
SECURE?? [Re: Ctrl-Alt-Del doesn't work under X? ]



phil@fifi.org said:
> Here comes a small tcl/tk script which will appear under the xdm screen and 
> give the opportunity to halt, reboot or go to a console session (ie kill xdm).

As far as I understand TCL/Tk, those scripts give everybody with access to the screen immediate root access. As far as I can tell, tkmgr doesn't terminate when the user logs on. 

If that is indeed the case, the problem is the `send' command of Tk, which allows any Tk application to send TCL commands to any other on the same screen. I don't know if recent versions of TCL/Tk check for more than the absence of an xhost list (and therefore enforce xauth authentication). That means a little script along the lines of
	#!/usr/bin/whish
	send tkmgr exec {rm -rf /}
can cause quite a bit of inconvenience. 

The minimum thing you could do is to disable the send command in Tk using
	rename send {}
Then it is your decision if you trust this to be secure or not...

			Cheers,
				Lukas

-------------------------------------------------------------------------------
   Dr. Lukas Nellen                 | Email: lukas@teorica0.ifisicacu.unam.mx
   Depto. de Fisica Teorica, IFUNAM |
   Apdo. Postal 20-364              | Tel.:  +52 5 622 5014 ext. 218
   01000 Mexico D.F., MEXICO        | Fax:   +52 5 622 5015
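
Added example, not part of the original message or of tkmgr: a small static check that reports whether a Tk script leaves `send` reachable, either because it never runs `rename send {}` or because a later `tk appname <name>` call re-creates the command (behaviour documented in the Tk `send` manual page). The sample scripts are constructed, and the check is a line-based heuristic that assumes one command per line.

```python
import re

# Added example: static check for Tk scripts that leave `send` reachable.
RENAME_SEND = re.compile(r'^\s*rename\s+send\s+(\{\s*\}|"")\s*(;|$)')
TK_APPNAME = re.compile(r'^\s*tk\s+appname\s+\S')   # only the form that sets a name
EVENT_LOOP = re.compile(r'^\s*(update|vwait|tkwait)\b')

def audit_send(script: str) -> list:
    """Return findings for one Tk script; an empty list means send stays off."""
    findings = []
    send_on = True      # wish registers the interpreter for send at startup
    for no, line in enumerate(script.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue    # skip comments and the #! line
        if RENAME_SEND.search(line):
            send_on = False
        elif TK_APPNAME.search(line) and not send_on:
            send_on = True
            findings.append(f"line {no}: 'tk appname' re-enables send")
        elif EVENT_LOOP.search(line) and send_on:
            findings.append(f"line {no}: events processed while send is enabled")
    if send_on:
        findings.append("send is enabled when the script reaches its main loop")
    return findings

# Constructed samples (not the tkmgr script from the thread).
UNSAFE = '''#!/usr/bin/wish
button .halt -text Halt -command {exec /sbin/halt}
pack .halt
'''
HARDENED = '''#!/usr/bin/wish
rename send {}
button .halt -text Halt -command {exec /sbin/halt}
pack .halt
'''
REENABLED = '''#!/usr/bin/wish
rename send {}
tk appname tkmgr
pack [button .halt -text Halt -command {exec /sbin/halt}]
'''

if __name__ == "__main__":
    for name, text in [("unsafe", UNSAFE), ("hardened", HARDENED),
                       ("reenabled", REENABLED)]:
        print(name, audit_send(text) or "ok")
```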

