On Thu, 10 Aug 2006, Mark Taylor wrote:
> To talk to GAIA's socket you at least need to know what port number
> it's at and I think you also need a cookie - to find both these
No need for a cookie. Just the port number. And you could make a guess at
it anyway if you cared.
It's never been secure. At one point oracdr at ukirt started displaying
images on the wrong gaia. It was only when we modified GAIA to allow it to
write the rtd-remote file to a non-standard location that that stopped.
> bits of information you need to look in ~/.rtd-remote.
> I had assumed that this had permissions like 0600, but looking I see
> that mine is currently 0644. So anyone who can see my home disk
Yep. Access to the .rtd-remote file is all that is needed (and it even
tells you which host to use).
>> problem that TOPCAT was going to make this all trivial by popping up a
>> "please supply arbitrary code for GAIA to execute" popup?
>
> No, this facility won't be obvious to anybody who doesn't look quite
> carefully at various bits of documentation.
>
So the RMI port is the real issue.
> Well I don't mind adding this back in (it's a 3-liner) if you're
Let's see what Peter thinks but I'm willing to bet that it's only barely
more insecure than GAIA itself and the real trick would be to make gaia
restrict the messages it can receive.
--
Tim Jenness
JAC software
http://www.jach.hawaii.edu/~timj