programs running elsewhere. And with the X server, the server is running on the computer with the display (i.e. your computer), and the client may run elsewhere. Note that if your remote X program also accesses files from a file server, the client is again your program running on the remote computer (your local computer isn't involved at all in that case, unless it happens to be the file server).</p></htmltext>
<tokenext>The client applications run on the server ? At least in the setups I 'm used to , no client program may be run on dedicated server machines ( if that is what you mean with " server " ) .
After all , you do n't want e.g .
to get all computers unusable because some program runs wild on the central file server .
When running X client software remotely , it 's on another " client " machine , that is , on another of those machines not restricted for a certain purpose .
In many cases it 's a machine which you could in principle go to and work directly on it , but why bother if you can as well log in remotely . Now the server is traditionally the side which manages the resource , and the client is the side which uses the resource .
With a file server , the server is running on the computer with the files , and the clients are the programs running elsewhere .
And with the X server , the server is running on the computer with the display ( i.e .
your computer ) , and the client may run elsewhere .
Note that if your remote X program also accesses files from a file server , the client is again your program running on the remote computer ( your local computer is n't involved at all in that case , unless it happens to be the file server ) .</tokentext>
<sentencetext>The client applications run on the server? At least in the setups I'm used to, no client program may be run on dedicated server machines (if that is what you mean with "server").
After all, you don't want e.g.
to get all computers unusable because some program runs wild on the central file server.
When running X client software remotely, it's on another "client" machine, that is, on another of those machines not restricted for a certain purpose.
In many cases it's a machine which you could in principle go to and work directly on it, but why bother if you can as well log in remotely. Now the server is traditionally the side which manages the resource, and the client is the side which uses the resource.
With a file server, the server is running on the computer with the files, and the clients are the programs running elsewhere.
And with the X server, the server is running on the computer with the display (i.e.
your computer), and the client may run elsewhere.
Note that if your remote X program also accesses files from a file server, the client is again your program running on the remote computer (your local computer isn't involved at all in that case, unless it happens to be the file server).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643521</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28645657</id>
	<title>Not exactly innovative.</title>
	<author>wkcole</author>
	<datestamp>1247154480000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>On MacOS X, the X server also runs as the logged-in user.

It isn't clear what "nerdyH" means by its last sentence, which doesn't really make a lot of sense. No one who cares about security puts unshielded X Windows sessions on insecure networks, because X Windows data streams between clients (e.g. xterm, Firefox, the Gnome or KDE desktops, or almost anything graphical on any Linux machine) and display servers (the piece that 'serves' a display device to clients) are not encrypted. Remote X Windows sessions are usually kept on private networks or tunneled through SSH. What this protects against is not snooping, but rather against some as-yet-unknown bug in the X server allowing code injection as root. That's a good thing, but it isn't huge. For a system distro, it could be made meaningless by the integrator giving the logged-in user excessive capabilities. To balance my first sentence: Apple provided examples of that in early versions of MacOS X, where file and directory permissions made privilege escalation trivial.</htmltext>
<tokenext>On MacOS X , the X server also runs as the logged-in user .
It is n't clear what " nerdyH " means by its last sentence , which does n't really make a lot of sense .
No one who cares about security puts unshielded X Windows sessions on insecure networks , because X Windows data streams between clients ( e.g .
xterm , Firefox , the Gnome or KDE desktops , or almost anything graphical on any Linux machine ) and display servers ( the piece that 'serves ' a display device to clients ) are not encrypted .
Remote X Windows sessions are usually kept on private networks or tunneled through SSH .
What this protects against is not snooping , but rather against some as-yet-unknown bug in the X server allowing code injection as root .
That 's a good thing , but it is n't huge .
For a system distro , it could be made meaningless by the integrator giving the logged-in user excessive capabilities .
To balance my first sentence : Apple provided examples of that in early versions of MacOS X , where file and directory permissions made privilege escalation trivial .</tokentext>
<sentencetext>On MacOS X, the X server also runs as the logged-in user.
It isn't clear what "nerdyH" means by its last sentence, which doesn't really make a lot of sense.
No one who cares about security puts unshielded X Windows sessions on insecure networks, because X Windows data streams between clients (e.g.
xterm, Firefox, the Gnome or KDE desktops, or almost anything graphical on any Linux machine) and display servers (the piece that 'serves' a display device to clients) are not encrypted.
Remote X Windows sessions are usually kept on private networks or tunneled through SSH.
What this protects against is not snooping, but rather against some as-yet-unknown bug in the X server allowing code injection as root.
That's a good thing, but it isn't huge.
For a system distro, it could be made meaningless by the integrator giving the logged-in user excessive capabilities.
To balance my first sentence: Apple provided examples of that in early versions of MacOS X, where file and directory permissions made privilege escalation trivial.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28656323</id>
	<title>Re:Correct me if im wrong</title>
	<author>Anonymous</author>
	<datestamp>1247230620000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>What does that have to do with anything? The article is about not running the <b>X server</b> as root on the local machine. RTFA for enlightenment about why this is good, but for most people it is paranoid. However, sometimes paranoia pays--especially if it doesn't cost anything.

</p><p>Though the article is wrong about this always being an issue. Before 3D acceleration, X ran fine as a normal user. (I don't remember why, since rendering 3D is done by the DRI kernel driver) Some setups required X start as root then dropped priv, but I don't see how this makes a difference. In fact, the framebuffer kernel driver was made so programs (such as X) could access the video card without needing root privs.</p></htmltext>
<tokenext>What does that have to do with anything ?
The article is about not running the X server as root on the local machine .
RTFA for enlightenment about why this is good , but for most people it is paranoid .
However , sometimes paranoia pays--especially if it does n't cost anything .
Though the article is wrong about this always being an issue .
Before 3D acceleration , X ran fine as a normal user .
( I do n't remember why , since rendering 3D is done by the DRI kernel driver ) Some setups required X start as root then dropped priv , but I do n't see how this makes a difference .
In fact , the framebuffer kernel driver was made so programs ( such as X ) could access the video card without needing root privs .</tokentext>
<sentencetext>What does that have to do with anything?
The article is about not running the X server as root on the local machine.
RTFA for enlightenment about why this is good, but for most people it is paranoid.
However, sometimes paranoia pays--especially if it doesn't cost anything.
Though the article is wrong about this always being an issue.
Before 3D acceleration, X ran fine as a normal user.
(I don't remember why, since rendering 3D is done by the DRI kernel driver) Some setups required X start as root then dropped priv, but I don't see how this makes a difference.
In fact, the framebuffer kernel driver was made so programs (such as X) could access the video card without needing root privs.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642235</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644155</id>
	<title>Re:Remote X servers?</title>
	<author>Anonymous</author>
	<datestamp>1247142420000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>There are occasional situations for having an X server on a 'server computer', but none of which have needed to EVER be SetUID root anyway.</p><p>The VNC Server implementation on Linux is an X Server that you connect to using the VNC client, for example.  (X window client programs connect to this and it looks, to them, like an ordinary X server.  VNC client programs connect to this same program on the VNC port and it renders the X11 display into the VNC stream visible in the VNC client.)</p><p>Other possibilities: <a href="http://en.wikipedia.org/wiki/Xnest" title="wikipedia.org" rel="nofollow">Xnest</a> [wikipedia.org] - the X window server that is also an X Window client.</p><p>But, since none of these do anything other than TCP IP communications, they've never needed root access ever.  Stupid submitter.</p></htmltext>
<tokenext>There are occasional situations for having an X server on a 'server computer ' , but none of which have needed to EVER be SetUID root anyway.The VNC Server implementation on Linux is an X Server that you connect to using the VNC client , for example .
( X window client programs connect to this and it looks , to them , like an ordinary X server .
VNC client programs connect to this same program on the VNC port and it renders the X11 display into the VNC stream visible in the VNC client .
) Other possibilities : Xnest [ wikipedia.org ] - the X window server that is also an X Window client.But , since none of these do anything other than TCP IP communications , they 've never needed root access ever .
Stupid submitter .</tokentext>
<sentencetext>There are occasional situations for having an X server on a 'server computer', but none of which have needed to EVER be SetUID root anyway.The VNC Server implementation on Linux is an X Server that you connect to using the VNC client, for example.
(X window client programs connect to this and it looks, to them, like an ordinary X server.
VNC client programs connect to this same program on the VNC port and it renders the X11 display into the VNC stream visible in the VNC client.
)Other possibilities: Xnest [wikipedia.org] - the X window server that is also an X Window client.But, since none of these do anything other than TCP IP communications, they've never needed root access ever.
