Moinak:

>> This is turned on by default so that Java programs work with
>> accessibility by default. Unfortunately Java doesn't support using
>> a sockets connection for local-only ORBit requests (the technique
>> used by GTK+ programs), and it only supports using connections over IP.
>
> There was a similar issue for SMC which is written in Java. The solution
> used was to bind the server's listening socket only to localhost
> (127.0.0.1)
> and use localhost as the hostname for local-only mode.

Thanks for the tip. I created bugzilla bug #422908 about this issue:

http://bugzilla.gnome.org/show_bug.cgi?id=422908

So I'll be interested to see what the ORBit2 maintainer thinks. Also, if you (or other people who know about this) want to take a look at the code and see how to properly implement this change in ORBit2, I'd appreciate the help. The bug report contains pointers to the places in the code that I think would need to be changed. The code can be found here:

ftp://ftp.gnome.org/pub/gnome/sources/ORBit2/2.14/

Brian

>> If you don't use accessibility, then you can remove your /etc/orbitrc
>> file and the ports should go away. For users who want to tighten
>> security and who don't use Java accessibility, this might be a good
>> option.
>
> Smells like a good candidate to move into SMF, though I am not sure
> which service manifest will be suitable to hold this info. Maybe it will
> be interesting to create an SMF manifest, without any associated daemon
> just to hold desktop-specific properties.

Since this feature is needed only by accessibility, might make sense for it to be an accessibility feature rather than a desktop feature.

Basically there are 3 modes the user might want to run in:

1. Lockdown mode - ORBit does not accept TCP/IP at all. In this case Java doesn't work with accessibility and remote programs don't work.
2. Local TCP mode - ORBit accepts TCP/IP but only from the local machine. This makes Java work, but remote programs don't work.
3. Open mode - ORBit accepts TCP/IP from anywhere. This allows both Java to work and the user to run a11y enabled programs remotely.

Basically the 3 modes would simply modify /etc/orbitrc so that it contains nothing in mode 1, and the following in mode 2:

    ORBIIOPIPv4=1
    ORBLocalOnly=1

and the following in mode 3:

    ORBIIOPIPv4=1

However, it might also be necessary to stop and restart any running programs using ORBit2 for the change to take effect for them.

This might be a problem since many GNOME programs use ORBit2, so might be necessary to restart all running sessions or to only allow the SMF command to be run when no sessions are running? Or maybe it's okay for the change to take effect for newly started programs only.

Brian
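
The three modes described in the message above, as an added example that is not part of the original message or of ORBit2: a Python check that classifies the contents of an orbitrc file as lockdown, local TCP or open mode, using the key mapping the message proposes. The comment syntax, the last-assignment-wins rule and the treatment of any value other than 1 as disabled are assumptions, and the sample files are constructed.

```python
# Added example: map orbitrc contents onto the three modes from the message.
# Assumptions: one KEY=VALUE per line, '#' starts a comment, the last
# assignment wins, and only the value "1" enables a setting.
LOCKDOWN, LOCAL_TCP, OPEN = "lockdown", "local-tcp", "open"
KNOWN_KEYS = {"ORBIIOPIPv4", "ORBLocalOnly"}  # the only keys the message names

# Constructed sample files matching modes 2 and 3 in the message.
SAMPLE_LOCAL = "ORBIIOPIPv4=1\nORBLocalOnly=1\n"
SAMPLE_OPEN = "# accessibility default\nORBIIOPIPv4=1\n"

def parse_orbitrc(text):
    """Return {key: value} for every KEY=VALUE line, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def classify(text):
    """Mode 1 if TCP/IP is not enabled, mode 2 if local-only, else mode 3."""
    s = parse_orbitrc(text)
    if s.get("ORBIIOPIPv4") != "1":
        # Assumed: without ORBIIOPIPv4=1 no TCP port is opened, so
        # ORBLocalOnly on its own still counts as lockdown.
        return LOCKDOWN
    return LOCAL_TCP if s.get("ORBLocalOnly") == "1" else OPEN

def audit(text, allowed=(LOCKDOWN, LOCAL_TCP)):
    """Return (mode, compliant, keys_needing_manual_review)."""
    mode = classify(text)
    unknown = sorted(set(parse_orbitrc(text)) - KNOWN_KEYS)
    return mode, mode in allowed, unknown

if __name__ == "__main__":
    for name, text in [("empty", ""), ("local", SAMPLE_LOCAL), ("open", SAMPLE_OPEN)]:
        print(name, audit(text))
```

Keys the message does not mention are returned for manual review rather than guessed at, since they may also affect which transports ORBit2 listens on.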
