In the previous months, I was using the new ROOT functionality of opening the TBrowser (running remotely on lxplus) on my local computer using ssh port forwarding (since it is far more efficient). I recently found out about the security issue that disabled this feature, and I was wondering whether there is a working recipe for making it work again safely.
I tried both with my custom ssh configuration and with the rootssh command, with no results.
Best,
Tommaso
ROOT Version: 6.30/05 Platform: Red Hat Enterprise Linux 9.3 Compiler: GCC 13.1.0
Because of a security issue, several things were changed in the 6.30.04 release:
the "classical" TBrowser is used by default
the --web flag was deactivated for the root executable
the loopback device (127.0.0.1) is really used by default for all web widgets
the main exploit of RBrowser via reconnecting to it is now not possible
In such a configuration, usage of web widgets on private notebooks/desktops should be secure.
This is also true if web widgets are used on public nodes like lxplus via the rootssh utility,
since there unix sockets with restricted access are involved.
But while no user authentication is implemented in the 6.30.xx versions,
we advise that web widgets should be used only by experienced people who can ensure:
nobody else can log in on their desktop/notebook and try to exploit the ROOT webgui
use rootssh and onlyrootssh when working on remote nodes
To enable web-based widgets (RBrowser, RGeomViewer, TWebCanvas) again, one has to
call gROOT->SetWebDisplay() in the ROOT prompt. Like:
[shell] root -l
root [0] gROOT->SetWebDisplay()
root [1] new TBrowser
The same is true when working on remote nodes via rootssh. Just do:
At the same time, we already have a solution which involves user authentication and data packet signing, which should exclude the possibility of non-authorized access to the ROOT application. This should be merged soon into the master branch and will appear in ROOT version 6.32, where RBrowser will be the default again.
Dear Sergey @linev,
Thanks for your reply! While waiting for the new updates, I will cautiously use this solution, which works.
Just an additional point: on lxplus9, the default ROOT version (6.30/02) is not compiled for using these features (the above-mentioned procedure fails). For now, I use external ROOT versions from cvmfs (via LCG), but of course using this on the system version would make things easier.
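Both replies above hinge on which ROOT build one is sitting on: the loopback and reconnect fixes arrived in 6.30.04, and the lxplus9 system ROOT (6.30/02) predates them and lacks webgui. The following POSIX sh helper, added here as an example and not part of the thread or of ROOT itself, parses ROOT's "major.minor/patch" version strings and tells you whether a build is at or past the hardened release before you call gROOT->SetWebDisplay(). It assumes root-config is in PATH and that `root-config --has-webgui` answers yes/no (a labelled assumption about root-config's feature flags).

```shell
#!/bin/sh
# Added example (not from the forum thread or the ROOT project).
# Decides whether a ROOT build carries the 6.30.04 web-widget hardening
# (loopback-only binding, RBrowser reconnect fix) before enabling web widgets.

# Strip leading zeros so "05" or "08" is never parsed as octal by $(( )).
strip0() { _s=${1#${1%%[!0]*}}; printf '%s' "${_s:-0}"; }

# root_version_num "6.30/05" -> 63005  (major*10000 + minor*100 + patch).
# Accepts ROOT's "6.30/05" form as well as plain "6.32.00".
root_version_num() {
    _v=$(printf '%s' "$1" | tr '/' '.')
    _major=${_v%%.*}; _rest=${_v#*.}
    _minor=${_rest%%.*}; _patch=${_rest#*.}
    [ "$_patch" = "$_rest" ] && _patch=0   # no patch component given
    printf '%d\n' $(( $(strip0 "$_major") * 10000 \
                    + $(strip0 "$_minor") * 100 \
                    + $(strip0 "$_patch") ))
}

# Exit 0 if the given version is 6.30/04 or newer, 1 otherwise.
root_web_hardened() {
    [ "$(root_version_num "$1")" -ge "$(root_version_num 6.30/04)" ]
}

# Inspect the ROOT found in PATH. Exit 2 if none, 1 if web widgets should
# stay off (old build or no webgui), 0 if the hardened web widgets are present.
check_local_root() {
    command -v root-config >/dev/null 2>&1 || { echo "root-config not in PATH"; return 2; }
    ver=$(root-config --version)
    # Assumption: --has-webgui prints "yes"/"no" like other root-config --has-* flags.
    if ! root-config --has-webgui 2>/dev/null | grep -q '^yes'; then
        echo "ROOT $ver: built without webgui, web widgets unavailable"; return 1
    fi
    if root_web_hardened "$ver"; then
        echo "ROOT $ver: 6.30.04 hardening present; loopback-bound web widgets can be enabled"
    else
        echo "ROOT $ver: predates the 6.30.04 hardening; keep the classical TBrowser"; return 1
    fi
}

[ "${1:-}" = "--check" ] && check_local_root
```

Run it as `sh check_root_web.sh --check` on the node in question (for instance lxplus9 versus an LCG view) to see which verdict applies to that build.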