Stupid submitter.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643245</id>
	<title>Re:One of the shortcommings in security</title>
	<author>dgatwood</author>
	<datestamp>1247137980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Huge.  XFree86, for example, is over 2 million lines of code.  Given that there is an average of one security bug per 1,000 lines of code (according to the DoD), this means that there are likely over 2,000 security bugs in the X server.  That's 2,000 privilege escalation attack vectors that a local user could use to gain root privileges by smashing on the X server in the right way....  If the X server runs as the local user, then all of those bugs become mostly moot (crash risk notwithstanding).</p></htmltext>
<tokenext>Huge .
XFree86 , for example , is over 2 million lines of code .
Given that there is an average of one security bug per 1,000 lines of code ( according to the DoD ) , this means that there are likely over 2,000 security bugs in the X server .
That 's 2,000 privilege escalation attack vectors that a local user could use to gain root privileges by smashing on the X server in the right way.... If the X server runs as the local user , then all of those bugs become mostly moot ( crash risk notwithstanding ) .</tokentext>
<sentencetext>Huge.
XFree86, for example, is over 2 million lines of code.
Given that there is an average of one security bug per 1,000 lines of code (according to the DoD), this means that there are likely over 2,000 security bugs in the X server.
That's 2,000 privilege escalation attack vectors that a local user could use to gain root privileges by smashing on the X server in the right way....  If the X server runs as the local user, then all of those bugs become mostly moot (crash risk notwithstanding).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642843</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642537</id>
	<title>Any X/Windows Programmer Knows ....</title>
	<author>Anonymous</author>
	<datestamp>1247135040000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Any X/Windows Programmer Knows that the X/Server is on your desktop and the X/Client runs on the server. Duh. <a href="http://en.wikipedia.org/wiki/X_Window_System" title="wikipedia.org" rel="nofollow">http://en.wikipedia.org/wiki/X_Window_System</a> [wikipedia.org] has a nice diagram on the right hand page.</p><p>See, that $10k X/Windows class my previous, previous, previous employer paid for 15 years ago WAS useful.  Sadly, at the time, we elected to be cross platform and used XVT and Galaxy for development instead of X/Windows (Xlib, X/Motif, X/Intrinsics)</p><p>Anyone else remember the 1993 Jolt Winner Visix/Galaxy?  That GUI builder rocked!</p><p>Anyone wanna buy some "vintage" X/Windows programming manuals?  I have the complete set including 6a and 6b!</p></htmltext>
<tokenext>Any X/Windows Programmer Knows that the X/Server is on your desktop and the X/Client runs on the server .
Duh. http : //en.wikipedia.org/wiki/X \ _Window \ _System [ wikipedia.org ] has a nice diagram on the right hand page.See , that $ 10k X/Windows class my previous , previous , previous employer paid for 15 years ago WAS useful .
Sadly , at the time , we elected to be cross platform and used XVT and Galaxy for development instead of X/Windows ( Xlib , X/Motif , X/Intrinsics ) Anyone else remember the 1993 Jolt Winner Visix/Galaxy ?
That GUI builder rocked ! Anyone wan na buy some " vintage " X/Windows programming manuals ?
I have the complete set including 6a and 6b !</tokentext>
<sentencetext>Any X/Windows Programmer Knows that the X/Server is on your desktop and the X/Client runs on the server.
Duh. http://en.wikipedia.org/wiki/X_Window_System [wikipedia.org] has a nice diagram on the right hand page.See, that $10k X/Windows class my previous, previous, previous employer paid for 15 years ago WAS useful.
Sadly, at the time, we elected to be cross platform and used XVT and Galaxy for development instead of X/Windows (Xlib, X/Motif, X/Intrinsics)Anyone else remember the 1993 Jolt Winner Visix/Galaxy?
That GUI builder rocked!Anyone wanna buy some "vintage" X/Windows programming manuals?
I have the complete set including 6a and 6b!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643351</id>
	<title>Re:Remote X servers?</title>
	<author>stevied</author>
	<datestamp>1247138460000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>It's a truism: those who do not understand technology are destined to write clueless articles about it, apparently.*<br> <br>

Sorry, feeling particularly bitter and twisted this evening<nobr> <wbr></nobr>..<br> <br>


(* or get appointed CTO)</htmltext>
<tokenext>It 's a truism : those who do not understand technology are destined to write clueless articles about it , apparently .
* Sorry , feeling particularly bitter and twisted this evening . . ( * or get appointed CTO )</tokentext>
<sentencetext>It's a truism: those who do not understand technology are destined to write clueless articles about it, apparently.
* 

Sorry, feeling particularly bitter and twisted this evening .. 


(* or get appointed CTO)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644069</id>
	<title>Re:One of the shortcommings in security</title>
	<author>ls671</author>
	<datestamp>1247142000000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Yep, that's it I guess, changes to hardware management. I have been running Xvnc X server for years as a normal user since it doesn't need to talk to the hardware.</p></htmltext>
<tokenext>Yep , that 's it I guess , changes to hardware management .
I have been running Xvnc X server for years as a normal user since it does n't need to talk to the hardware .</tokentext>
<sentencetext>Yep, that's it I guess, changes to hardware management.
I have been running Xvnc X server for years as a normal user since it doesn't need to talk to the hardware.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642249</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28658547</id>
	<title>Re:Is this right ?</title>
	<author>multi io</author>
	<datestamp>1247306580000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>What's the third level of protection protecting you against?</p></div><p>You could set the permission bits of the graphics device such that only the "xserver" user can directly do the modeswitching and graphics/framebuffer manipulation stuff. This would prevent arbitrary user A from disrupting the display of user B (who is currently running an X session) by randomly resetting the mode of the graphics device. Even if the device were designed to exclusively grant access to the first user who opens it and lock out everyone else, you would still want that first user to be the dedicated "xserver" user rather than some arbitrary user who managed to come first in a multi-user installation.</p></div>
	</htmltext>
<tokenext>What 's the third level of protection protecting you against ? You could set the permission bits of the graphics device such that only the " xserver " user can directly do the modeswitching and graphics/framebuffer manipulation stuff .
This would prevent arbitrary user A from disrupting the display of user B ( who is currently running an X session ) by randomly resetting the mode of the graphics device .
Even if the device were designed to exclusively grant access to the first user who opens it and lock out everyone else , you would still want that first user to be the dedicated " xserver " user rather than some arbitrary user who managed to come first in a multi-user installation .</tokentext>
<sentencetext>What's the third level of protection protecting you against?You could set the permission bits of the graphics device such that only the "xserver" user can directly do the modeswitching and graphics/framebuffer manipulation stuff.
This would prevent arbitrary user A from disrupting the display of user B (who is currently running an X session) by randomly resetting the mode of the graphics device.
Even if the device were designed to exclusively grant access to the first user who opens it and lock out everyone else, you would still want that first user to be the dedicated "xserver" user rather than some arbitrary user who managed to come first in a multi-user installation.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643507</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642283</id>
	<title>Stupid</title>
	<author>jmorris42</author>
	<datestamp>1247134140000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>3</modscore>
	<htmltext><p>&gt; it seems like this could lead to an X-hosting renaissance of sorts,<br>&gt; since you wouldn't be risking the whole system just to open up a<br>&gt; specific user's account to remote X servers.</p><p>What a clueless statement.  Somebody doesn't understand how X works.  The server part that runs SUID root has never run on the app server.</p><p>What this does do is stop a random remote app getting to root on your workstation but any local exploit of the X server gets them your user account and that can cause a lot of mischief and only needs a different local root exploit to get the rest of the way to 0wn1ng your local desktop machine.</p></htmltext>
<tokenext>&gt; it seems like this could lead to an X-hosting renaissance of sorts , &gt; since you would n't be risking the whole system just to open up a &gt; specific user 's account to remote X servers.What a clueless statement .
Somebody does n't understand how X works .
The server part that runs SUID root has never run on the app server.What this does do is stop a random remote app getting to root on your workstation but any local exploit of the X server gets them your user account and that can cause a lot of mischief and only needs a different local root exploit to get the rest of the way to 0wn1ng your local desktop machine .</tokentext>
<sentencetext>&gt; it seems like this could lead to an X-hosting renaissance of sorts,&gt; since you wouldn't be risking the whole system just to open up a&gt; specific user's account to remote X servers.What a clueless statement.
Somebody doesn't understand how X works.
