Wilbert Berendsen wrote:
> 
> Today at 4:57am, Geir Torstein Kristiansen mumbled:
> 
> > I *really* don't like the way blackbox runs arbitrary shell commands in
> > themes.
> >
> > There should be a standard way to set backgrounds that doesn't involve
> > the shell commands.
> >
> > Exploit:
> >
> > Malicious themes could contain nasty commands like: rootCommand: rm -rf
> > $HOME and the like.
> >
> > Imagine if blackbox is run as root, and you have a theme that contains
> > stuff like rootCommand: echo
> > "root:crypt-password:0:0:root:/root:/bin/bash" >>/etc/passwd; bsetroot
> > <normal stuff>
> >
> > And they wouldn't know what hit'em because everything will appear
> > normal, and the bg will be set.
> >
> > Note that I haven't bothered to test these.
> 
> I agree.
> 
> Maybe we could use a tool like bsetbg for this. A quick proposal
> replacement for rootCommand:
> 
> root.decoration:        mod, image <style> <..> <filename>, or a
>                         gradient texture description
> root.color:             color (used for mod and gradient)
> root.colorTo:           color
> 
> Blackbox then calls a script like bsetbg, to set the background in the
> desired way.
> 
> So
>    root.decoration:     flat gradient diagonal interlaced
>    root.color:          slategray
>    root.colorTo:        darkslategray
> 
> causes the script to call bsetroot with appropriate args.
> 
> And
>   root.decoration:      image fit snoopy.jpg
> 
> causes the script to run e.g. "xv -root -quit -max snoopy.jpg". The script
> could check for different apps like xv, display, xpmroot, Esetroot etc.
> 
>   root.decoration:      image tile silery.xpm
> 
> calls e.g. xv -root -quit silery.xpm. And
> 
>   root.decoration:      image center president.png
>   root.color:           black
> 
> calls e.g. xv -root -rmode 5 -bg black -quit president.png
> 
> When the image filename is relative, the script should look in
> ~/.blackbox/backgrounds and then in @pkgdatadir@/backgrounds.

I would really like each theme to have its own dir in which the
background (if there is any) and style file are contained, as explained
below :-)

> 
> This way you can install styles system-wide without bothering to change
> the style files.

Some other suggestions. The way the backgrounds are handled today is
convenient (with the arbitrary shell commands), but it is not "the right
thing[TM]", both with regard to security and with regard to having the
themes installed system-wide. The quicker it is fixed the better, as fewer
themes will need to be converted to some new safer format.

I really like the way Windowmaker (don't flame, yes I happen to use it
sometimes) handles this where each style file and background image (if
there is any) is contained in a single dir with a suffix of .themed.
Since the background image never is referenced with an absolute path you
can easily install the themes either systemwide or in the users home
directory without having to manually edit some absolute path. And this
also makes it easier to remove themes, as you don't have to look in the
theme file to find the background the theme you are going to remove
uses, you just delete the theme.themed dir and that's it.


        __  __  
  ___ _/ /_/ /__
 / _ `/ __/  '_/
 \_, /\__/_/\_\  Geir Torstein Kristiansen
/___/--------------------------------------
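
The declarative scheme proposed in this thread, sketched as an added example (not code from Blackbox, bsetbg or either poster): theme values are checked against allowlists and mapped to a fixed argument vector that can be exec'd without a shell, and image names are resolved only inside the given background directories. The function names, the texture and color allowlists and the use of bsetroot's -gradient/-from/-to options are assumptions of this sketch; the xv options are the ones quoted above.

```python
import os
import re

# Fixed xv option templates, taken from the commands quoted in the thread.
XV_MODES = {
    "fit": ["-root", "-quit", "-max"],
    "tile": ["-root", "-quit"],
    "center": ["-root", "-rmode", "5", "-quit"],
}
# Assumed allowlists for this sketch (narrower than what X or bsetroot accept).
TEXTURE_WORDS = {"flat", "raised", "sunken", "gradient", "interlaced",
                 "diagonal", "horizontal", "vertical"}
COLOR_RE = re.compile(r"^(#[0-9a-fA-F]{6}|[A-Za-z][A-Za-z0-9]*)$")


def check_color(value):
    if not COLOR_RE.match(value):
        raise ValueError("bad color: %r" % value)
    return value


def resolve_image(name, search_dirs):
    """Return the real path of a relative image name inside one of search_dirs."""
    if os.path.isabs(name):
        raise ValueError("absolute image path not allowed: %r" % name)
    for base in search_dirs:
        base = os.path.realpath(base)
        path = os.path.realpath(os.path.join(base, name))
        # Reject ../ and symlink escapes out of the background directory.
        if os.path.commonpath([base, path]) == base and os.path.isfile(path):
            return path
    raise ValueError("image not found in theme directories: %r" % name)


def build_root_argv(style, search_dirs):
    """Map root.* style keys to an argv list meant for exec without a shell."""
    words = style.get("root.decoration", "").split()
    if len(words) == 3 and words[0] == "image" and words[1] in XV_MODES:
        argv = ["xv"] + XV_MODES[words[1]]
        if words[1] == "center" and "root.color" in style:
            argv[4:4] = ["-bg", check_color(style["root.color"])]
        # The resolved path is absolute, so it cannot be read as an option.
        return argv + [resolve_image(words[2], search_dirs)]
    if "gradient" in words and set(words) <= TEXTURE_WORDS:
        return ["bsetroot", "-gradient", " ".join(words),
                "-from", check_color(style.get("root.color", "")),
                "-to", check_color(style.get("root.colorTo", ""))]
    raise ValueError("unsupported root.decoration: %r" % " ".join(words))
```

The returned list is intended for something like `subprocess.run(argv)` with no `shell=True`, so a theme file can only select among the fixed templates and never supplies command text.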
