HP Visualize J5000 HP Workstations - Graphics Administration Guide For Red Hat - Page 68



property exists, regardless of its actual value. "Error" means do not execute the request and return a BadAtom error with the atom set to the property name. Error is the default action for all properties, including those not listed in the security policy file.

An <action> applies to all <operation>s that follow it, until the next <action> is encountered. Thus, "irwad" means "ignore read and write, allow delete."

GetProperty and RotateProperties may do multiple operations (r and d, or r and w). If different actions apply to the operations, the most severe action is applied to the whole request; there is no partial request execution. The severity ordering is:

    allow < ignore < error

Thus, if the <perms> for a property are ired (ignore read, error delete), and an untrusted client attempts GetProperty on that property with delete=True, an error is returned, but the property value is not. Similarly, if any of the properties in a RotateProperties do not allow both read and write, an error is returned without changing any property values.

Here is an example security policy file.
    version-1
    # Allow reading of application resources, but not writing.
    property RESOURCE_MANAGER root ar iw
    property SCREEN_RESOURCES root ar iw
    # Ignore attempts to use cut buffers. Giving errors causes apps to crash,
    # and allowing access may give away too much information.
    property CUT_BUFFER0 root irw
    property CUT_BUFFER1 root irw
    property CUT_BUFFER2 root irw
    property CUT_BUFFER3 root irw
    property CUT_BUFFER4 root irw
    property CUT_BUFFER5 root irw
    property CUT_BUFFER6 root irw
    property CUT_BUFFER7 root irw
    # If you are using Motif, you may want these.
    property _MOTIF_DEFAULT_BINDINGS root ar iw
    property _MOTIF_DRAG_WINDOW root ar iw
    property _MOTIF_DRAG_TARGETS any ar iw
    property _MOTIF_DRAG_ATOMS any ar iw
    property _MOTIF_DRAG_ATOM_PAIRS any ar iw
    # The next two rules let xwininfo -tree work when untrusted.
    property WM_NAME any ar
    # Allow read of WM_CLASS, but only for windows with WM_NAME.
    # This might be more restrictive than necessary, but demonstrates
    # the <required property> facility, and is also an attempt to
    # say "top level windows only."
    property WM_CLASS WM_NAME ar
    # These next three let xlsclients work untrusted. Think carefully
    # before including these; giving away the client machine name and command
    # may be exposing too much.
    property WM_STATE WM_NAME ar
    property WM_CLIENT_MACHINE WM_NAME ar
    property WM_COMMAND WM_NAME ar
    # To let untrusted clients use the standard colormaps created by
    # xstdcmap, include these lines.
    property RGB_DEFAULT_MAP root ar
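The following Python is an added example, not code from this guide or from the X server. It models the rule semantics described above (an action letter applies to the operation letters that follow it, the most severe action decides a multi-operation request, properties with no applicable rule get error) and parses rules in the format of the example file. The names parse_perms, parse_policy, Rule and evaluate are this example's own; two points the guide does not spell out are taken as assumptions and marked as such in the code: operations a rule never mentions default to error, and the first rule whose property and window condition match is the one applied. The sample policy embedded at the end is constructed from a few of the rules above plus one invented EXAMPLE_PROP rule with the "ired" permissions the text discusses.

```python
"""Evaluator for X server SECURITY-extension property rules (added example)."""
from dataclasses import dataclass

# Severity ordering stated in the guide: allow < ignore < error
SEVERITY = {"allow": 0, "ignore": 1, "error": 2}
ACTION_LETTERS = {"a": "allow", "i": "ignore", "e": "error"}
OPERATION_LETTERS = {"r": "read", "w": "write", "d": "delete"}

# Operations performed by the two multi-operation requests named in the text.
REQUEST_OPERATIONS = {
    ("GetProperty", False): ("read",),
    ("GetProperty", True): ("read", "delete"),      # GetProperty with delete=True
    ("RotateProperties", False): ("read", "write"),
}


@dataclass
class Rule:
    prop: str      # property name the rule applies to
    window: str    # "root", "any", or a property that must exist on the window
    perms: dict    # operation -> action


def parse_perms(perms: str) -> dict:
    """Expand a <perms> string such as 'ar iw' or 'irwad' into {operation: action}.

    An action letter applies to every operation letter that follows it until the
    next action letter. Operations the rule never mentions fall back to error
    (assumption, following the guide's statement that error is the default)."""
    actions = {op: "error" for op in OPERATION_LETTERS.values()}
    current = None
    for ch in perms.replace(" ", ""):
        if ch in ACTION_LETTERS:
            current = ACTION_LETTERS[ch]
        elif ch in OPERATION_LETTERS:
            if current is None:
                raise ValueError(f"operation {ch!r} before any action in {perms!r}")
            actions[OPERATION_LETTERS[ch]] = current
        else:
            raise ValueError(f"unknown perms character {ch!r} in {perms!r}")
    return actions


def parse_policy(text: str) -> list:
    """Parse 'version-1' followed by 'property <name> <window> <perms>' rules.
    Blank lines and '#' comment lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not lines or lines[0] != "version-1":
        raise ValueError("policy file must start with version-1")
    rules = []
    for ln in lines[1:]:
        fields = ln.split()
        if fields[0] != "property" or len(fields) < 4:
            raise ValueError(f"unrecognised rule: {ln!r}")
        rules.append(Rule(fields[1], fields[2], parse_perms(" ".join(fields[3:]))))
    return rules


def evaluate(rules, prop, request, delete=False, is_root=False, window_props=()):
    """Return the single action taken for an untrusted client's request on prop.

    The first rule whose property and window condition match is used (assumption:
    the guide does not say how several rules for one property combine). The most
    severe per-operation action applies to the whole request, so there is no
    partial execution; a property with no applicable rule gets error."""
    ops = REQUEST_OPERATIONS[(request, delete)]
    for rule in rules:
        if rule.prop != prop:
            continue
        if rule.window == "root" and not is_root:
            continue
        if rule.window not in ("root", "any") and rule.window not in window_props:
            continue
        return max((rule.perms[op] for op in ops), key=SEVERITY.__getitem__)
    return "error"


# Constructed sample: a few rules from the guide's example file plus an invented
# EXAMPLE_PROP rule with the 'ired' (ignore read, error delete) case from the text.
SAMPLE_POLICY = """\
version-1
# Allow reading of application resources, but not writing.
property RESOURCE_MANAGER root ar iw
property CUT_BUFFER0 root irw
property WM_NAME any ar
property WM_CLASS WM_NAME ar
property EXAMPLE_PROP any ired
"""

if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    print(parse_perms("irwad"))
    print(evaluate(rules, "EXAMPLE_PROP", "GetProperty", delete=True))            # error
    print(evaluate(rules, "RESOURCE_MANAGER", "RotateProperties", is_root=True))   # ignore
    print(evaluate(rules, "WM_CLASS", "GetProperty", window_props=("WM_NAME",)))  # allow
```

Running the script shows the three behaviours the text describes: the "ired" GetProperty with delete=True collapses to error even though reading alone would be ignored, RotateProperties on a property that allows read but ignores write is ignored as a whole, and the WM_CLASS rule only fires for a window that actually carries WM_NAME, so every other window falls through to the error default.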
Graphics Administration Guide For Red Hat Linux 6.2