TIP #61: MAKE TK_NO_SECURITY RUN-TIME SWITCHABLE
==================================================
 Version:      $Revision: 1.4 $
 Author:       Jeff Hobbs, Donal K. Fellows
 State:        Deferred
 Type:         Project
 Tcl-Version:  8.5
 Vote:         Pending
 Created:      Wednesday, 12 September 2001
 URL:          https://tip.tcl-lang.org61.html
 Post-History:

-------------------------------------------------------------------------

ABSTRACT
==========

This TIP changes the compile-time Tk define TK_NO_SECURITY to be
switchable at run-time.

RATIONALE
===========

The TK_NO_SECURITY compile-time #define is available to disable some
security checking when send is used. The direct comments in the
Makefile are:

    # To turn off the security checks that disallow incoming sends when
    # the X server appears to be insecure, reverse the comments on the
    # following lines:
    SECURITY_FLAGS =
    #SECURITY_FLAGS = -DTK_NO_SECURITY

I propose to make this switch configurable at runtime through a /tk
securesend/ option.

BENEFITS
==========

Users would be able to debug between Tk applications on Unix using
/send/ without having to compile a special version of Tk or manipulate
the security settings of their X server to Tk's liking (which can then
conflict with other work). It is common for users in internal ("safe")
networks to open up access to an X server with /xhost +machine/.

DRAWBACKS
===========

By allowing security to be disabled, users may open up their system to
attack. However, secure is the default setting, and any paranoid users
can /rename send {}/ to ensure that it is not used at all.

REFERENCE IMPLEMENTATION
==========================

A full patch for this feature is available at:

The proposal adds one element to the private /TkDisplay/ structure
(configuration for secure send is done per display), and creates the
Tcl level command:

    tk securesend ?-displayof window? ?boolean?

It leaves the compile-time TK_NO_SECURITY flag alone: if the flag is
specified, send is insecure by default; otherwise it is secure.

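A minimal C model of the design described above, added here as an
illustration; it is not the TIP's patch or Tk source. The names
DemoDisplay, demo_display_init, demo_securesend and
demo_accept_incoming_send are hypothetical, and whether the X server
"appears secure" is passed in as a plain flag.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the one element the TIP adds to the private
 * TkDisplay structure; the setting is kept per display. */
typedef struct {
    int secure_send;   /* 1 = enforce the incoming-send security check */
} DemoDisplay;

/* The default follows the compile-time flag, which the TIP leaves alone. */
void demo_display_init(DemoDisplay *d) {
#ifdef TK_NO_SECURITY
    d->secure_send = 0;
#else
    d->secure_send = 1;
#endif
}

/* Models "tk securesend ?boolean?" (simplified boolean spellings).
 * value == NULL queries; otherwise sets. Returns the resulting setting,
 * or -1 on a bad boolean, leaving the setting unchanged. */
int demo_securesend(DemoDisplay *d, const char *value) {
    static const char *yes[] = {"1", "true", "yes", "on"};
    static const char *no[] = {"0", "false", "no", "off"};
    if (value == NULL) return d->secure_send;
    for (size_t i = 0; i < 4; i++) {
        if (strcmp(value, yes[i]) == 0) return d->secure_send = 1;
        if (strcmp(value, no[i]) == 0) return d->secure_send = 0;
    }
    return -1;
}

/* An incoming send is refused only when the check is enabled for this
 * display AND the server appears insecure. */
int demo_accept_incoming_send(const DemoDisplay *d, int server_looks_secure) {
    return !d->secure_send || server_looks_secure;
}

int main(void) {
    DemoDisplay work, debug;
    demo_display_init(&work);
    demo_display_init(&debug);
    demo_securesend(&debug, "off");   /* relax only the debugging display */
    printf("work accepts:  %d\n", demo_accept_incoming_send(&work, 0));
    printf("debug accepts: %d\n", demo_accept_incoming_send(&debug, 0));
    return 0;
}
```

Because the flag lives in the per-display structure, relaxing the check
on one display leaves every other display at the secure default.
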
COMMENTS
==========

/DKF/ - It should be possible to control the setting of the
compile-time TK_NO_SECURITY flag from the /configure/ script; having to
edit the Makefile by hand to adjust it makes it too easy to
inadvertently break something by introducing an unfortunate typo. Being
able to pass a /--disable-security/ flag would make things much easier
from a user's point of view, and will make it less likely that the Tk
maintainers will have to deal with bug reports that ultimately stem
from a dumb mistake made in a sensitive spot...

COPYRIGHT
===========

This document has been placed in the public domain.

-------------------------------------------------------------------------

TIP AutoGenerator - written by Donal K. Fellows