Re: #10481: Hardening LyX against potential misuse

2017-04-05 Thread Scott Kostyshak
On Sun, Apr 02, 2017 at 02:57:58PM +0200, Tommaso Cucinotta wrote: > On 01/04/2017 07:12, Scott Kostyshak wrote: > > Tommaso, any thoughts? Even if you don't have time to implement > > something yourself, your opinion would be useful. > > Hi, > > AFAICR, boundary checks on existing fields of

Re: #10481: Hardening LyX against potential misuse

2017-04-02 Thread Tommaso Cucinotta
On 01/04/2017 07:12, Scott Kostyshak wrote: Tommaso, any thoughts? Even if you don't have time to implement something yourself, your opinion would be useful. Hi, AFAICR, boundary checks on existing fields of that form, like the converter file cache expiry time, are all independent/orthogonal

Re: #10481: Hardening LyX against potential misuse

2017-03-31 Thread Scott Kostyshak
On Sat, Jan 21, 2017 at 11:35:37PM -0500, Scott Kostyshak wrote: > On Sun, Dec 04, 2016 at 12:52:13PM -0500, Scott Kostyshak wrote: > > On Sun, Dec 04, 2016 at 06:06:57PM +0100, Tommaso Cucinotta wrote: > > > On 28/11/2016 00:42, Tommaso Cucinotta wrote: > > > > On 27/11/2016 13:52, Guillaume

Re: #10481: Hardening LyX against potential misuse

2017-01-24 Thread Tommaso Cucinotta
On 22/01/2017 05:13, Scott Kostyshak wrote: But I still think that the dialog should be an error, not a warning. There is 0% chance that the export was correct. To me this suggests an error. Tommaso, what are your thoughts? agree, see [eaa3ddaf/lyxgit]. Also, highlighted that it's a

Re: #10481: Hardening LyX against potential misuse

2017-01-21 Thread Scott Kostyshak
On Sun, Dec 04, 2016 at 12:52:13PM -0500, Scott Kostyshak wrote: > On Sun, Dec 04, 2016 at 06:06:57PM +0100, Tommaso Cucinotta wrote: > > On 28/11/2016 00:42, Tommaso Cucinotta wrote: > > > On 27/11/2016 13:52, Guillaume Munch wrote: > > > > * Converters>Security is located below the converter

Re: #10481: Hardening LyX against potential misuse

2017-01-21 Thread Scott Kostyshak
On Sun, Nov 27, 2016 at 01:16:13PM +0100, Guillaume Munch wrote: > > Also regarding the "first" warning (the "Launch of external converter is > > forbidden" warning, which is the one I'm referring to above), although I > > have not closely followed the conversation I have the following comment: >

Re: #10481: Hardening LyX against potential misuse

2017-01-07 Thread Tommaso Cucinotta
On 05/01/2017 20:15, Pavel Sanda wrote: Helge Hafting wrote: According to http://stackoverflow.com/questions/10937597/security-risks-of-gnuplot-web-interface , gnuplot can be built "safer" by disabling pipe operations. That leaves the unsafe commands "shell", "system" and "!", but a simple

Re: #10481: Hardening LyX against potential misuse

2017-01-05 Thread Pavel Sanda
Helge Hafting wrote: > According to > http://stackoverflow.com/questions/10937597/security-risks-of-gnuplot-web-interface > > , > gnuplot can be built "safer" by disabling pipe operations. That leaves the > unsafe commands "shell", "system" and "!", but a simple shellscript using > "grep" can

Re: #10481: Hardening LyX against potential misuse

2017-01-05 Thread Helge Hafting
On 17 Dec 2016 00:14, Pavel Sanda wrote: Helge Hafting wrote: Protection will not be achieved in most cases, because users are used to While I agree with what you write in general about security, I do not think this is how things were implemented, so in 'most cases' you are wrong. 1.