The server part that runs SUID root has never run on the app server.What this does do is stop a random remote app getting to root on your workstation but any local exploit of the X server gets them your user account and that can cause a lot of mischief and only needs a different local root exploit to get the rest of the way to 0wn1ng your local desktop machine.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647693</id>
	<title>Re:Poor understanding of X</title>
	<author>jonadab</author>
	<datestamp>1247228100000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>&gt; Why don't we force everyone who is already calling<br>&gt; this big enterprise hardware device a server to<br>&gt; also call it a client?<br><br>I don't think that was the thought process that went into it.<br><br>The problem is that the people working on X, including the people managing the project, were all programmers, and they were all thinking from the perspective of the code, rather than from the perspective of the user.  So when they asked themselves which system is providing services, and what services are being provided, they came up with answers like:  the system with the display hardware (something not all computers had back then) is providing a service, the service of displaying a window.<br><br>I agree that the X client/server terminology is backwards, from the perspective of the user.  But they didn't do it deliberately to be weird, obtuse, or annoying.  They just failed to stop and think about the end user who doesn't know or want to know anything about the internal design of the system.<br><br>Most of the people using X and the computers it ran on *were* programmers, so it's kind of understandable.  End users with no programming experience back then were mostly using eight-bit microcomputers with no networking stack (think: DOS 3.0), so such users didn't enter into the thinking too much.  It was another era.  X is a bit of a dinosaur, one of the oldest client/server things still in widespread use.</htmltext>
<tokenext>&gt; Why do n't we force everyone who is already calling &gt; this big enterprise hardware device a server to &gt; also call it a client ? I do n't think that was the thought process that went into it.The problem is that the people working on X , including the people managing the project , were all programmers , and they were all thinking from the perspective of the code , rather than from the perspective of the user .
So when they asked themselves which system is providing services , and what services are being provided , they came up with answers like : the system with the display hardware ( something not all computers had back then ) is providing a service , the service of displaying a window.I agree that the X client/server terminology is backwards , from the perspective of the user .
But they did n't do it deliberately to be weird , obtuse , or annoying .
They just failed to stop and think about the end user who does n't know or want to know anything about the internal design of the system.Most of the people using X and the computers it ran on * were * programmers , so it 's kind of understandable .
End users with no programming experience back then were mostly using eight-bit microcomputers with no networking stack ( think : DOS 3.0 ) , so such users did n't enter into the thinking too much .
It was another era .
X is a bit of a dinosaur , one of the oldest client/server things still in widespread use .</tokentext>
<sentencetext>&gt; Why don't we force everyone who is already calling&gt; this big enterprise hardware device a server to&gt; also call it a client?I don't think that was the thought process that went into it.The problem is that the people working on X, including the people managing the project, were all programmers, and they were all thinking from the perspective of the code, rather than from the perspective of the user.
So when they asked themselves which system is providing services, and what services are being provided, they came up with answers like:  the system with the display hardware (something not all computers had back then) is providing a service, the service of displaying a window.I agree that the X client/server terminology is backwards, from the perspective of the user.
But they didn't do it deliberately to be weird, obtuse, or annoying.
They just failed to stop and think about the end user who doesn't know or want to know anything about the internal design of the system.Most of the people using X and the computers it ran on *were* programmers, so it's kind of understandable.
End users with no programming experience back then were mostly using eight-bit microcomputers with no networking stack (think: DOS 3.0), so such users didn't enter into the thinking too much.
It was another era.
X is a bit of a dinosaur, one of the oldest client/server things still in widespread use.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643755</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643071</id>
	<title>What about the rest of X?</title>
	<author>Anonymous</author>
	<datestamp>1247137200000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Have they fixed the completely backwards and useless client-server architecture? No? Why the fuck not?</p><p>There is no need for an "X Server" to run at all if you can't disconnect a client from one and add it to another, multicast, etc. Basically, anything Screen can do, if X can't do, it's stupid.</p></htmltext>
<tokenext>Have they fixed the completely backwards and useless client-server architecture ?
No ? Why the fuck not ? There is no need for an " X Server " to run at all if you ca n't disconnect a client from one and add it to another , multicast , etc .
Basically , anything Screen can do , if X ca n't do , it 's stupid .</tokentext>
<sentencetext>Have they fixed the completely backwards and useless client-server architecture?
No? Why the fuck not?There is no need for an "X Server" to run at all if you can't disconnect a client from one and add it to another, multicast, etc.
Basically, anything Screen can do, if X can't do, it's stupid.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28645875</id>
	<title>Mac OS X does this too !</title>
	<author>Anonymous</author>
	<datestamp>1247159160000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Huh ?   I think Mac OS X does this too.<br>I just started an X-windows app on my Mac (10.5.7).<br>There are 3 X processes with sequential PIDs -- xinit, Xquartz, and X11.<br>All show the user as me, NOT root.</p></htmltext>
<tokenext>Huh ?
I think Mac OS X does this too.I just started an X-windows app on my Mac ( 10.5.7 ) .There are 3 X processes with sequential PIDs -- xinit , Xquartz , and X11.All show the user as me , NOT root .</tokentext>
<sentencetext>Huh ?
I think Mac OS X does this too.I just started an X-windows app on my Mac (10.5.7).There are 3 X processes with sequential PIDs -- xinit, Xquartz, and X11.All show the user as me, NOT root.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647601</id>
	<title>Re:Remote X servers?</title>
	<author>bostei2008</author>
	<datestamp>1247226540000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>There is one exotic usage I have sometimes, if you want to give someone (eg an IT support person) access to your machine.</p><p>Just set the DISPLAY to his local box and let e.g. a root xterm pop up on his box. That way you don't have to give him the root password.</p><p>(of course there is nothing secure about this, it is only convenience)</p></htmltext>
<tokenext>There is one exotic usage I have sometimes , if you want to give someone ( eg an IT support person ) access to your machine.Just set the DISPLAY to his local box and let e.g .
a root xterm pop up on his box .
That way you do n't have to give him the root password .
( of course there is nothing secure about this , it is only convenience )</tokentext>
<sentencetext>There is one exotic usage I have sometimes, if you want to give someone (eg an IT support person) access to your machine.Just set the DISPLAY to his local box and let e.g.
a root xterm pop up on his box.
That way you don't have to give him the root password.
(of course there is nothing secure about this, it is only convenience)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642129</id>
	<title>frost nixon</title>
	<author>Anonymous</author>
	<datestamp>1247133420000</datestamp>
	<modclass>Funny</modclass>
	<modscore>1</modscore>
	<htmltext><p>frost nixon</p></htmltext>
<tokenext>frost nixon</tokentext>
<sentencetext>frost nixon</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643445</id>
	<title>Re:IMHO</title>
	<author>Anonymous</author>
	<datestamp>1247138820000</datestamp>
	<modclass>Troll</modclass>
	<modscore>0</modscore>
	<htmltext>Yes, it's one of the things that happens when you elect an OpenBSD developer (Matthieu Herrb, who prototyped this two years ago) to the X.org steering committee.  Thank $DEITY it's not just Linux developers working on X.org.</htmltext>
<tokenext>Yes , it 's one of the things that happens when you elect an OpenBSD developer ( Matthieu Herrb , who prototyped this two years ago ) to the X.org steering committee .
Thank $ DEITY it 's not just Linux developers working on X.org .</tokentext>
<sentencetext>Yes, it's one of the things that happens when you elect an OpenBSD developer (Matthieu Herrb, who prototyped this two years ago) to the X.org steering committee.
Thank $DEITY it's not just Linux developers working on X.org.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642131</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28646093</id>
	<title>Re:Poor understanding of X</title>
	<author>Anonymous</author>
	<datestamp>1247162220000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>
For the way that X works it's correct.
</p><p>
But, X is the wrong way around, you should have a client running on the local machine that connects to the remote machine and provides it with a remote display. Like telnet or ssh or VNC or MS Remote desktop or Citrix seamless windows or "ssh -X"!
</p><p>
In fact X is the ONLY one that puts the server next to the display with the security implications inherent in that.</p></htmltext>
<tokenext>For the way that X works it 's correct .
But , X is the wrong way around , you should have a client running on the local machine that connects to the remote machine and provides it with a remote display .
Like telnet or ssh or VNC or MS Remote desktop or Citrix seamless windows or " ssh -X " !
In fact X is the ONLY one that puts the server next to the display with the security implications inherent in that .</tokentext>
<sentencetext>
For the way that X works it's correct.
But, X is the wrong way around, you should have a client running on the local machine that connects to the remote machine and provides it with a remote display.
Like telnet or ssh or VNC or MS Remote desktop or Citrix seamless windows or "ssh -X"!
In fact X is the ONLY one that puts the server next to the display with the security implications inherent in that.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642231</id>
	<title>X Hosting?</title>
	<author>Microlith</author>
	<datestamp>1247133900000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext><p>I'm not sure I grasp the concept of X Hosting, and how this non-SUID server would help that.</p><p>X is not required to be running on the remote system for X11 forwarding over SSH. Even running an Xvnc server doesn't require it to be SUID. This seems to be entirely a local security gain for users who will be interacting with local graphics hardware.</p></htmltext>
<tokenext>I 'm not sure I grasp the concept of X Hosting , and how this non-SUID server would help that.X is not required to be running on the remote system for X11 forwarding over SSH .
Even running an Xvnc server does n't require it to be SUID .
