SECURE?? [Re: Ctrl-Alt-Del doesn't work under X? ]
phil@fifi.org said:
> Here comes a small tcl/tk script which will appear under the xdm screen and
> give the opportunity to halt, reboot or go to a console session (ie kill xdm).
As far as I understand TCL/Tk, those scripts give everybody with access to the screen immediate root access. As far as I can tell, tkmgr doesn't terminate when the user logs on.
If that is indeed the case, the problem is the `send' command of Tk, which allows any Tk application to send TCL commands to any other on the same screen. I don't know if recent versions of TCL/Tk check for more than the absence of an xhost list (and therefore enforce xauth authentication). That means a little script along the lines of
    #!/usr/bin/wish
    send tkmgr exec {rm -rf /}
can cause quite a bit of inconvenience.
The minimum thing you could do is to disable the send command in Tk using
    rename send {}
Then it is your decision if you trust this to be secure or not...
Cheers,
Lukas
-------------------------------------------------------------------------------
Dr. Lukas Nellen | Email: lukas@teorica0.ifisicacu.unam.mx
Depto. de Fisica Teorica, IFUNAM |
Apdo. Postal 20-364 | Tel.: +52 5 622 5014 ext. 218
01000 Mexico D.F., MEXICO | Fax: +52 5 622 5015
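
Added example, not part of the original message and not the tkmgr author's code: a startup preamble for a privileged Tk script that applies the `rename send {}` mitigation above and refuses to start if it did not take effect. It assumes wish on X11; the wrapper around `tk` and the name `::_tk_orig` are illustrative, and the wrapper only guards against the script's own code re-enabling send, which the Tk send manual page says `tk appname` does.

```tcl
#!/usr/bin/wish
# Hardening preamble for a privileged Tk script. Run it before any other code.
# Assumption: X11, where Tk registers each interpreter on the display for send.

# Remember the registered name so we can confirm it disappears below.
set myname [tk appname]

# 1. Remove send. Per the Tk send(n) manual page, the application then
#    neither answers incoming send requests nor issues outgoing ones.
rename send {}

# 2. The same manual page notes that invoking "tk appname" re-enables
#    communication. Block that subcommand, including its abbreviations
#    ("tk app", "tk a", ...), for the rest of this script.
rename tk ::_tk_orig
proc tk {args} {
    set sub [lindex $args 0]
    if {$sub ne "" && [string first $sub appname] == 0} {
        error "tk appname is disabled here: it would re-enable send"
    }
    # Every other subcommand is passed through unchanged.
    uplevel 1 [linsert $args 0 ::_tk_orig]
}

# 3. Fail closed if either check shows send is still reachable.
if {[llength [info commands send]] != 0} {
    puts stderr "send is still defined, refusing to start"
    exit 1
}
if {[lsearch -exact [winfo interps] $myname] >= 0} {
    puts stderr "$myname is still registered for send, refusing to start"
    exit 1
}

# ... the rest of the privileged script (buttons, exec calls) goes here ...
```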