On 2009-11-17 05:51, Alan W. Irwin wrote:
> On 2009-11-16 20:29-0500 David A. Ventimiglia wrote:
> 
>> Hi Alan,
>>
>> Thanks for the reply.  I'm sorry, but I don't really understand X
>> Windows security or the lack thereof, so I'll have to spend some time
>> grokking this xhost business.  :)  In any event, it sounds like what
>> you're saying is that this error is not a problem with Tcl, Tk, or
>> PLplot, but rather a legitimate security hole that is either uncommon or
>> doesn't exist at all on other Linux distros, but evidently does exist in
>> Ubuntu Karmic Koala (at least, it does on my machine...I wonder what
>> would happen if I'd done a clean install instead of an upgrade from
>> Jaunty Jaguar).  Is that correct?  In that case, I suppose my queries
>> should be redirected at the Ubuntu maintainers.  :)
> 
> Yes, and yes.  :-)
> 

I can add some further information on the issue (from the man page of
the Tcl/Tk send command):

The send command is potentially a serious security loophole. On Unix, 
any application that can connect to your X server can send scripts to 
your applications. These incoming scripts can use Tcl to read and write 
your files and invoke subprocesses under your name. Host-based access 
control such as that provided by xhost is particularly insecure, since 
it allows anyone with an account on particular hosts to connect to your 
server, and if disabled it allows anyone anywhere to connect to your 
server. In order to provide at least a small amount of security, Tk 
checks the access control being used by the server and rejects incoming 
sends unless (a) xhost-style access control is enabled (i.e. only 
certain hosts can establish connections) and (b) the list of enabled 
hosts is empty. This means that applications cannot connect to your 
server unless they use some other form of authorization such as that 
provided by xauth. Under Windows, send is currently disabled. Most of the 
functionality is provided by the dde command instead.

IIRC, Tcl/Tk can be compiled with a flag that turns off this security 
check, but I do not think that is a wise thing to do.

Regards,

Arjen
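The rule quoted above is mechanical enough to check from the shell before starting a Tk application: read what `xhost` reports and see whether the display satisfies both (a) access control enabled and (b) no hosts in the list. The script below is an added example for this thread, not code from PLplot, Tk or the man page. It encodes the rule as the man page states it (Tk's own check lives in tkUnixSend.c and is not reproduced, so confirm against the Tk build you actually have), and it works on a listing passed in as text, so it can be run offline on the constructed samples included here. The two status messages are the ones `xhost` itself prints; the host entries, the user name `dave`, and the function names are invented for the example. The fix-up function only prints `xhost` commands, it does not run them.

```shell
#!/bin/sh
# Added example for this thread; not code from PLplot, Tk or the man page.
# Applies the rule Tk's send command is documented to use on Unix to the
# text `xhost` prints: incoming sends are accepted only if (a) X access
# control is enabled and (b) the list of enabled hosts is empty.  Tk's own
# check (tkUnixSend.c) is not reproduced; verify against your Tk build.

# xhost_hosts LISTING
#   Print the entries that follow the status line, one per line.
xhost_hosts() {
    printf '%s\n' "$1" | sed -n '2,$p' | sed '/^[[:space:]]*$/d'
}

# tk_send_allowed LISTING
#   LISTING is the text `xhost` prints.  Return 0 when (a) and (b) both
#   hold, 1 when Tk would reject sends, 2 when the text is not recognised.
#   The reason is printed on stdout.
tk_send_allowed() {
    status_line=$(printf '%s\n' "$1" | sed -n '1p')
    entries=$(xhost_hosts "$1")
    case $status_line in
        "access control enabled"*)
            if [ -z "$entries" ]; then
                echo "ok: access control enabled and no hosts authorised"
                return 0
            fi
            echo "insecure: access control enabled but hosts are authorised:"
            printf '%s\n' "$entries" | sed 's/^/  /'
            return 1
            ;;
        "access control disabled"*)
            echo "insecure: access control disabled, any X client may connect"
            return 1
            ;;
        *)
            echo "unrecognised xhost output: $status_line"
            return 2
            ;;
    esac
}

# xhost_fix_commands LISTING
#   Print the xhost commands that would bring LISTING to state (a)+(b):
#   `xhost -` re-enables access control, `xhost -ENTRY` removes an entry.
#   Nothing is executed; review the output before running it.
xhost_fix_commands() {
    status_line=$(printf '%s\n' "$1" | sed -n '1p')
    case $status_line in
        "access control disabled"*) echo 'xhost -' ;;
    esac
    xhost_hosts "$1" | while IFS= read -r entry; do
        echo "xhost -$entry"
    done
}

# Constructed sample listings.  The status messages are the ones xhost
# prints; the host entries and the user name are made up for this example.
SECURE_LISTING='access control enabled, only authorized clients can connect'
LOCALUSER_LISTING='access control enabled, only authorized clients can connect
SI:localuser:dave'
DISABLED_LISTING='access control disabled, clients can connect from any host
INET:localhost'

for listing in "$SECURE_LISTING" "$LOCALUSER_LISTING" "$DISABLED_LISTING"; do
    echo "--- xhost output:"
    printf '%s\n' "$listing"
    if tk_send_allowed "$listing"; then
        :
    else
        echo "commands to satisfy Tk:"
        xhost_fix_commands "$listing" | sed 's/^/  /'
    fi
done
```

On a live display, `tk_send_allowed "$(xhost)"` gives the same verdict Tk's "X server insecure" check would under the man page's rule. Removing a pre-authorised entry with `xhost -ENTRY` makes Tk happy, but it also revokes that entry's access to the display; clients that relied on it must then authenticate through xauth (the MIT-MAGIC-COOKIE in ~/.Xauthority), which is exactly the "other form of authorization" the man page recommends.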

_______________________________________________
Plplot-general mailing list
Plplot-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/plplot-general
