Hi Andrew,

this problem was recently fixed: see the bug report at
https://sourceforge.net/tracker/index.php?func=detail&aid=1909931&group_id=12997&atid=112997

It seems to require some cooperation from the X server as well.

Regards,

Arjen

On 2009-11-17 10:36, Andrew Ross wrote:
> On Tue, Nov 17, 2009 at 08:54:09AM +0100, Arjen Markus wrote:
>>
>> On 2009-11-17 05:51, Alan W. Irwin wrote:
>>> On 2009-11-16 20:29-0500 David A. Ventimiglia wrote:
>>>
>>>> Hi Alan,
>>>>
>>>> Thanks for the reply. I'm sorry, but I don't really understand X
>>>> Windows security or the lack thereof, so I'll have to spend some time
>>>> grokking this xhost business. :) In any event, it sounds like what
>>>> you're saying is that this error is not a problem with Tcl, Tk, or
>>>> PLplot, but rather a legitimate security hole that is either uncommon or
>>>> doesn't exist at all on other Linux distros, but evidently does exist in
>>>> Ubuntu Karmic Koala (at least, it does on my machine... I wonder what
>>>> would happen if I'd done a clean install instead of an upgrade from
>>>> Jaunty Jaguar). Is that correct? In that case, I suppose my queries
>>>> should be redirected at the Ubuntu maintainers. :)
>>> Yes, and yes. :-)
>>>
>> I can add some further information on the issue (from the man page of
>> the Tcl/Tk send command):
>>
>> The send command is potentially a serious security loophole. On Unix,
>> any application that can connect to your X server can send scripts to
>> your applications. These incoming scripts can use Tcl to read and write
>> your files and invoke subprocesses under your name. Host-based access
>> control such as that provided by xhost is particularly insecure, since
>> it allows anyone with an account on particular hosts to connect to your
>> server, and if disabled it allows anyone anywhere to connect to your
>> server. In order to provide at least a small amount of security, Tk
>> checks the access control being used by the server and rejects incoming
>> sends unless (a) xhost-style access control is enabled (i.e. only
>> certain hosts can establish connections) and (b) the list of enabled
>> hosts is empty. This means that applications cannot connect to your
>> server unless they use some other form of authorization such as that
>> provided by xauth. Under Windows, send is currently disabled. Most of the
>> functionality is provided by the dde command instead.
>>
>> IIRC, Tcl/Tk can be compiled with a flag that turns off this security
>> check, but I do not think that is a wise thing to do.
>
> Just to comment further, this issue has been around with Ubuntu (maybe also
> Debian?) for a while. It is not a security issue. The default Ubuntu setup
> has xhost +SI:localuser:<username>, where username is the user logged on.
> This allows the local user to display on the server - in particular it means
> that X programs started via sudo will correctly display. You can disable
> this, but then things like the package manager which need to run as root
> won't work. I don't think this particular use of xhost is a security issue,
> but tk is not that discriminating. The best course is probably to file a
> bug against the tk package in Ubuntu. By default you would expect it to
> work... The best solution would be a patch to tcl / tk to allow the localuser
> case.
>
> Regards
>
> Andrew
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Plplot-general mailing list
> Plplot-general@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/plplot-general
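An audit helper written for this thread (not code from Tk, PLplot or anyone in the discussion) that parses the text `xhost` prints and applies the acceptance rule from the Tk man page quoted above, while recognising the Ubuntu `SI:localuser:<user>` default Andrew describes; the `xhost` output samples are constructed and the user name `andrew` is a placeholder.

```python
"""Check X host-based access control the way Tk's `send` does.
Added example, not code from Tk, PLplot or anyone in the thread. Parses the
text `xhost` prints (header line, then one authorised host/identity per line)
and applies the man-page rule: send works only if control is enabled and the
list is empty. Also flags Ubuntu's default SI:localuser:<user> entry.
"""
import subprocess
from dataclasses import dataclass, field

@dataclass
class XAccess:
    enabled: bool                                # header says "enabled"
    entries: list = field(default_factory=list)  # authorised hosts/identities

def parse_xhost(text: str) -> XAccess:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty xhost output")
    head = lines[0].lower()
    if head.startswith("access control enabled"):
        return XAccess(True, lines[1:])
    if head.startswith("access control disabled"):
        return XAccess(False, lines[1:])
    raise ValueError(f"unrecognised xhost header: {lines[0]!r}")

def tk_send_allowed(acc: XAccess) -> bool:
    """Tk's rule: xhost-style control on AND no hosts enabled."""
    return acc.enabled and not acc.entries

def classify(acc: XAccess) -> str:
    """Verdict string; the word before the colon is a stable tag."""
    if not acc.enabled:
        return "open: anyone who can reach the X server may connect"
    if not acc.entries:
        return "strict: only xauth-style clients connect; Tk send works"
    if all(e.startswith("SI:localuser:") for e in acc.entries):
        return "localuser: Ubuntu default, local user only; Tk still rejects send"
    return "hostbased: listed hosts may connect; Tk rejects send"

def audit_live() -> str:
    """Run the real `xhost` on this machine (needs a DISPLAY)."""
    out = subprocess.run(["xhost"], capture_output=True, text=True, check=True).stdout
    return classify(parse_xhost(out))

# Constructed sample outputs; "andrew" is a placeholder user name.
UBUNTU_DEFAULT = "access control enabled, only authorized clients can connect\nSI:localuser:andrew\n"
STRICT = "access control enabled, only authorized clients can connect\n"
DISABLED = "access control disabled, clients can connect from any host\n"
```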