Re: #10481: Hardening LyX against potential misuse

2017-01-05 Thread Helge Hafting
On 15 Dec 2016 21:13, Tommaso Cucinotta wrote: About chroot-ing, albeit seems doable to copy what a converter needs in the restricted root, eg, ldd gives you what dynlibs are needed, the problem stays with additional data the program might need, plus you need additional privileges to

Re: #10481: Hardening LyX against potential misuse

2016-12-29 Thread Scott Kostyshak
On Sun, Dec 18, 2016 at 12:06:02PM +0100, Kornel Benko wrote: > On Sunday, 18 December 2016 at 05:39:05, Scott Kostyshak wrote > > > On Mon, Nov 28, 2016 at 12:42:31AM +0100, Tommaso Cucinotta wrote: > > > > > what are further calls to converters? > > > > After 244de5d2,

Re: #10481: Hardening LyX against potential misuse

2016-12-18 Thread Kornel Benko
On Sunday, 18 December 2016 at 05:39:05, Scott Kostyshak wrote > On Mon, Nov 28, 2016 at 12:42:31AM +0100, Tommaso Cucinotta wrote: > > > what are further calls to converters? > > After 244de5d2, LyX crashes for me on "paste from LaTeX" and "paste from > HTML". To test,

Re: #10481: Hardening LyX against potential misuse

2016-12-18 Thread Scott Kostyshak
On Mon, Nov 28, 2016 at 12:42:31AM +0100, Tommaso Cucinotta wrote: > what are further calls to converters? After 244de5d2, LyX crashes for me on "paste from LaTeX" and "paste from HTML". To test, copy some plain text (don't copy from inside LyX because then "paste from LaTeX" will still do a

Re: #10481: Hardening LyX against potential misuse

2016-12-16 Thread Pavel Sanda
Helge Hafting wrote: > Protection will not be achieved in most cases, because users are used to While I agree with what you write in general about security, I do not think this is how things were implemented, so in 'most cases' you are wrong. 1. Unless you do informed decision and go to the

Re: #10481: Hardening LyX against potential misuse

2016-12-15 Thread Jean-Marc Lasgouttes
On 15/12/16 at 21:13, Tommaso Cucinotta wrote: On 13/12/2016 11:25, Helge Hafting wrote: that's why I'm looking into AppArmor instead, which is essentially a Seems like a good thing - especially the ability to prevent networking. No network - no LyX-based virus at least. we need both,

Re: #10481: Hardening LyX against potential misuse

2016-12-15 Thread Tommaso Cucinotta
On 13/12/2016 11:25, Helge Hafting wrote: that's why I'm looking into AppArmor instead, which is essentially a Seems like a good thing - especially the ability to prevent networking. No network - no LyX-based virus at least. we need both, file-system confinement and no networking, otherwise

Re: #10481: Hardening LyX against potential misuse

2016-12-13 Thread Helge Hafting
On 13 Dec 2016 00:06, Tommaso Cucinotta wrote: On 12/12/2016 12:04, Helge Hafting wrote: In the general case, make a script (or utility program) that runs the dangerous converter in a chroot, where nothing dangerous can be done. No need for questions then. LyX already puts the document

Re: #10481: Hardening LyX against potential misuse

2016-12-12 Thread Tommaso Cucinotta
On 12/12/2016 12:04, Helge Hafting wrote: In the general case, make a script (or utility program) that runs the dangerous converter in a chroot, where nothing dangerous can be done. No need for questions then. LyX already puts the document files in a temp directory so the cleanup after a latex

Re: #10481: Hardening LyX against potential misuse

2016-12-12 Thread Andrew Parsloe
On 13/12/2016 12:04 a.m., Helge Hafting wrote: I see a problem with this: On 06 Nov 2016 20:57, Tommaso Cucinotta wrote: Converters marked with the new "needauth" option won't be run unless the user gives explicit authorization, which is asked on-demand when the converter

Re: #10481: Hardening LyX against potential misuse

2016-12-12 Thread Helge Hafting
I see a problem with this: On 06 Nov 2016 20:57, Tommaso Cucinotta wrote: Converters marked with the new "needauth" option won't be run unless the user gives explicit authorization, which is asked on-demand when the converter is about to be run (question is not asked if the

