[EMAIL PROTECTED] said:
> Here comes a small tcl/tk script which will appear under the xdm screen and
> give the opportunity to halt, reboot or go to a console session (i.e. kill xdm).

As far as I understand TCL/Tk, those scripts give everybody with access to the
screen immediate root access. As far as I can tell, tkmgr doesn't terminate
when the user logs on.

If that is indeed the case, the problem is the `send' command of Tk, which 
allows any Tk application to send TCL commands to any other on the same screen. 
I don't know if recent versions of TCL/Tk check for more than the absence of an
xhost list (and therefore enforce xauth authentication). That means a little
script along the lines of
        #!/usr/bin/wish
        send tkmgr exec {rm -rf /}
can cause quite a bit of inconvenience. 

The minimum thing you could do is to disable the send command in Tk using
        rename send {}
Then it is your decision if you trust this to be secure or not...

                        Cheers,
                                Lukas

-------------------------------------------------------------------------------
   Dr. Lukas Nellen                 | Email: [EMAIL PROTECTED]
   Depto. de Fisica Teorica, IFUNAM |
   Apdo. Postal 20-364              | Tel.:  +52 5 622 5014 ext. 218
   01000 Mexico D.F., MEXICO        | Fax:   +52 5 622 5015
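
One way to check a set of Tk scripts for the `rename send {}` mitigation suggested above, as an added example that is not part of the original message: it flags scripts that run under wish but never disable `send`. The matching heuristics, function names and sample scripts are assumptions constructed for illustration and are not the real tkmgr source.

```python
import re

# Heuristic markers for "this script runs under Tk" (assumption of this example):
# a wish shebang, the `exec wish` re-exec idiom, or `package require Tk`.
TK_MARKERS = re.compile(
    r"^#!.*\bwish[\d.]*(\s|$)|^\s*exec\s+wish\b|^\s*package\s+require\s+Tk\b",
    re.MULTILINE,
)
# The mitigation from the message: `rename send {}` as a top-level command.
# Also accepts `rename send ""` and `rename ::send {}`. Commented-out or
# nested forms do not count, so the audit errs towards reporting.
SEND_DISABLED = re.compile(
    r'^\s*rename\s+(?:::)?send\s+(?:\{\}|"")\s*(?:;.*)?$', re.MULTILINE
)


def audit(script_text):
    """Classify one script: 'not-tk', 'send-disabled' or 'send-exposed'."""
    if not TK_MARKERS.search(script_text):
        return "not-tk"
    if SEND_DISABLED.search(script_text):
        return "send-disabled"
    return "send-exposed"


def audit_many(scripts):
    """Return the sorted names of Tk scripts that never disable send."""
    return sorted(n for n, t in scripts.items() if audit(t) == "send-exposed")


# Constructed sample scripts (not the real tkmgr source).
SAMPLES = {
    "tkmgr-as-posted": "#!/usr/bin/wish -f\n"
                       "button .halt -text Halt -command {exec halt}\n"
                       "pack .halt\n",
    "tkmgr-hardened": "#!/usr/bin/wish -f\n"
                      "rename send {}\n"
                      "button .halt -text Halt -command {exec halt}\n"
                      "pack .halt\n",
    "commented-out": "#!/usr/bin/wish\n# rename send {}\npack [label .l -text hi]\n",
    "plain-tclsh": "#!/usr/bin/tclsh\nputs hello\n",
}

if __name__ == "__main__":
    for name in audit_many(SAMPLES):
        print(f"{name}: Tk script leaves `send` enabled")
```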

