Hi Arjen,

That's good to know, if a little late for the current distributions. Ubuntu have just had a release.

Andrew

On Tue, Nov 17, 2009 at 03:23:59PM +0100, Arjen Markus wrote:
> Hi Andrew,
>
> this problem was recently fixed:
> see the bug report at
> https://sourceforge.net/tracker/index.php?func=detail&aid=1909931&group_id=12997&atid=112997
>
> It seems to require some cooperation from the X server as well.
>
> Regards,
>
> Arjen
>
> On 2009-11-17 10:36, Andrew Ross wrote:
> > On Tue, Nov 17, 2009 at 08:54:09AM +0100, Arjen Markus wrote:
> >>
> >> On 2009-11-17 05:51, Alan W. Irwin wrote:
> >>> On 2009-11-16 20:29-0500 David A. Ventimiglia wrote:
> >>>
> >>>> Hi Alan,
> >>>>
> >>>> Thanks for the reply. I'm sorry, but I don't really understand X
> >>>> Windows security or the lack thereof, so I'll have to spend some time
> >>>> grokking this xhost business. :) In any event, it sounds like what
> >>>> you're saying is that this error is not a problem with Tcl, Tk, or
> >>>> PLplot, but rather a legitimate security hole that is either uncommon or
> >>>> doesn't exist at all on other Linux distros, but evidently does exist in
> >>>> Ubuntu Karmic Koala (at least, it does on my machine...I wonder what
> >>>> would happen if I'd done a clean install instead of an upgrade from
> >>>> Jaunty Jaguar). Is that correct? In that case, I suppose my queries
> >>>> should be redirected at the Ubuntu maintainers. :)
> >>> Yes, and yes. :-)
> >>>
> >> I can add some further information on the issue (from the man page of
> >> the Tcl/Tk send command):
> >>
> >> The send command is potentially a serious security loophole. On Unix,
> >> any application that can connect to your X server can send scripts to
> >> your applications. These incoming scripts can use Tcl to read and write
> >> your files and invoke subprocesses under your name. Host-based access
> >> control such as that provided by xhost is particularly insecure, since
> >> it allows anyone with an account on particular hosts to connect to your
> >> server, and if disabled it allows anyone anywhere to connect to your
> >> server. In order to provide at least a small amount of security, Tk
> >> checks the access control being used by the server and rejects incoming
> >> sends unless (a) xhost-style access control is enabled (i.e. only
> >> certain hosts can establish connections) and (b) the list of enabled
> >> hosts is empty. This means that applications cannot connect to your
> >> server unless they use some other form of authorization such as that
> >> provided by xauth. Under Windows, send is currently disabled. Most of the
> >> functionality is provided by the dde command instead.
> >>
> >> IIRC, Tcl/Tk can be compiled with a flag that turns off this security
> >> check, but I do not think that is a wise thing to do.
> >
> > Just to comment further, this issue has been around with Ubuntu (maybe also
> > Debian?) for a while. It is not a security issue. The default ubuntu setup
> > has xhost +SI:localuser:<username>, where username is the user logged on.
> > This allows the local user to display on the server - in particular it means
> > that x programs started via sudo will correctly display. You can disable
> > this, but then things like the package manager which need to run as root
> > won't work. I don't think this particular use of xhost is a security issue,
> > but tk is not that discriminating. The best course is probably to file a
> > bug against the tk package in Ubuntu. By default you would expect it to
> > work... The best solution would be a patch to tcl / tk to allow the
> > localuser case.
> >
> > Regards
> >
> > Andrew
> >
> > ------------------------------------------------------------------------------
> > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> > trial. Simplify your report design, integration and deployment - and focus on
> > what you do best, core application coding. Discover what's new with
> > Crystal Reports now. http://p.sf.net/sfu/bobj-july
> > _______________________________________________
> > Plplot-general mailing list
> > Plplot-general@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/plplot-general
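As an added example (not code from this thread, PLplot or Tk), the following POSIX shell check applies the acceptance rule quoted above from the Tk send man page to xhost(1) output: sends are accepted only when access control is enabled and the enabled-host list is empty, which is exactly the condition the Ubuntu SI:localuser entry breaks. The sample xhost outputs are constructed; the --live flag pipes the real xhost output through the same check.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether Tk's send would accept
# incoming sends given xhost(1) output, using the rule from the Tk man page:
# accept only if (a) access control is enabled and (b) the host list is empty.

# Reads xhost output on stdin. Returns 0 when Tk would accept sends, 1 otherwise,
# and prints the reason (which is what a practitioner wants to see).
tk_send_check() {
    enabled=0
    hosts=0
    while IFS= read -r line; do
        case "$line" in
            "access control enabled"*)  enabled=1 ;;
            "access control disabled"*) enabled=0 ;;
            "") ;;                      # ignore blank lines
            *) hosts=$((hosts + 1)) ;;  # every other line is an enabled host entry
        esac
    done
    if [ "$enabled" -eq 0 ]; then
        echo "reject: access control disabled, any client anywhere may connect"
        return 1
    fi
    if [ "$hosts" -ne 0 ]; then
        echo "reject: $hosts enabled host entries (e.g. Ubuntu's SI:localuser:<username>)"
        return 1
    fi
    echo "accept: access control enabled and host list empty (xauth cookies only)"
    return 0
}

# Constructed sample 1: the default Ubuntu desktop described in the thread.
UBUNTU_DEFAULT='access control enabled, only authorized clients can connect
SI:localuser:andrew'

# Constructed sample 2: access control enabled, no host entries (xauth only).
XAUTH_ONLY='access control enabled, only authorized clients can connect'

# Constructed sample 3: the state after running "xhost +".
WIDE_OPEN='access control disabled, clients can connect from any host'

# Check the running X server instead of the samples: ./script.sh --live
if [ "${1:-}" = "--live" ]; then
    xhost | tk_send_check
fi
```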