[192] in Zephyr_Comments
security problems with XSETROOT and zmail
daemon@ATHENA.MIT.EDU (bjaspan@ATHENA.MIT.EDU)
Sat Apr 1 13:47:48 1989
From: <bjaspan@ATHENA.MIT.EDU>
Date: Sat, 1 Apr 89 13:47:26 EST
To: zephyr-comments@ATHENA.MIT.EDU, jik@ATHENA.MIT.EDU, jh@ATHENA.MIT.EDU,

Well, obviously I have to put in a plug for my own system, so here we go.

zmail is a good solution to the specific problem mentioned,
that of class XSETROOT. It effectively gives .zephyr.desc the ability
someone mentioned of "write $message to <filename>". It uses a stream
socket, so it doesn't even load down the zephyr servers (which sending a
large bitmap on XSETROOT does.) Users will not need to put the programs
in their locker as I am going to put them in the sipb locker. (right now
they are available from my homedir, so users don't need to copy them even
now.)

Next comment: zmail is not a hack. Or, if it is, so is ftp, telnet,
talk, rlogin... any program that uses stream sockets. Using zephyr as
a rendezvous service is (as far as I can tell) an intended use. It seems
I am the first person to actually use it in this way, however.

Last point: zmail is already in use as a replacement for XSETROOT.
(Granted, I only know of two or three people who use it for this purpose.)
Here is the appropriate code for .zephyr.desc (cut from my file):

does $class
  match ZMAIL
    fields host prt filename
    # ZMAIL Window dumps
    does $instance
      match xwd
        exec /mit/bjaspan/bin/zrecv -h $host -p $prt -s | xwud
        exit
      endmatch
    enddoes
    # ZMAIL xsetroot bitmaps
    does $instance
      match BITMAP
        exec (/mit/bjaspan/bin/zrecv -s -h $host -p $prt -f /tmp/xsetroot.$sender."$time";xsetroot -bitmap /tmp/xsetroot.$sender."$time")
        exit
      endmatch
    enddoes
  endmatch
enddoes

Barr3y
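
Added example, not part of the original message and not zmail's own code: a Python sketch of the rendezvous pattern described above, in which a small notice carries `host` and `prt` and the bulk data moves over a stream socket. The wire format, function names, size cap and loopback sender are assumptions; the receiver validates the notice fields before connecting and writes to a private temp file rather than a /tmp name built from `$sender` and `$time`.

```python
import os, re, socket, tempfile, threading

MAX_BYTES = 1 << 20  # assumed cap on one transfer
HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,253}[A-Za-z0-9])?")
PORT_RE = re.compile(r"[0-9]{1,5}")

def validate_notice(notice):
    """Check the host/prt fields of a notice; return (host, port) or raise ValueError."""
    host, prt = notice.get("host", ""), notice.get("prt", "")
    if not HOST_RE.fullmatch(host):      # no shell metacharacters, no leading '-'
        raise ValueError("bad host field")
    if not PORT_RE.fullmatch(prt) or not 1 <= int(prt) <= 65535:
        raise ValueError("bad prt field")
    return host, int(prt)

def offer(payload, filename):
    """Sender: listen on an ephemeral port, return the small notice to broadcast."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(payload)        # bulk data goes over the stream socket
    threading.Thread(target=serve, daemon=True).start()
    return {"host": "127.0.0.1", "prt": str(srv.getsockname()[1]), "filename": filename}

def receive(notice):
    """Receiver: connect back and store the payload in a private temp file."""
    host, port = validate_notice(notice)
    # mkstemp: exclusive create, mode 0600, unpredictable name; the sender's
    # "filename" field is never used as a local path.
    fd, path = tempfile.mkstemp(prefix="zmail-")
    try:
        with os.fdopen(fd, "wb") as out, \
             socket.create_connection((host, port), timeout=5) as s:
            total = 0
            while chunk := s.recv(65536):
                total += len(chunk)
                if total > MAX_BYTES:
                    raise ValueError("payload too large")
                out.write(chunk)
    except Exception:
        os.unlink(path)
        raise
    return path
```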