Peter Münster wrote: > On Mon, Nov 10 2008, Yue Wang wrote: >>> As to the live, I think a patched Lua file (loslib.c) can solve this >>> problem: >>> remove the line >>> {"execute", os_execute}, >>> in the static const luaL_Reg syslib[]. >>> >> Moreover, if we do that, ConTeXt will not adapt to the "stripped down" >> LuaTeX. >> For example, mtxrun.lua contains many functions which depend on >> os.execute, and it even created some synonames as well: >> if not os.exec then os.exec = os.execute end >> if not os.spawn then os.spawn = os.execute end >> So, a simple line removal is not sufficient. > > LuaTeX (and TeX/ConTeXt in general) is not compatible with security. The > cache for example must be writable for everyone. In my opinion, the only > options for live.contextgarden.net are: > - just don't care, if there is a problem, restore from backup > - chroot jail > - virtual machine with virtual disk in non-persistent mode (at boot time > the disk is always a fresh installation) > - perhaps some other ideas... > > But adding security to LuaTeX seems to me too much work (a lot of > exceptions, heavy security audit, problems with cache, problems with > compatibility, and so on...).
there are provisions in mkiv to turn off os.execute etc in a tex run; since we have mplib embedded, there is not much reason for os.execute anyway so i can consider a --secure switch for mtx-context ----------------------------------------------------------------- Hans Hagen | PRAGMA ADE Ridderstraat 27 | 8061 GH Hasselt | The Netherlands tel: 038 477 53 69 | fax: 038 477 53 74 | www.pragma-ade.com | www.pragma-pod.nl ----------------------------------------------------------------- ___________________________________________________________________________________ If your question is of interest to others as well, please add an entry to the Wiki! maillist : ntg-context@ntg.nl / http://www.ntg.nl/mailman/listinfo/ntg-context webpage : http://www.pragma-ade.nl / http://tex.aanhet.net archive : https://foundry.supelec.fr/projects/contextrev/ wiki : http://contextgarden.net ___________________________________________________________________________________