Tk in a set-userid application

Purpose: to investigate issues relating to writing set-userid Tk applications.

Here's a simple set-userid application that I'm using as a demonstration of the machinations one has to go through to get this stuff to work..


The problem is this - when Tk is first loaded (by wish or by a load command), the code makes an attempt to connect to the user's DISPLAY. By default, Tk requires a secure xauth'ed X session, due to the Tk "send" capability under X. Thus, a set-userid application can't get in while the security is in place. Rather than turn off security and risk breeches, the following technique allows one to, in one application, do some set-userid work and then turn off the set-userid nature of the application.


 $ cat setuid.sh
 #! /bin/sh

 /usr/tcl83/bin/tclsh /home/lwv26/setuid.tcl

 $ cat setuid.tcl
 #!/bin/sh
 # \
 exec /usr/tcl83/bin/tclsh "$0" ${1+"$@"}

 package require Tclx
 set i [info loaded]
 puts $i

 set efd1 [open "/tmp/effective" "w"]
 puts $efd1 "output"
 close $efd1

 # A file owned by the effective user id was just created
 # Now, change users so that Tk can be done.

 set effective [id effective userid]
 set real [id  userid ]

 puts "Before: realid = $real  effectiveid = $effective"
 id userid $real
 puts "After: realid = $real  effectiveid = $effective"

 load /usr/tcl83/lib/libtk8.3.so
 proc quitApp { args } {
        puts [format "%s" $args]
        set ::forever 1
        exit 0
 }

 set res [wm protocol . WM_DELETE_WINDOW quitApp]

 puts $res
 button .b -text 0 -command {.b config -text [expr [.b cget -text]+1]}
 pack   .b ;#RS
 vwait ::forever
 puts "All done now"


 $ su differentuid
 Password: 
 % chmod 4755 setuid.sh
 $
 $ /home/lvirden/setuid.sh
 Before: realid = 203  effectiveid = 3750
 After: realid = 203  effectiveid = 3750

followed by the appearance of a button. Attempts to close out the button just result in output to stdout and the button continuing.


I'd love to hear from you on what else I need to consider, and how we could make this much less painful.

See also Using Tk as a loadable package, which claims that the vwait and setting of ::forever code could be dropped under Tcl 8.4.


Category Security