Artifact [315bd3b6d6]

Artifact 315bd3b6d65054f5446e547d9230b22701768b99e282bc6313d87db5cfd4e631:


TIP:            61
Title:          Make TK_NO_SECURITY Run-Time Switchable
Version:        $Revision: 1.4 $
Author:         Jeff Hobbs <[email protected]>
Author:         Donal K. Fellows <[email protected]>
State:          Deferred
Type:           Project
Vote:           Pending
Created:        12-Sep-2001
Post-History:   
Tcl-Version:    8.5

~ Abstract

This TIP changes the compile time Tk define TK_NO_SECURITY to be
switchable at run-time.

~ Rationale

The TK_NO_SECURITY compile-time #define is available to disable some
of the security checking performed when ''send'' is used.  The relevant
comments in the Makefile read:

| # To turn off the security checks that disallow incoming sends when
| # the X server appears to be insecure, reverse the comments on the
| # following lines:
| SECURITY_FLAGS		=
| #SECURITY_FLAGS		= -DTK_NO_SECURITY

I propose to make this switch configurable at runtime through a ''tk
securesend'' option.

~ Benefits

Users would be able to debug between Tk applications on Unix using
''send'' without having to compile a special version of Tk or
manipulate the security settings of their X server to Tk's liking
(which can then conflict with other work).  It is common for users in
internal ("safe") networks to open up access to an X server with
''xhost +machine''.
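
An added example (not part of the TIP or the reference patch): a shell
function that classifies ''xhost'' output so a user can see whether a
display is in the state the paragraph above describes.  It assumes, from
Tk's behaviour rather than from this page, that the ''send'' check accepts
a display only when access control is enabled and no entries are listed;
the sample outputs and function names are constructed for illustration.

```shell
#!/bin/sh
# classify_xhost: read `xhost` output on stdin and print one verdict word.
#   secure    access control on, nothing listed (xauth-style authorization only)
#   listed    access control on, but entries such as INET:machine are present
#   disabled  access control off (the result of `xhost +`)
#   unknown   input did not look like xhost output
# Assumption: any listed entry counts against the display, including
# server-interpreted (SI:) entries.
classify_xhost() {
    awk '
        NR == 1 && /^access control enabled/  { state = "enabled";  next }
        NR == 1 && /^access control disabled/ { state = "disabled"; next }
        NF > 0 { entries++ }
        END {
            if (state == "disabled")      print "disabled"
            else if (state != "enabled")  print "unknown"
            else if (entries > 0)         print "listed"
            else                          print "secure"
        }'
}

# Convenience wrapper: classify a captured string instead of a pipe.
verdict_for() { printf '%s\n' "$1" | classify_xhost; }

# Constructed sample outputs (not captured from a real server).
sample_xauth_only='access control enabled, only authorized clients can connect'
sample_host_opened='access control enabled, only authorized clients can connect
INET:machine'
sample_wide_open='access control disabled, clients can connect from any host'

# Demonstration on the samples; on a live display use:  xhost | classify_xhost
for s in "$sample_xauth_only" "$sample_host_opened" "$sample_wide_open"; do
    printf '%-9s <- %s\n' "$(verdict_for "$s")" "$(printf '%s\n' "$s" | head -n 1)"
done
```

A verdict other than ''secure'' is the situation in which incoming sends
are refused unless the check is turned off.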

~ Drawbacks

By allowing security to be disabled, users may open up their systems
to attack.  However, secure is the default setting, and any
paranoid users can ''rename send {}'' to ensure that it is not used at
all.

~ Reference Implementation

A full patch for this feature is available at:

http://sf.net/tracker/?func=detail&aid=456732&group_id=12997&atid=312997

The proposal adds one element to the private ''TkDisplay'' structure
(configuration for secure send is done per display), and creates the
Tcl level command:

|	tk securesend ?-displayof window? ?boolean?

It leaves the TK_NO_SECURITY flag alone.  If that flag is specified at
compile time, ''send'' is insecure by default; otherwise it is secure
by default.

~ Comments

''DKF'' - It should be possible to control the setting of the
compile-time TK_NO_SECURITY flag from the ''configure'' script; having
to edit the Makefile by hand to adjust it makes it too easy to
inadvertently break something by introducing an unfortunate typo. Being
able to pass a ''--disable-security'' flag would make things much easier
from a user's point of view, and will make it less likely that the Tk
maintainers will have to deal with bug reports that ultimately stem from
a dumb mistake made in a sensitive spot...

~ Copyright  

This document has been placed in the public domain.