Re: #10481: Hardening LyX against potential misuse

2016-12-10 Thread Tommaso Cucinotta
On 10/12/2016 19:58, Tommaso Cucinotta wrote: thanks! The most clear seems to me the 2nd one ("enrico-proposal") :-)! and, looking forward, the security box will likely add 2 items inside: -) the number of days authorizations granted by the user are going to last for (as discussed, to be

Re: #10481: Hardening LyX against potential misuse

2016-12-10 Thread Tommaso Cucinotta
On 10/12/2016 11:31, Enrico Forestieri wrote: On Sat, Dec 10, 2016 at 12:40:15AM +0100, Tommaso Cucinotta wrote: I confess I'm lost as to which layouts have been proposed for the converters prefs pane. Probably, having a few pics/snapshots comparing the options might be the best way to gather

Re: #10481: Hardening LyX against potential misuse

2016-12-09 Thread Tommaso Cucinotta
I confess I'm lost as to which layouts have been proposed for the converters prefs pane. Probably, having a few pics/snapshots comparing the options might be the best way to gather feedback from others. Thanks, T. On 07/12/2016 21:00, Enrico Forestieri wrote: On Wed, Dec 07, 2016

Re: #10481: Hardening LyX against potential misuse

2016-12-09 Thread Enrico Forestieri
On Fri, Dec 09, 2016 at 10:39:14AM +0100, Jean-Marc Lasgouttes wrote: > On 07/12/2016 at 21:00, Enrico Forestieri wrote: > > Why would you think that a proper implementation (if and when that will > > be performed) would need more space? However, please have a look at the > > attached patch,

Re: #10481: Hardening LyX against potential misuse

2016-12-09 Thread Jean-Marc Lasgouttes
On 07/12/2016 at 21:00, Enrico Forestieri wrote: Why would you think that a proper implementation (if and when that will be performed) would need more space? However, please have a look at the attached patch, which leaves more space to the converters definitions. No need to revert f0f555b5, as

Re: #10481: Hardening LyX against potential misuse

2016-12-08 Thread Guillaume Munch
On 05/12/2016 at 08:53, Tommaso Cucinotta wrote: On 04/12/2016 18:51, Guillaume Munch wrote: On 04/12/2016 at 18:06, Tommaso Cucinotta wrote: On 28/11/2016 00:42, Tommaso Cucinotta wrote: On 27/11/2016 13:52, Guillaume Munch wrote: * Converters>Security is located below the converter

Re: #10481: Hardening LyX against potential misuse

2016-12-08 Thread Guillaume Munch
On 05/12/2016 at 08:36, Tommaso Cucinotta wrote: On 04/12/2016 18:37, Guillaume Munch wrote: If there are n graphics, then are there n dialogs when opening the file for the first time? it asks as many times as there are (uncached) graphics needing 'needauth' converters, unless you hit the

Re: #10481: Hardening LyX against potential misuse

2016-12-07 Thread Enrico Forestieri
On Wed, Dec 07, 2016 at 06:15:02PM +0100, Jean-Marc Lasgouttes wrote: > > Yes, your patch makes the separation clearer (although I am not sure that I > like the oval rect). I thought it would have helped in distinguishing the sections, but this is a mere detail. > But the fact that this converter

Re: #10481: Hardening LyX against potential misuse

2016-12-07 Thread Jean-Marc Lasgouttes
On 07/12/2016 at 17:01, Enrico Forestieri wrote: On Wed, Dec 07, 2016 at 12:06:41PM +0100, Jean-Marc Lasgouttes wrote: I did not mean a security tab, but a "general" one that could contain: - converter file cache - security - overwrite on export (from Output|general) I don't like this