This seems to be entirely a local security gain for users who will be interacting with local graphics hardware .</tokentext>
<sentencetext>I'm not sure I grasp the concept of X Hosting, and how this non-SUID server would help that.X is not required to be running on the remote system for X11 forwarding over SSH.
Even running an Xvnc server doesn't require it to be SUID.
This seems to be entirely a local security gain for users who will be interacting with local graphics hardware.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643179</id>
	<title>Network drivers</title>
	<author>Chemisor</author>
	<datestamp>1247137740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Funny how somebody has to write network card drivers for every OS your browser runs on. It's a wonder why nobody has considered putting those drivers in the browser instead.</p></htmltext>
<tokenext>Funny how somebody has to write network card drivers for every OS your browser runs on .
It 's a wonder why nobody has considered putting those drivers in the browser instead .</tokentext>
<sentencetext>Funny how somebody has to write network card drivers for every OS your browser runs on.
It's a wonder why nobody has considered putting those drivers in the browser instead.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642883</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647567</id>
	<title>Why not take it one step further?</title>
	<author>Anonymous</author>
	<datestamp>1247225940000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>Since there was never any reason for the X server and the clients to need to use the same uid, why move the X server from root to the logged in user? It could as well be moved from root to a uid dedicated to the X server. Then you would get another level of separation, at essentially no price. (There is of course a caveat in case you have multiple X servers running at the same time, but that could be solved by allocating a uid per X server).<br> <br>

Does graphics mode switching inside the kernel mean that we can soon expect switching between VTs to work even if the X server is locked up? Or is the keyboard handling still going to prevent that? (Doing the switching from a remote login would work around the keyboard issue).</htmltext>
<tokenext>Since there was never any reason for the X server and the clients to need to use the same uid , why move the X server from root to the logged in user ?
It could as well be moved from root to a uid dedicated to the X server .
Then you would get another level of separation , at essentially no price .
( There is of course a caveat in case you have multiple X servers running at the same time , but that could be solved by allocating a uid per X server ) .
Does graphics mode switching inside the kernel mean that we can soon expect switching between VTs to work even if the X server is locked up ?
Or is the keyboard handling still going to prevent that ?
( Doing the switching from a remote login would work around the keyboard issue ) .</tokentext>
<sentencetext>Since there was never any reason for the X server and the clients to need to use the same uid, why move the X server from root to the logged in user?
It could as well be moved from root to a uid dedicated to the X server.
Then you would get another level of separation, at essentially no price.
(There is of course a caveat in case you have multiple X servers running at the same time, but that could be solved by allocating a uid per X server).
Does graphics mode switching inside the kernel mean that we can soon expect switching between VTs to work even if the X server is locked up?
Or is the keyboard handling still going to prevent that?
(Doing the switching from a remote login would work around the keyboard issue).</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643319</id>
	<title>Have you used Moblin?</title>
	<author>SlickSlacker</author>
	<datestamp>1247138280000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>5</modscore>
	<htmltext>I just loaded it on my Eee PC and it turns the machine into a kiosk. Very unappealing for anyone who actually wants to use their netbook.

It's very flashy and friendly if all you do is check your email and browse the web though.</htmltext>
<tokenext>I just loaded it on my Eee PC and it turns the machine into a kiosk .
Very unappealing for anyone who actually wants to use their netbook .
It 's very flashy and friendly if all you do is check your email and browse the web though .</tokentext>
<sentencetext>I just loaded it on my Eee PC and it turns the machine into a kiosk.
Very unappealing for anyone who actually wants to use their netbook.
It's very flashy and friendly if all you do is check your email and browse the web though.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642989</id>
	<title>Re:Remote X servers?</title>
	<author>fikx</author>
	<datestamp>1247136840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>you could conceivably have devices that use a common PC for their display, like a router whose config screen goes to the PC via X instead of a web app like today.... (pop-ups and such work much better this way than http). Or how about your TV or a video wall being a server for multiple apps? <br>
Not real compelling uses I know, but starting to think in the right direction if we don't have to worry about rooting the machine by playing with these ideas...</htmltext>
<tokenext>you could conceivably have devices that use a common PC for their display , like a router whose config screen goes to the PC via X instead of a web app like today.... ( pop-ups and such work much better this way than http ) .
Or how about your TV or a video wall being a server for multiple apps ?
Not real compelling uses I know , but starting to think in the right direction if we do n't have to worry about rooting the machine by playing with these ideas.. .</tokentext>
<sentencetext>you could conceivably have devices that use a common PC for their display, like a router whose config screen goes to the PC via X instead of a web app like today.... (pop-ups and such work much better this way than http).
Or how about your TV or a video wall being a server for multiple apps?
Not real compelling uses I know, but starting to think in the right direction if we don't have to worry about rooting the machine by playing with these ideas...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28645111</id>
	<title>Re:Have you used Moblin?</title>
	<author>jhfry</author>
	<datestamp>1247149500000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Since you have tried it, can you answer a couple of questions.</p><p>1 - can you open a shell/terminal window?<br>2 - can you create custom application launchers</p><p>If so, how is it so unappealing.  Perhaps you just need to customize it a little to make your needs more accessible.  If not, then you have saved me the effort of giving it a try.</p></htmltext>
<tokenext>Since you have tried it , can you answer a couple of questions.1 - can you open a shell/terminal window ? 2 - can you create custom application launchersIf so , how is it so unappealing .
Perhaps you just need to customize it a little to make your needs more accessible .
If not , then you have saved me the effort of giving it a try .</tokentext>
<sentencetext>Since you have tried it, can you answer a couple of questions.1 - can you open a shell/terminal window?2 - can you create custom application launchersIf so, how is it so unappealing.
Perhaps you just need to customize it a little to make your needs more accessible.
If not, then you have saved me the effort of giving it a try.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643319</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642227</id>
	<title>Confused article.</title>
	<author>Anonymous</author>
	<datestamp>1247133840000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p><div class="quote"><p>Linux's SUID X server problem has been kind of a "dirty little secret" for many years. Most modern distributions include a few crude workarounds, such as dimming the display and then freezing X whenever the user is asked to type in a root password. Getting rid of the SUID bit altogether ought to make netbooks powered by Moblin technology much more difficult to snoop on over the network.</p></div><p>This does not make sense. Graphical <tt>sudo</tt> wrappers have nothing to do with X being suid, and neither does anything to do with network traffic.</p><p><div class="quote"><p>It seems likely that with NRX technology, you could run X apps over a network with much less risk to the app server (the system that runs the "X client" component, in the backwards terminology of X).</p></div><p>This is actually backwards, the only place there's less risk is for the system that the X server is running on.</p></div>
	</htmltext>
<tokenext>Linux 's SUID X server problem has been kind of a " dirty little secret " for many years .
Most modern distributions include a few crude workarounds , such as dimming the display and then freezing X whenever the user is asked to type in a root password .
Getting rid of the SUID bit altogether ought to make netbooks powered by Moblin technology much more difficult to snoop on over the network.This does not make sense .
Graphical sudo wrappers have nothing to do with X being suid , and neither does anything to do with network traffic.It seems likely that with NRX technology , you could run X apps over a network with much less risk to the app server ( the system that runs the " X client " component , in the backwards terminology of X ) .This is actually backwards , the only place there 's less risk is for the system that the X server is running on .</tokentext>
<sentencetext>Linux's SUID X server problem has been kind of a "dirty little secret" for many years.
Most modern distributions include a few crude workarounds, such as dimming the display and then freezing X whenever the user is asked to type in a root password.
Getting rid of the SUID bit altogether ought to make netbooks powered by Moblin technology much more difficult to snoop on over the network.This does not make sense.
Graphical sudo wrappers have nothing to do with X being suid, and neither does anything to do with network traffic.It seems likely that with NRX technology, you could run X apps over a network with much less risk to the app server (the system that runs the "X client" component, in the backwards terminology of X).This is actually backwards, the only place there's less risk is for the system that the X server is running on.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647623</id>
	<title>Re:Poor understanding of X</title>
	<author>jonadab</author>
	<datestamp>1247226780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>&gt; What exactly is backwards about this? X<br>&gt; is the server, and the apps are clients.<br><br>It seems backwards because we usually think from a user's perspective.<br><br>The X terminology can be viewed as correct and forward, because the server is a system that provides services of some kind, and the client as the system where they are used.  With X, the terminology is set up the way it is based on the understanding that the server provides services not to the user, but to applications:  services like "show your UI to the user" and "get input from the user".<br><br>But we usually think not from the perspective of the application code, but from the perspective of the user, and so we usually think of a system that provides services to the *user* as the server, and the system where the user sits and uses them as the client.  Viewed that way, the remote system that provides applications that do stuff would seem to be the server, and the system where the user uses the services would seem to be the client.  That's how it works for an application server, for instance:  the apps run on the server, but you use them on the client, with the client's keyboard, mouse, and monitor.  A print server or file server is similar:  the printer driver or filesystem runs on the server, and it's used from the client when the user prints something or saves a file or whatever.  MS Terminal Server works this way also:  the apps run on the server, and the user connects from the client (via rdp).<br><br>With most client-server things, then, the terminology is user centric.  With X11, the terminology is application-centric.<br><br>So the reason X terminology feels backwards is because most people have an easier time identifying with the user than with the computer program that the user is using.</htmltext>
<tokenext>&gt; What exactly is backwards about this ?
