On 2009-11-17 09:36-0000 Andrew Ross wrote:

> On Tue, Nov 17, 2009 at 08:54:09AM +0100, Arjen Markus wrote:
>>
>>
>> On 2009-11-17 05:51, Alan W. Irwin wrote:
>>> On 2009-11-16 20:29-0500 David A. Ventimiglia wrote:
>>>
>>>> Hi Alan,
>>>>
>>>> Thanks for the reply.  I'm sorry, but I don't really understand X
>>>> Windows security or the lack thereof, so I'll have to spend some time
>>>> grokking this xhost business.  :)  In any event, it sounds like what
>>>> you're saying is that this error is not a problem with Tcl, Tk, or
>>>> PLplot, but rather a legitimate security hole that is either uncommon or
>>>> doesn't exist at all on other Linux distros, but evidently does exist in
>>>> Ubuntu Karmic Koala (at least, it does on my machine...I wonder what
>>>> would happen if I'd done a clean install instead of an upgrade from
>>>> Jaunty Jaguar).  Is that correct?  In that case, I suppose my queries
>>>> should be redirected at the Ubuntu maintainers.  :)
>>>
>>> Yes, and yes.  :-)
>>>
>>
>> I can add some further information on the issue (from the man page of
>> the Tcl/Tk send command):
>>
>> The send command is potentially a serious security loophole. On Unix,
>> any application that can connect to your X server can send scripts to
>> your applications. These incoming scripts can use Tcl to read and write
>> your files and invoke subprocesses under your name. Host-based access
>> control such as that provided by xhost is particularly insecure, since
>> it allows anyone with an account on particular hosts to connect to your
>> server, and if disabled it allows anyone anywhere to connect to your
>> server. In order to provide at least a small amount of security, Tk
>> checks the access control being used by the server and rejects incoming
>> sends unless (a) xhost-style access control is enabled (i.e. only
>> certain hosts can establish connections) and (b) the list of enabled
>> hosts is empty. This means that applications cannot connect to your
>> server unless they use some other form of authorization such as that
>> provided by xauth. Under Windows, send is currently disabled. Most of the
>> functionality is provided by the dde command instead.
>>
>> IIRC, Tcl/Tk can be compiled with a flag that turns off this security
>> check, but I do not think that is a wise thing to do.
>
> Just to comment further, this issue has been around with Ubuntu (maybe also
> Debian?) for a while. It is not a security issue. The default Ubuntu setup
> has xhost +SI:localuser:<username>, where username is the user logged on.
> This allows the local user to display on the server - in particular it means
> that X programs started via sudo will correctly display. You can disable
> this, but then things like the package manager which need to run as root
> won't work. I don't think this particular use of xhost is a security issue,
> but Tk is not that discriminating. The best course is probably to file a
> bug against the Tk package in Ubuntu. By default you would expect it to
> work... The best solution would be a patch to Tcl/Tk to allow the localuser
> case.

Thanks, Andrew, for that further explanation of the Ubuntu xhost default.  I
am positive Debian doesn't do it that way by default (perhaps there is no
need since they tend not to emphasize sudo like Ubuntu does), but it does
sound like

xhost +SI:localuser:<username>

is an example of one of the few xhost +* combinations that is secure, and
Ubuntu might need to patch Tcl/Tk accordingly to accept that.

However, that explanation may be too easy and Ubuntu may have done that
already.  For example, my understanding is you do run Ubuntu and you do test
Tcl/Tk, and apparently the above "xhost +*" combination is set for your
case. So I am wondering why you haven't run into this problem yourself? If
you cannot reproduce this issue with any of your Ubuntu platforms, then
perhaps this user has some older Tcl/Tk installed that is not really
compatible with Karmic, and in that case, the solution for him might be to
simply purge Tcl/Tk and reinstall the version of Tcl/Tk that comes with
Karmic (which is more likely to be compatible with how Karmic handles
xhost).

Alan
__________________________
Alan W. Irwin

Astronomical research affiliation with Department of Physics and Astronomy,
University of Victoria (astrowww.phys.uvic.ca).

Programming affiliations with the FreeEOS equation-of-state implementation
for stellar interiors (freeeos.sf.net); PLplot scientific plotting software
package (plplot.org); the libLASi project (unifont.org/lasi); the Loads of
Linux Links project (loll.sf.net); and the Linux Brochure Project
(lbproject.sf.net).
__________________________

Linux-powered Science
__________________________

_______________________________________________
Plplot-general mailing list
Plplot-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/plplot-general
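
Added example (not part of the original thread and not Tk's own code): the acceptance rule quoted above from the Tk send man page, applied to text in the format `xhost` prints. The verdict labels, the user name `alice` and the host `build01.example.org` are constructed for illustration; Tk itself queries the X server rather than parsing this text.

```shell
#!/bin/sh
# Classify `xhost` output against the rule quoted from the Tk send man page:
# incoming sends are accepted only if (a) access control is enabled and
# (b) the list of enabled entries is empty.
# Reads xhost-style text on stdin, prints one verdict (labels are constructed):
#   accept                          enabled, empty list
#   reject:access-control-disabled  anyone anywhere can connect
#   reject:host-entries             at least one entry that is not a local user
#   reject:localuser-only           only SI:localuser:<name> entries (Ubuntu default)
#   unknown                         first line is not an xhost status line
tk_send_verdict() {
    awk '
        NR == 1 {
            if ($0 ~ /^access control enabled/)       enabled = 1
            else if ($0 ~ /^access control disabled/) enabled = 0
            else bad = 1
            next
        }
        NF == 0          { next }              # skip blank lines
        /^SI:localuser:/ { nlocal++; next }    # server-interpreted local user
                         { nother++ }          # INET:, LOCAL:, other SI: ...
        END {
            if (NR == 0 || bad) print "unknown"
            else if (!enabled)  print "reject:access-control-disabled"
            else if (nother)    print "reject:host-entries"
            else if (nlocal)    print "reject:localuser-only"
            else                print "accept"
        }'
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_EMPTY='access control enabled, only authorized clients can connect'
SAMPLE_UBUNTU='access control enabled, only authorized clients can connect
SI:localuser:alice'
SAMPLE_HOST='access control enabled, only authorized clients can connect
INET:build01.example.org
SI:localuser:alice'
SAMPLE_OPEN='access control disabled, clients can connect from any host'

# On a live session the same check is:  xhost | tk_send_verdict
for s in "$SAMPLE_EMPTY" "$SAMPLE_UBUNTU" "$SAMPLE_HOST" "$SAMPLE_OPEN"; do
    printf '%s\n' "$s" | tk_send_verdict
done
```

The `reject:localuser-only` verdict is the case discussed in this thread: the list is non-empty, so the rule as quoted rejects the send even though the only entry names the logged-in user.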