61.tip at [e700ee7d45]

Login
Home Timeline Branches Tags Help
Annotate Artifact Blame Check-ins Using Doc Download Hex

File tip/61.tip artifact 315bd3b6d6 part of check-in e700ee7d45

TIP:            61
Title:          Make TK_NO_SECURITY Run-Time Switchable
Version:        $Revision: 1.4 $
Author:         Jeff Hobbs <[email protected]>
Author:         Donal K. Fellows <[email protected]>
State:          Deferred
Type:           Project
Vote:           Pending
Created:        12-Sep-2001
Post-History:   
Tcl-Version:    8.5

~ Abstract

This TIP changes the compile time Tk define TK_NO_SECURITY to be
switchable at run-time.

~ Rationale

The TK_NO_SECURITY compile time #define is available to disable some
security checking when send is used.  The direct comments in the
Makefile are:

| # To turn off the security checks that disallow incoming sends when
| # the X server appears to be insecure, reverse the comments on the
| # following lines:
| SECURITY_FLAGS		=
| #SECURITY_FLAGS		= -DTK_NO_SECURITY

I propose to make this switch configurable at runtime through a ''tk
securesend'' option.

~ Benefits

Users would be able to debug between Tk applications on Unix using
''send'' without having to compile a special version of Tk or
manipulating the security settings of their X server to Tk's liking
(which can then conflict with other work).  It is common for users in
internal ("safe") networks to open up access to an X server with
''xhost +machine''.

~ Drawbacks

By allowing security to be disabled, users do possibly open up their
system to attack.  However, secure is the default setting, and any
paranoid users can ''rename send {}'' to ensure that it is not used at
all.

~ Reference Implementation

A full patch for this feature is available at:

http://sf.net/tracker/?func=detail&aid=456732&group_id=12997&atid=312997

The proposal adds one element to the private ''TkDisplay'' structure
(configuration for secure send is done per display), and creates the
Tcl level command:

|	tk securesend ?-displayof window? ?boolean?

It leaves the TK_NO_SECURITY flag alone.  If specified, send is
insecure by default, otherwise it is secure.

~ Comments

''DKF'' - It should be possible to control the setting of the
compile-time TK_NO_SECURITY flag from the ''configure'' script; having
to edit the Makefile by hand to adjust it makes it too easy to
inadvertently break something by introducing an unfortunate typo. Being
able to pass a ''--disable-security'' flag would make thing much easier
from a user's point of view, and will make it less likely that the Tk
maintainers will have to deal with bug reports that ultimately stem from
a dumb mistake made in a sensitive spot...

~ Copyright  

This document has been placed in the public domain.