X &gt; is the server , and the apps are clients.It seems backwards because we usually think from a user 's perspective.The X terminology can be viewed as correct and forward , because the server is a system that provides services of some kind , and the client as the system where they are used .
With X , the terminology is set up the way it is based on the understanding that the server provides services not to the user , but to applications : services like " show your UI to the user " and " get input from the user " .But we usually think not from the perspective of the application code , but from the perspective of the user , and so we usually think of a system that provides services to the * user * as the server , and the system where the user sits and uses them as the client .
Viewed that way , the remote system that provides applications that do stuff would seem to be the server , and the system where the user uses the services would seem to be the client .
That 's how it works for an application server , for instance : the apps run on the server , but you use them on the client , with the client 's keyboard , mouse , and monitor .
A print server or file server is similar : the printer driver or filesystem runs on the server , and it 's used from the client when the user prints something or saves a file or whatever .
MS Terminal Server works this way also : the apps run on the server , and the user connects from the client ( via rdp ) .With most client-server things , then , the terminology is user centric .
With X11 , the terminology is application-centric.So the reason X terminology feels backwards is because most people have an easier time identifying with the user than with the computer program that the user is using .</tokentext>
<sentencetext>&gt; What exactly is backwards about this?
X&gt; is the server, and the apps are clients.It seems backwards because we usually think from a user's perspective.The X terminology can be viewed as correct and forward, because the server is a system that provides services of some kind, and the client as the system where they are used.
With X, the terminology is set up the way it is based on the understanding that the server provides services not to the user, but to applications:  services like "show your UI to the user" and "get input from the user".But we usually think not from the perspective of the application code, but from the perspective of the user, and so we usually think of a system that provides services to the *user* as the server, and the system where the user sits and uses them as the client.
Viewed that way, the remote system that provides applications that do stuff would seem to be the server, and the system where the user uses the services would seem to be the client.
That's how it works for an application server, for instance:  the apps run on the server, but you use them on the client, with the client's keyboard, mouse, and monitor.
A print server or file server is similar:  the printer driver or filesystem runs on the server, and it's used from the client when the user prints something or saves a file or whatever.
MS Terminal Server works this way also:  the apps run on the server, and the user connects from the client (via rdp).With most client-server things, then, the terminology is user centric.
With X11, the terminology is application-centric.So the reason X terminology feels backwards is because most people have an easier time identifying with the user than with the computer program that the user is using.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642843</id>
	<title>Re:One of the shortcomings in security</title>
	<author>Hatta</author>
	<datestamp>1247136180000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>How big of a security problem was this?  I haven't seen a linux system with open ports for X in 10 years. Anyone who wants to use remote X just uses ssh -X, it's easier to set up than xhost anyway.</p></htmltext>
<tokenext>How big of a security problem was this ?
I have n't seen a linux system with open ports for X in 10 years .
Anyone who wants to use remote X just uses ssh -X , it 's easier to set up than xhost anyway .</tokentext>
<sentencetext>How big of a security problem was this?
I haven't seen a linux system with open ports for X in 10 years.
Anyone who wants to use remote X just uses ssh -X, it's easier to set up than xhost anyway.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642189</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644129</id>
	<title>Re:X Hosting?</title>
	<author>ls671</author>
	<datestamp>1247142360000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>&gt; This seems to be entirely a local security gain for users who will be interacting with local graphics hardware.</p><p>correct !!!</p></htmltext>
<tokenext>&gt; This seems to be entirely a local security gain for users who will be interacting with local graphics hardware.correct ! !
!</tokentext>
<sentencetext>&gt; This seems to be entirely a local security gain for users who will be interacting with local graphics hardware.correct !!
!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642231</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644709</id>
	<title>Re:Have you used Moblin?</title>
	<author>spikeb</author>
	<datestamp>1247146200000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>wish it ran on eee 701 models, perfect for that heh</htmltext>
<tokenext>wish it ran on eee 701 models , perfect for that heh</tokentext>
<sentencetext>wish it ran on eee 701 models, perfect for that heh</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643319</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642333</id>
	<title>Re:Remote X servers?</title>
	<author>Anonymous</author>
	<datestamp>1247134380000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Submitter was confused about the role of X server. For the uninformed, the X "server" runs locally on the computer, and remote "clients" (e.g. executables) run on the local server.</p></htmltext>
<tokenext>Submitter was confused about the role of X server .
For the uninformed , the X " server " runs locally on the computer , and remote " clients " ( e.g .
executables ) run on the local server .</tokentext>
<sentencetext>Submitter was confused about the role of X server.
For the uninformed, the X "server" runs locally on the computer, and remote "clients" (e.g.
executables) run on the local server.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28648983</id>
	<title>Re:Poor understanding of X</title>
	<author>Lord Bitman</author>
	<datestamp>1247237520000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Because in order for the Client-Server architecture to be useful, a user expects the X App to be a constantly-running server, to which a Display client can connect in order to view it. Display disconnections should be everyday events, not errors, and multiple display connections should be possible without ugly workarounds.</p><p>Think about it: The client (XApp) initiates the conversation with the server (Interface, including the Monitor, Mouse, and Keyboard). The server tells the client what to do, and the client sends replies (what to draw) back to the server. That's backwards.</p></htmltext>
<tokenext>Because in order for the Client-Server architecture to be useful , a user expects the X App to be a constantly-running server , to which a Display client can connect in order to view it .
Display disconnections should be everyday events , not errors , and multiple display connections should be possible without ugly workarounds.Think about it : The client ( XApp ) initiates the conversation with the server ( Interface , including the Monitor , Mouse , and Keyboard ) .
The server tells the client what to do , and the client sends replies ( what to draw ) back to the server .
That 's backwards .</tokentext>
<sentencetext>Because in order for the Client-Server architecture to be useful, a user expects the X App to be a constantly-running server, to which a Display client can connect in order to view it.
Display disconnections should be everyday events, not errors, and multiple display connections should be possible without ugly workarounds.Think about it: The client (XApp) initiates the conversation with the server (Interface, including the Monitor, Mouse, and Keyboard).
The server tells the client what to do, and the client sends replies (what to draw) back to the server.
That's backwards.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643317</id>
	<title>Re:Poor understanding of X</title>
	<author>stevied</author>
	<datestamp>1247138280000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>It's backwards to the vast majority of people who never used the network capabilities of X.<br> <br>

Sadly, even when you demonstrate it in these days of Terminal Services / Remote Desktop / VNC, people aren't impressed. The fact that it worked just as well 20 years ago (when it was in fact more use - you generally had a thinner, dumber X terminal, and a choice of minis / servers to do your computation on) passes them by ..</htmltext>
<tokenext>It 's backwards to the vast majority of people who never used the network capabilities of X . Sadly , even when you demonstrate it in these days of Terminal Services / Remote Desktop / VNC , people are n't impressed .
The fact that it worked just as well 20 years ago ( when it was in fact more use - you generally had a thinner , dumber X terminal , and a choice of minis / servers to do your computation on ) passes them by . .</tokentext>
<sentencetext>It's backwards to the vast majority of people who never used the network capabilities of X. 

Sadly, even when you demonstrate it in these days of Terminal Services / Remote Desktop / VNC, people aren't impressed.
The fact that it worked just as well 20 years ago (when it was in fact more use - you generally had a thinner, dumber X terminal, and a choice of minis / servers to do your computation on) passes them by ..</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642131</id>
	<title>IMHO</title>
	<author>rodgster</author>
	<datestamp>1247133420000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>This is something that is long overdue.</p></htmltext>
<tokenext>This is something that is long overdue .</tokentext>
<sentencetext>This is something that is long overdue.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644393</id>
	<title>Re:Poor understanding of X</title>
	<author>Anonymous</author>
	<datestamp>1247143680000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>All is clear if we understand what it is serving.  X is serving the display to your eyes.  Web-server is serving pages to your web-client/browser.</p></htmltext>
<tokenext>All is clear if we understand what it is serving .
X is serving the display to your eyes .
Web-server is serving pages to your web-client/browser .</tokentext>
<sentencetext>All is clear if we understand what it is serving.
X is serving the display to your eyes.
