Subject: Re: bsetroot in {black,open}box
To: Jan Schaumann <jschauma@netmeister.org>
From: Greg A. Woods <woods@weird.com>
List: tech-pkg
Date: 11/20/2002 21:18:51
[ On Wednesday, November 20, 2002 at 20:28:42 (-0500), Jan Schaumann wrote: ]
> Subject: Re: bsetroot in {black,open}box
>
> A theme in blackbox (or openbox) is a single text file, which describes
> the attributes of the windows.  It also includes a line specifying what
> to do about the root-window, in particular, it may contain a command
> that is executed -- this command is _intended_ to set the background,
> but could possibly be used to execute *any* command.
> 
> Since it's used to set the background in virtually all themes, these
> themes actually do call, *literally*, "bsetroot <args>".  If the
> command 'bsetroot' does not exist (b/c it has been renamed to
> 'foobox-bsetroot'), the theme will not work.

OK, so these window managers do indeed have a very badly designed
framework for controlling their appearance via their "themes", just as I
feared.  They allow the theme to specify an actual command to be run
instead of more properly requiring that it specify just the desired
result in an implementation independent manner.

However, assuming all themes do exactly as you say and literally say
"bsetroot" and pass it some parameters, then the problem can be fixed
such that the window manager directly interprets this command and
translates it into whatever it wants (including just internally doing the
work itself, though that would bloat the wm with infrequently used code
I suppose).

Of course such a fix is probably beyond the realm of pkgsrc unless
someone wants to pioneer it and propose it as a fix to both pkgsrc and
the original maintainers which both resolves what could be considered to
be a rather serious security flaw; as well as being a fix to the
filename collision issue which started this thread.

I personally would think that would be a good security fix for pkgsrc to
maintain regardless of what the original code maintainers do.  Even I
sometimes download "themes" for various programs without expecting that
they can specify arbitrary code to be run (and yes, I do even try to
avoid browser themes that include Java$ript :-).

Personally I'm going to just mark in my local pkgsrc that blackbox and
all the other blackbox-derived window managers are broken due to this,
and thus not install them on any of my machines.  :-)

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
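
The fix proposed in the message above, where the window manager interprets the theme's "bsetroot <args>" line itself instead of executing it, shown as an added example (not part of the original message and not blackbox, openbox or pkgsrc code). The function name parse_root_command and the accepted option list are assumptions made for this example.

```cpp
#include <cctype>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Options the window manager agrees to honour, with the number of values
// each one takes. This allowlist is an assumption made for the example.
static const std::map<std::string, int> kAllowedOptions = {
    {"-solid", 1}, {"-mod", 2}, {"-gradient", 1},
    {"-from", 1},  {"-to", 1},  {"-fg", 1}, {"-bg", 1},
};

// A value may only look like a colour name, a number, #rrggbb or
// rgb:xx/xx/xx. Quotes, ';', '$', '`', '|' and the like never pass.
static bool safe_value(const std::string& s) {
    if (s.empty() || s[0] == '-') return false;
    for (unsigned char c : s)
        if (!(std::isalnum(c) || c == '#' || c == ':' || c == '/'))
            return false;
    return true;
}

// Hypothetical helper: translate the theme's command line into a
// background request the window manager can act on internally.
// Returns false, leaving spec untouched, unless the line is literally
// "bsetroot" followed only by allowed options and safe values.
// Nothing from the theme is ever handed to a shell.
bool parse_root_command(const std::string& line,
                        std::vector<std::string>& spec) {
    std::istringstream in(line);
    std::string tok;
    std::vector<std::string> out;
    if (!(in >> tok) || tok != "bsetroot") return false;
    while (in >> tok) {
        auto it = kAllowedOptions.find(tok);
        if (it == kAllowedOptions.end()) return false;
        out.push_back(tok);
        for (int i = 0; i < it->second; ++i) {
            if (!(in >> tok) || !safe_value(tok)) return false;
            out.push_back(tok);
        }
    }
    if (out.empty()) return false;
    spec.swap(out);
    return true;
}
```

A theme line that fails the check would be ignored (or logged) and the root window left as it is.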