Re: running Gnome apps on an ssh session

["Thomas Ward" <tward1978 earthlink net>]

I certainly do see the problem with security, but it would certainly be nice
to run gnome apps as sudo or su and have access to them rather than having
to log all the way out of Gnome and back in as root to do one small thing.
Prier to this last post I had wondered why everytime I ran gedit as root via
sudo to edit some conf file gnopernicus would go dead and not speak until
the sudo instance of gedit was quit.

----- Original Message -----
From: "Bill Haneman" <Bill Haneman Sun COM>
To: <gnome-accessibility-list gnome org>
Sent: Saturday, January 22, 2005 4:51 PM
Subject: Re: running Gnome apps on an ssh session


> Kenny asked:
>
> >Hi.  Is this documented in bug reports?  If not, what packages need bug
> >reports filed against them?
> >
> >
> I've filed RFEs 164941 for bonobo-activation (remote activation) and
> 164942 for at-spi (remote application communication with
> at-spi-registryd).  The two are inter-related.
>
> There are some interesting questions raised here, and it's not entirely
> obvious what the best approach is.  We could, for instance, move away
> from bonobo-activation for the registry, and use an X-display-based
> technique such as stringifying the IOR in an X atom in order to locate
> the appropriate at-spi-registryd instance.  This would turn our
> per-user/host AT-SPI registry into a per-DISPLAY registration - however
> there may be some security implications in doing so.
>
> The issue of what to do about applications sharing the same display, but
> owned by different users, is even trickier, and arises when, for
> instance, a user runs an application which needs root privilege, such as
> the set-date-and-time utility.  Some such applications run the GUI as
> root too, which prevents them from connecting with the user's at-spi
> registry.  In general, one doesn't want other users to have access to
> one another's accessibility APIs because it violates the usual
> user-based security model - particular when they may be running as root.
>
> Bill
>
> >          Kenny
> >
> >
>
>
>
> >On Fri, Jan 21, 2005 at 06:42:45PM +0000, Bill Haneman wrote:
> >
> >
> >>Hi Kenny:
> >>
> >>Accessibility for remote GNOME apps is still on the roadmap.  Because
> >>the accessibility framework uses CORBA, it works in theory, but in
> >>practice, the bonobo-activation mechanism which GNOME uses to register
> >>with the at-spi registry is tied to localhost.  So the missing link is a
> >>remote bonobo-activation; once you have that, the rest should fall into
> >>place.
> >>
> >>So it's a known issue that this doesn't work yet, but making it work,
> >>though it will require some new code, should not be a big effort.
> >>
> >>Here are some technical details:
> >>
> >>1) applications load an accessibility bridge at startup, and register
> >>with the accessibility registry (at-spi-registryd) via
> >>bonobo-activation.  Due to current limitations in bonobo-activation,
> >>this registry is per-user-host, not per-display.
> >>
> >>2) the 'application instance' which is reported to the registry is
> >>network-transparent, i.e. it could be local or remote.  Once the
> >>registry, or an assistive technology, receives a reference to a remote
> >>application, it can communicate with it just as though it were local
> >>(though possibly more slowly).
> >>
> >>
> >>- Bill
> >>_______________________________________________
> >>gnome-accessibility-list mailing list
> >>gnome-accessibility-list gnome org
> >>http://mail.gnome.org/mailman/listinfo/gnome-accessibility-list
> >>
> >>
> >
> >
> >------------------------------
> >
> >_______________________________________________
> >gnome-accessibility-list mailing list
> >gnome-accessibility-list gnome org
> >http://mail.gnome.org/mailman/listinfo/gnome-accessibility-list
> >
> >
> >End of gnome-accessibility-list Digest, Vol 9, Issue 7
> >******************************************************
> >
> >
>
> _______________________________________________
> gnome-accessibility-list mailing list
> gnome-accessibility-list gnome org
> http://mail.gnome.org/mailman/listinfo/gnome-accessibility-list