Web-server is serving pages to your web-client/browser.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647167</id>
	<title>Re:Stupid</title>
	<author>maxwell demon</author>
	<datestamp>1247219940000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>What this does do is stop a random remote app getting to root on your workstation but any local exploit of the X server gets them your user account and that can cause a lot of mischief and only needs a different local root exploit to get the rest of the way to 0wn1ng your local desktop machine.</p></div></blockquote><p>To <em>your</em> user account? I'd expect the non-root X server to usually run on <em>its own</em> user account.</p></div>
	</htmltext>
<tokenext>What this does do is stop a random remote app getting to root on your workstation but any local exploit of the X server gets them your user account and that can cause a lot of mischief and only needs a different local root exploit to get the rest of the way to 0wn1ng your local desktop machine.To your user account ?
I 'd expect the non-root X server to usually run on its own user account .</tokentext>
<sentencetext>What this does do is stop a random remote app getting to root on your workstation but any local exploit of the X server gets them your user account and that can cause a lot of mischief and only needs a different local root exploit to get the rest of the way to 0wn1ng your local desktop machine.To your user account?
I'd expect the non-root X server to usually run on its own user account.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642283</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642249</id>
	<title>Re:One of the shortcomings in security</title>
	<author>Timothy Brownawell</author>
	<datestamp>1247134020000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext><p><div class="quote"><p>Just got fixed by this. To be honest, I don't know how they've done it, but I know this is a good thing. This will make X and linux more secure and I can only applaud that.</p></div><p>I think what it basically boils down to is that instead of X talking to the hardware directly it now talks to a file under /dev/ just like everything else.</p></div>
	</htmltext>
<tokenext>Just got fixed by this .
To be honest , I do n't know how they 've done it , but I know this is a good thing .
This will make X and linux more secure and I can only applaud that.I think what it basically boils down to is that instead of X talking to the hardware directly it now talks to a file under /dev/ just like everything else .</tokentext>
<sentencetext>Just got fixed by this.
To be honest, I don't know how they've done it, but I know this is a good thing.
This will make X and linux more secure and I can only applaud that.I think what it basically boils down to is that instead of X talking to the hardware directly it now talks to a file under /dev/ just like everything else.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642189</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643055</id>
	<title>Re:Remote X servers?</title>
	<author>Anonymous</author>
	<datestamp>1247137140000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>remote clients run on the local server.</p></div><p>Well, you've got to admit that this IS a bit confusing...</p></div>
	</htmltext>
<tokenext>remote clients run on the local server.Well , you 've got to admit that this IS a bit confusing.. .</tokentext>
<sentencetext>remote clients run on the local server.Well, you've got to admit that this IS a bit confusing...
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642333</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644041</id>
	<title>Re:Have you used Moblin?</title>
	<author>Calithulu</author>
	<datestamp>1247141880000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I'll be doing this tonight. I want something light weight and easy to use for web browsing and email when guests come over or for when I travel.</htmltext>
<tokenext>I 'll be doing this tonight .
I want something light weight and easy to use for web browsing and email when guests come over or for when I travel .</tokentext>
<sentencetext>I'll be doing this tonight.
I want something light weight and easy to use for web browsing and email when guests come over or for when I travel.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643319</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642225</id>
	<title>Re:frost nixon</title>
	<author>Philip K Dickhead</author>
	<datestamp>1247133840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><a href="http://www.cs.unm.edu/~ameoba/2004-07-28-140732\_2048x768\_scrot.png" title="unm.edu" rel="nofollow">Xroaches</a> [unm.edu] just lost a lot of value.</p></htmltext>
<tokenext>Xroaches [ unm.edu ] just lost a lot of value .</tokentext>
<sentencetext>Xroaches [unm.edu] just lost a lot of value.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642129</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28650371</id>
	<title>The Really Cool Thing</title>
	<author>Anonymous</author>
	<datestamp>1247242920000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Besides the fact that it's just cleaner to have the X server running as non-root, this opens the door for some interesting experiments. Want to experiment with how responsibilities are distributed within the desktop environment? This is now easier than ever.</p><p>For example, what about a plugin system in the X server that allows you to run e.g. compositing and window manager in the server, thus eliminating a whole crapload of race condition headaches? Previously that would have been insanity, and it's still not clear that it's a very good idea. But now it's at least possible.</p></htmltext>
<tokenext>Besides the fact that it 's just cleaner to have the X server running as non-root , this opens the door for some interesting experiments .
Want to experiment with how responsibilities are distributed within the desktop environment ?
This is now easier than ever.For example , what about a plugin system in the X server that allows you to run e.g .
compositing and window manager in the server , thus eliminating a whole crapload of race condition headaches ?
Previously that would have been insanity , and it 's still not clear that it 's a very good idea .
But now it 's at least possible .</tokentext>
<sentencetext>Besides the fact that it's just cleaner to have the X server running as non-root, this opens the door for some interesting experiments.
Want to experiment with how responsibilities are distributed within the desktop environment?
This is now easier than ever.For example, what about a plugin system in the X server that allows you to run e.g.
compositing and window manager in the server, thus eliminating a whole crapload of race condition headaches?
Previously that would have been insanity, and it's still not clear that it's a very good idea.
But now it's at least possible.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643991</id>
	<title>Re:Remote X servers?</title>
	<author>not-my-real-name</author>
	<datestamp>1247141460000</datestamp>
	<modclass>None</modclass>
	<modscore>2</modscore>
	<htmltext><p>A remote X-server is what runs the video wall.  I can run the client program on my workstation and have it display on the wall.</p><p>Now, I just need to install the video wall in my underground lair.</p></htmltext>
<tokenext>A remote X-server is what runs the video wall .
I can run the client program on my workstation and have it display on the wall . Now , I just need to install the video wall in my underground lair .</tokentext>
<sentencetext>A remote X-server is what runs the video wall.
I can run the client program on my workstation and have it display on the wall. Now, I just need to install the video wall in my underground lair.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642765</id>
	<title>Been waiting for this</title>
	<author>Anonymous</author>
	<datestamp>1247135940000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>X is a large, cluttered and complex system that has no business running as root. It is good to see they finally managed to get away from that implementation, even if it adds a bit more complexity.</p></htmltext>
<tokenext>X is a large , cluttered and complex system that has no business running as root .
It is good to see they finally managed to get away from that implementation , even if it adds a bit more complexity .</tokentext>
<sentencetext>X is a large, cluttered and complex system that has no business running as root.
It is good to see they finally managed to get away from that implementation, even if it adds a bit more complexity.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644285</id>
	<title>Re:Two questions:</title>
	<author>Anonymous</author>
	<datestamp>1247143140000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><blockquote><div><p>2. If multiple users login, will each user get their own instance of X server? This seems like overkill...</p></div></blockquote><p>That's the way it works already.  And why would it be a problem.  Both X server processes will share the same (read-only) memory pages of program code.  The stuff they don't share is the data, which is different for different "desktops" anyway.  And users sharing a single instance of the x-server would be a security nightmare anyway.  I think it would be rather trivial to install an X-based keyboard monitoring application that would log keyboard activity for whomever was the active user.</p>
	</htmltext>
<tokenext>2 .
If multiple users login , will each user get their own instance of X server ?
This seems like overkill... That 's the way it works already .
And why would it be a problem .
Both X server processes will share the same ( read-only ) memory pages of program code .
The stuff they do n't share is the data , which is different for different " desktops " anyway .
And users sharing a single instance of the x-server would be a security nightmare anyway .
I think it would be rather trivial to install an X-based keyboard monitoring application that would log keyboard activity for whomever was the active user .</tokentext>
<sentencetext>2.
If multiple users login, will each user get their own instance of X server?
This seems like overkill... That's the way it works already.
And why would it be a problem.
Both X server processes will share the same (read-only) memory pages of program code.
The stuff they don't share is the data, which is different for different "desktops" anyway.
And users sharing a single instance of the x-server would be a security nightmare anyway.
I think it would be rather trivial to install an X-based keyboard monitoring application that would log keyboard activity for whomever was the active user.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642307</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643521</id>
	<title>Re:Poor understanding of X</title>
	<author>TheRaven64</author>
	<datestamp>1247139120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>It's backwards because the client applications run on the server, and the server runs on the client machine.</htmltext>
<tokenext>It 's backwards because the client applications run on the server , and the server runs on the client machine .</tokentext>
<sentencetext>It's backwards because the client applications run on the server, and the server runs on the client machine.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644185</id>
	<title>Re:Correct me if im wrong</title>
	<author>ls671</author>
	<datestamp>1247142660000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>&gt; But running apps remotely and having them display on a local X server _NEVER_ required root access of any kind on the remote server....</p><p>Entirely correct, the X server is the component talking to the video card.</p></htmltext>
<tokenext>&gt; But running apps remotely and having them display on a local X server _NEVER_ required root access of any kind on the remote server.... Entirely correct , the X server is the component talking to the video card .</tokentext>
<sentencetext>&gt; But running apps remotely and having them display on a local X server _NEVER_ required root access of any kind on the remote server.... Entirely correct, the X server is the component talking to the video card.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642235</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643857</id>
	<title>Re:Poor understanding of X   OT/Reversibles?</title>
	<author>davidsyes</author>
	<datestamp>1247140740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Technically off-topic, but to use the one of words as is, and another replaced by its analog...</p><p>&gt;"The client tells the server what to do."</p><p>Imagine if history were revised such that "The SLAVE tells the MASTER what to do.", without reversing the definition of "master" and "servant" (well, unless it's done by Depeche Mode...). The world would be farther along, maybe.</p></htmltext>
<tokenext>Technically off-topic , but to use the one of words as is , and another replaced by its analog... &gt; " The client tells the server what to do .
