HP Visualize J282 HP Workstations - Graphics Administration Guide For Red Hat - Page 68
BadAtom, irwad, GetProperty, RotateProperties, delete=True, ignore read, error delete, and an
View all HP Visualize J282 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 68 highlights
property exists, regardless of its actual value. "Error" means do not execute the request and return a BadAtom error with the atom set to the property name. Error is the default action for all properties, including those not listed in the security policy file. An applies to all s that follow it, until the next is encountered. Thus, "irwad" means "ignore read and write, allow delete." GetProperty and RotateProperties may do multiple operations (r and d, or r and w). If different actions apply to the operations, the most severe action is applied to the whole request; there is no partial request execution. The severity ordering is: allow < ignore < error Thus, if the for a property are ired (ignore read, error delete), and an untrusted client attempts GetProperty on that property with delete=True, an error is returned, but the property value is not. Similarly, if any of the properties in a RotateProperties do not allow both read and write, an error is returned without changing any property values. Here is an example security policy file. version-1 # Allow reading of application resources, but not writing. property RESOURCE_MANAGER root ar iw property SCREEN_RESOURCES root ar iw # Ignore attempts to use cut buffers. Giving errors causes apps to crash, # and allowing access may give away too much information. property CUT_BUFFER0 root irw property CUT_BUFFER1 root irw property CUT_BUFFER2 root irw property CUT_BUFFER3 root irw property CUT_BUFFER4 root irw property CUT_BUFFER5 root irw property CUT_BUFFER6 root irw property CUT_BUFFER7 root irw # If you are using Motif, you may want these. property _MOTIF_DEFAULT_BINDINGS root ar iw property _MOTIF_DRAG_WINDOW root ar iw property _MOTIF_DRAG_TARGETS any ar iw property _MOTIF_DRAG_ATOMS any ar iw property _MOTIF_DRAG_ATOM_PAIRS any ar iw # The next two rules let xwininfo -tree work when untrusted. property WM_NAME any ar # Allow read of WM_CLASS, but only for windows with WM_NAME. # This might be more restrictive than necessary, but demonstrates # the facility, and is also an attempt to # say "top level windows only." property WM_CLASS WM_NAME ar # These next three let xlsclients work untrusted. Think carefully # before including these; giving away the client machine name and command # may be exposing too much. property WM_STATE WM_NAME ar property WM_CLIENT_MACHINE WM_NAME ar property WM_COMMAND WM_NAME ar # To let untrusted clients use the standard colormaps created by # xstdcmap, include these lines. property RGB_DEFAULT_MAP root ar Graphics Administration Guide For Red Hat Linux 6.2