Re: Can shell-escape take advantage of needauth framework?
On Wed, Jun 28, 2017 at 02:36:49PM +0200, Guillaume MM wrote:

> + Specificity: only gnuplot is given elevated privileges, which is what
> the user wants.

So what? A system("whatever you want here") can be issued from a gnuplot script. Then, one could say about shell-escape:

+ Specificity: only latex is given elevated privileges, which is what the user wants.

Please, stop the hypocrisy.

--
Enrico
Re: Can shell-escape take advantage of needauth framework?
On 27/06/2017 at 21:00, Scott Kostyshak wrote:

> Where I think there is disagreement is on whether we take a paternalistic approach of "are you sure you know what you're doing? Think very hard about this before you do it" or a lax approach of allowing users to shoot themselves in the foot. Should we treat LyX users like teenagers or adults? I really don't know the answer.

I am in favour of treating LyX users like adults. To me, this means not reinventing the wheel and following established guidelines. See e.g. https://developer.apple.com/library/content/documentation/Security/Conceptual/SecureCodingGuide/Articles/AppInterfaces.html and the paper they mention, which has a lot of examples.

> I agree that it is late in the process, and indeed that does make stronger the proposal of "let's just revert". But this issue is not the only one holding up beta1. When we make progress on the other issues, if this one is still hanging in the air and we cannot agree on what to do, then we might need to move on and revert. My opinion is that we're not there yet.

What is your schedule in either case for implementing and testing the changes?
Re: Can shell-escape take advantage of needauth framework?
On 27/06/2017 at 23:45, Tommaso Cucinotta wrote:

> needauth was an urgently needed mitigation of the security issues behind running arbitrary external tools when compiling LyX documents; a more engineered remedy AFAICR was actually the use of sandboxing machinery, which was prototyped on Ubuntu/Linux using AppArmor.

This is also what I remember. The now secured converters were sweave and knitr, introduced in 2011 and 2012. I see that you have also introduced a gnuplot converter with an example.

+ Proportionality: unsafety is actually a main feature of gnuplot from what I understand from http://www.yqcomputer.com/320_2475_1.htm

+ Specificity: only gnuplot is given elevated privileges, which is what the user wants.

- UI problem 1: When I open the example, I immediately get the needauth dialog for showing the preview. I thought we only wanted unsafe execution when compiling the document.

- UI problem 2: If I have N scripts in the document, I am asked N times and must press "No" N times. It misses a "Never execute" button.

This is in addition to other needauth shortcomings in its current state already mentioned. It seems to me that needauth, as it is, is not ready for the addition of gnuplot. What do you think?

Guillaume