" Imagine if history were revised such that " The SLAVE tells the MASTER what to do .
" , without reversing the definition of " master " and " servant " ( well , unless it 's done by Depeche Mode... ) .
The world would be farther along , maybe .</tokentext>
<sentencetext>Technically off-topic, but to use the one of words as is, and another replaced by its analog...&gt;"The client tells the server what to do.
"Imagine if history were revised such that "The SLAVE tells the MASTER what to do.
", without reversing the definition of "master" and "servant" (well, unless it's done by Depeche Mode...).
The world would be farther along, maybe.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647527</id>
	<title>Re:Not exactly innovative.</title>
	<author>kasperd</author>
	<datestamp>1247225160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>On MacOS X, the X server also runs as the logged-in user.</p></div></blockquote><p>That isn't really a valid comparison, since Mac OS X doesn't run X natively. You can run an X server as an application, but that X server doesn't drive any hardware, it is just yet another application using the Mac OS X graphics system (which is otherwise incompatible with all other operating systems known to me). It's just like running an X server on Windows or Xnest on something else (I think Xnest is able to make a few shortcuts because it happens to be implementing X on top of X, but it still doesn't need special privileges since it isn't controlling the hardware itself).</p>
	</htmltext>
<tokenext>On MacOS X , the X server also runs as the logged-in user . That is n't really a valid comparison , since Mac OS X does n't run X natively .
You can run an X server as an application , but that X server does n't drive any hardware , it is just yet another application using the Mac OS X graphics system ( which is otherwise incompatible with all other operating systems known to me ) .
It 's just like running an X server on Windows or Xnest on something else ( I think Xnest is able to make a few shortcuts because it happens to be implementing X on top of X , but it still does n't need special privileges since it is n't controlling the hardware itself ) .</tokentext>
<sentencetext>On MacOS X, the X server also runs as the logged-in user. That isn't really a valid comparison, since Mac OS X doesn't run X natively.
You can run an X server as an application, but that X server doesn't drive any hardware, it is just yet another application using the Mac OS X graphics system (which is otherwise incompatible with all other operating systems known to me).
It's just like running an X server on Windows or Xnest on something else (I think Xnest is able to make a few shortcuts because it happens to be implementing X on top of X, but it still doesn't need special privileges since it isn't controlling the hardware itself).
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28645657</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289</id>
	<title>Remote X servers?</title>
	<author>Anonymous</author>
	<datestamp>1247134140000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>3</modscore>
	<htmltext>I am a bit confused by the submitter's comment about remote X servers.  I understand the appeal of remote X clients: I can, e.g., log into a big fast machine and run MATLAB (the X client) there while interacting with the window on my less-powerful laptop (which runs the X server).  But what's the point of a remote X server?  Why would anyone want to run an X server (software sense of 'server') on a server (hardware sense of 'server')?</htmltext>
<tokenext>I am a bit confused by the submitter 's comment about remote X servers .
I understand the appeal of remote X clients : I can , e.g. , log into a big fast machine and run MATLAB ( the X client ) there while interacting with the window on my less-powerful laptop ( which runs the X server ) .
But what 's the point of a remote X server ?
Why would anyone want to run an X server ( software sense of 'server ' ) on a server ( hardware sense of 'server ' ) ?</tokentext>
<sentencetext>I am a bit confused by the submitter's comment about remote X servers.
I understand the appeal of remote X clients: I can, e.g., log into a big fast machine and run MATLAB (the X client) there while interacting with the window on my less-powerful laptop (which runs the X server).
But what's the point of a remote X server?
Why would anyone want to run an X server (software sense of 'server') on a server (hardware sense of 'server')?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28663469</id>
	<title>Re:Remote X servers?</title>
	<author>Anonymous</author>
	<datestamp>1247308740000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>google LTSP</p><p>cheers</p></htmltext>
<tokenext>google LTSP cheers</tokentext>
<sentencetext>google LTSP cheers</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28645569</id>
	<title>Re:Graphics drivers</title>
	<author>bXTr</author>
	<datestamp>1247153700000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>That would be great if you're running Linux, but not *BSD or *nix. People seem to forget that X is not a Linux-only application.</htmltext>
<tokenext>That would be great if you 're running Linux , but not * BSD or * nix .
People seem to forget that X is not a Linux-only application .</tokentext>
<sentencetext>That would be great if you're running Linux, but not *BSD or *nix.
People seem to forget that X is not a Linux-only application.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642433</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642433</id>
	<title>Graphics drivers</title>
	<author>Anonymous</author>
	<datestamp>1247134740000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>If graphics drivers were implemented in the kernel instead of the X server, this problem wouldn't have existed in the first place.</p></htmltext>
<tokenext>If graphics drivers were implemented in the kernel instead of the X server , this problem would n't have existed in the first place .</tokentext>
<sentencetext>If graphics drivers were implemented in the kernel instead of the X server, this problem wouldn't have existed in the first place.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642587</id>
	<title>Re:Remote X servers?</title>
	<author>j_sp_r</author>
	<datestamp>1247135220000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>You don't need X for Matlab. The interface isn't that good.</p></htmltext>
<tokenext>You do n't need X for Matlab .
The interface is n't that good .</tokentext>
<sentencetext>You don't need X for Matlab.
The interface isn't that good.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28682829</id>
	<title>Re:One of the shortcommings in security</title>
	<author>Rich0</author>
	<datestamp>1247480460000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>It sounds like this isn't quite just like everything else - the kernel is at least providing some non-root access to hardware, but it isn't abstracting the hardware at all.</p><p>Suppose that in order to play a sound you couldn't just send wav data to /dev/dsp or whatever, but instead you had to open the device, send it a command to create a memory buffer, send data to the buffer (in the right format for your make/model sound interface), send a bunch of IO commands to the sound card (including port number and data details), and set up a pointer to your own interrupt handler that you pass to the device so that you can keep the buffer alive.  Sure, it might work without root, but basically all you have is the kernel passing through raw device IO and not actually providing any kind of driver.</p></htmltext>
<tokenext>It sounds like this is n't quite just like everything else - the kernel is at least providing some non-root access to hardware , but it is n't abstracting the hardware at all . Suppose that in order to play a sound you could n't just send wav data to /dev/dsp or whatever , but instead you had to open the device , send it a command to create a memory buffer , send data to the buffer ( in the right format for your make/model sound interface ) , send a bunch of IO commands to the sound card ( including port number and data details ) , and set up a pointer to your own interrupt handler that you pass to the device so that you can keep the buffer alive .
Sure , it might work without root , but basically all you have is the kernel passing through raw device IO and not actually providing any kind of driver .</tokentext>
<sentencetext>It sounds like this isn't quite just like everything else - the kernel is at least providing some non-root access to hardware, but it isn't abstracting the hardware at all. Suppose that in order to play a sound you couldn't just send wav data to /dev/dsp or whatever, but instead you had to open the device, send it a command to create a memory buffer, send data to the buffer (in the right format for your make/model sound interface), send a bunch of IO commands to the sound card (including port number and data details), and set up a pointer to your own interrupt handler that you pass to the device so that you can keep the buffer alive.
Sure, it might work without root, but basically all you have is the kernel passing through raw device IO and not actually providing any kind of driver.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642249</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643567</id>
	<title>Re:Is this right ?</title>
	<author>kelnos</author>
	<datestamp>1247139360000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><div class="quote"><p>I am not sure that this is the right solution. Not running it as root is good, but running it as me - I don't know. I'd rather that the user that runneth the X server is some sort of 'xserver' user - to whose process I connect. That 'xserver' user then has the right to push my screen into VGA mode and all that.</p></div><p>As another poster mentioned, this makes multi-user X a bit more difficult.  What's the issue of having your user ID doing all this?  If you're allowed to log into the console, then you're presumably allowed to run X (or not; you can still lock down the machine so particular users can't run X or access the graphics hardware).  If you can run X, you can talk to the graphics hardware.  Note that this doesn't give you carte-blanche to fiddle with the graphics card's registers to try to make the machine crash: you only get certain actions as provided by the DRI interface.</p><div class="quote"><p>Also, this doesn't fix all those other services (that gnome has, for example) that allow my X programs to mount stuff etc. Which is, again, a security risk by itself.</p></div><p>No, you just don't understand how it works.  X apps do not mount things.  HAL (or, soon, DeviceKit-disks) mounts things on behalf of authenticated requests from X apps (or console apps, even).  HAL/DeviceKit are system daemons that have no GUI.  Frameworks like PolicyKit and ConsoleKit ensure that you aren't mounting or unmounting things you shouldn't be.</p>
	</htmltext>
<tokenext>I am not sure that this is the right solution .
Not running it as root is good , but running it as me - I do n't know .
I 'd rather that the user that runneth the X server is some sort of 'xserver ' user - to whose process I connect .
That 'xserver ' user then has the right to push my screen into VGA mode and all that . As another poster mentioned , this makes multi-user X a bit more difficult .
What 's the issue of having your user ID doing all this ?
If you 're allowed to log into the console , then you 're presumably allowed to run X ( or not ; you can still lock down the machine so particular users ca n't run X or access the graphics hardware ) .
If you can run X , you can talk to the graphics hardware .
Note that this does n't give you carte-blanche to fiddle with the graphics card 's registers to try to make the machine crash : you only get certain actions as provided by the DRI interface . Also , this does n't fix all those other services ( that gnome has , for example ) that allow my X programs to mount stuff etc .
Which is , again , a security risk by itself . No , you just do n't understand how it works .
X apps do not mount things .
HAL ( or , soon , DeviceKit-disks ) mounts things on behalf of authenticated requests from X apps ( or console apps , even ) .
HAL/DeviceKit are system daemons that have no GUI .
Frameworks like PolicyKit and ConsoleKit ensure that you are n't mounting or unmounting things you should n't be .</tokentext>
<sentencetext>I am not sure that this is the right solution.
Not running it as root is good, but running it as me - I don't know.
I'd rather that the user that runneth the X server is some sort of 'xserver' user - to whose process I connect.
That 'xserver' user then has the right to push my screen into VGA mode and all that. As another poster mentioned, this makes multi-user X a bit more difficult.
What's the issue of having your user ID doing all this?
If you're allowed to log into the console, then you're presumably allowed to run X (or not; you can still lock down the machine so particular users can't run X or access the graphics hardware).
If you can run X, you can talk to the graphics hardware.
Note that this doesn't give you carte-blanche to fiddle with the graphics card's registers to try to make the machine crash: you only get certain actions as provided by the DRI interface. Also, this doesn't fix all those other services (that gnome has, for example) that allow my X programs to mount stuff etc.
Which is, again, a security risk by itself. No, you just don't understand how it works.
X apps do not mount things.
HAL (or, soon, DeviceKit-disks) mounts things on behalf of authenticated requests from X apps (or console apps, even).
HAL/DeviceKit are system daemons that have no GUI.
Frameworks like PolicyKit and ConsoleKit ensure that you aren't mounting or unmounting things you shouldn't be.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642641</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643507</id>
	<title>Re:Is this right ?</title>
	<author>stevied</author>
	<datestamp>1247139060000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I don't see the problem, to be honest. The toolkit libraries of your apps (by definition running as you) turn requests for widgets into drawing primitives and pixels that need setting in a framebuffer. The X server draws them / sets them. What's the third level of protection protecting you against? Processes' memory contents are already protected against each other, the worst the X server might be tricked into doing is reporting the window or clipboard contents of one app to another, which is usually something you want it to be able to do anyway.<br> <br>

There's a possible argument for being able to mark certain X clients as "sandboxed" in the X server, but running the X server as a separate user isn't going to help in that situation - just introduce more complexity.</htmltext>
<tokenext>I do n't see the problem , to be honest .
The toolkit libraries of your apps ( by definition running as you ) turn requests for widgets into drawing primitives and pixels that need setting in a framebuffer .
The X server draws them / sets them .
What 's the third level of protection protecting you against ?
Processes ' memory contents are already protected against each other , the worst the X server might be tricked into doing is reporting the window or clipboard contents of one app to another , which is usually something you want it to be able to do anyway .
There 's a possible argument for being able to mark certain X clients as " sandboxed " in the X server , but running the X server as a separate user is n't going to help in that situation - just introduce more complexity .</tokentext>
<sentencetext>I don't see the problem, to be honest.
The toolkit libraries of your apps (by definition running as you) turn requests for widgets into drawing primitives and pixels that need setting in a framebuffer.
The X server draws them / sets them.
What's the third level of protection protecting you against?
Processes' memory contents are already protected against each other, the worst the X server might be tricked into doing is reporting the window or clipboard contents of one app to another, which is usually something you want it to be able to do anyway.
There's a possible argument for being able to mark certain X clients as "sandboxed" in the X server, but running the X server as a separate user isn't going to help in that situation - just introduce more complexity.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642641</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642689</id>
	<title>Re:Remote X servers?</title>
	<author>nine-times</author>
	<datestamp>1247135640000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I doubt I know enough to answer your question, but your question itself confuses me.  You understand why someone would want to run "remote X clients", but you don't understand why someone would want to run "remote X servers".  If you don't have a server, then who is the client connecting to?</p></htmltext>
<tokenext>I doubt I know enough to answer your question , but your question itself confuses me .
You understand why someone would want to run " remote X clients " , but you do n't understand why someone would want to run " remote X servers " .
If you do n't have a server , then who is the client connecting to ?</tokentext>
<sentencetext>I doubt I know enough to answer your question, but your question itself confuses me.
You understand why someone would want to run "remote X clients", but you don't understand why someone would want to run "remote X servers".
If you don't have a server, then who is the client connecting to?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28648177</id>
	<title>Re:Two questions:</title>
	<author>zippthorne</author>
	<datestamp>1247232960000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Security will always require a replication of effort beyond the otherwise economically efficient level.  But the cost buys you peace-of-mind, so it's still worth it.  And may be partly mitigated by copy-on-write.</p><p>Also, there's no reason that the login has to be a terminal.  It could just run as nobody.</p></htmltext>
<tokenext>Security will always require a replication of effort beyond the otherwise economically efficient level .
But the cost buys you peace-of-mind , so it 's still worth it .
And may be partly mitigated by copy-on-write . Also , there 's no reason that the login has to be a terminal .
It could just run as nobody .</tokentext>
<sentencetext>Security will always require a replication of effort beyond the otherwise economically efficient level.
But the cost buys you peace-of-mind, so it's still worth it.
And may be partly mitigated by copy-on-write. Also, there's no reason that the login has to be a terminal.
It could just run as nobody.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642307</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643341</id>
	<title>SELinux</title>
	<author>FranTaylor</author>
	<datestamp>1247138400000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Except on any decent Linux distribution, the X server is running inside SELinux and is really not capable of doing much at all.</p></htmltext>
<tokenext>Except on any decent Linux distribution , the X server is running inside SELinux and is really not capable of doing much at all .</tokentext>
<sentencetext>Except on any decent Linux distribution, the X server is running inside SELinux and is really not capable of doing much at all.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642283</parent>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642225
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642129
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_26</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28648177
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642307
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642689
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28656323
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642235
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_20</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643245
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642843
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642189
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642537
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643351
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28645111
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643319
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_37</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643857
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28682829
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642249
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642189
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_29</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643317
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_32</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647601
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647739
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642843
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642189
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644155
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_24</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647095
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643521
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_27</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28645569
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642433
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_30</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28658547
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643507
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642641
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28654275
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643755
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28663469
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28646093
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_22</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28645371
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643567
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642641
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643499
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642883
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642433
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_36</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644285
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642307
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643445
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642131
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644709
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643319
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_39</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642989
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647693
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643755
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_38</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644041
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643319
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643341
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642283
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_41</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644129
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642231
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_35</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28648983
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642587
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_34</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644069
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642249
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642189
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_25</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643179
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642883
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642433
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_40</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647623
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647527
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28645657
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_28</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647167
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642283
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_31</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644393
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_33</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644185
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642235
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643991
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_21</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643055
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642333
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_09_2050226_23</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28652419
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642641
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642289
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642989
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647601
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643991
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642333
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643055
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644155
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643351
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28663469
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642689
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642587
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642235
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28656323
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644185
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642283
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647167
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643341
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642307
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644285
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28648177
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642765
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642641
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643567
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28645371
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643507
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28658547
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28652419
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643319
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644041
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644709
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28645111
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642433
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28645569
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642883
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643499
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643179
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643071
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642189
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642249
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644069
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28682829
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642843
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643245
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647739
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28645657
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647527
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642231
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644129
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642227
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647567
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642129
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642225
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642245
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643755
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647693
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28654275
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643857
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643521
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647095
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28646093
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642537
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643317
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28647623
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28644393
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28648983
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_09_2050226.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28642131
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_09_2050226.28643445
</commentlist>
</conversation>