Re: #10481: Hardening LyX against potential misuse

2016-12-07 Thread Enrico Forestieri
On Wed, Dec 07, 2016 at 12:06:41PM +0100, Jean-Marc Lasgouttes wrote: > > I did not mean a security tab, but a "general" one that could contain: > > - converter file cache > - security > - overwrite on export (from Output|general) I don't like this further fragmentation. I like the fact that we

Re: #10481: Hardening LyX against potential misuse

2016-12-07 Thread Jean-Marc Lasgouttes
On 06/12/2016 at 17:37, Tommaso Cucinotta wrote: Creating a separate prefs tab might be meaningful if we had more security settings not related exclusively to converters, but keeping things together within a single converters pane has the advantage of linking clearly the security checkboxes

Re: #10481: Hardening LyX against potential misuse

2016-12-06 Thread Enrico Forestieri
On Tue, Dec 06, 2016 at 10:57:56PM +0100, Tommaso Cucinotta wrote: > On 06/12/2016 20:44, Enrico Forestieri wrote: > > > From 8f157f2d3beb48ae87f9dcd07d59ee062a7a7da0 Mon Sep 17 00:00:00 2001 > > > From: Tommaso Cucinotta > > > Date: Mon, 28 Nov 2016 00:31:46 +0100 > > > Subject:

Re: #10481: Hardening LyX against potential misuse

2016-12-06 Thread Tommaso Cucinotta
On 06/12/2016 22:57, Tommaso Cucinotta wrote: right ... couldn't find a way to restore the shortcut, other than ... rollback :(, and apply a different UI clarification fix, would look like the attached, how would u see that? as we're at it, there was a clash in shortcuts for the new two

Re: #10481: Hardening LyX against potential misuse

2016-12-06 Thread Tommaso Cucinotta
On 06/12/2016 20:44, Enrico Forestieri wrote: From 8f157f2d3beb48ae87f9dcd07d59ee062a7a7da0 Mon Sep 17 00:00:00 2001 From: Tommaso Cucinotta Date: Mon, 28 Nov 2016 00:31:46 +0100 Subject: [PATCH] Converters Prefs UI layout clarification. [...] - - Converter

Re: #10481: Hardening LyX against potential misuse

2016-12-06 Thread Enrico Forestieri
On Mon, Nov 28, 2016 at 12:42:31AM +0100, Tommaso Cucinotta wrote: > From 8f157f2d3beb48ae87f9dcd07d59ee062a7a7da0 Mon Sep 17 00:00:00 2001 > From: Tommaso Cucinotta > Date: Mon, 28 Nov 2016 00:31:46 +0100 > Subject: [PATCH] Converters Prefs UI layout clarification. [...] > -

Re: #10481: Hardening LyX against potential misuse

2016-12-06 Thread Scott Kostyshak
On Tue, Dec 06, 2016 at 06:10:52PM +0100, Enrico Forestieri wrote: > On Tue, Dec 06, 2016 at 05:37:40PM +0100, Tommaso Cucinotta wrote: > > > > Creating a separate prefs tab might be meaningful if we had more security > > settings not related exclusively to converters, but keeping things > >

Re: #10481: Hardening LyX against potential misuse

2016-12-06 Thread Enrico Forestieri
On Tue, Dec 06, 2016 at 05:37:40PM +0100, Tommaso Cucinotta wrote: > > Creating a separate prefs tab might be meaningful if we had more security > settings not related exclusively to converters, but keeping things > together within a single converters pane has the advantage of linking > clearly

Re: #10481: Hardening LyX against potential misuse

2016-12-06 Thread Tommaso Cucinotta
On 05/12/2016 23:44, Scott Kostyshak wrote: With the "Converter Definitions" label now at the same highlight/logical level as "Converter File Cache" and "Security" ones, I think there is no more the confusion about which options in the dialog are specific to a single converter. I still think it

Re: #10481: Hardening LyX against potential misuse

2016-12-06 Thread Jean-Marc Lasgouttes
On 06/12/2016 at 14:16, Enrico Forestieri wrote: I still think it is confusing. What do you think about Guillaume's idea of placing the global options above the converter definitions? Note that the appearance also depends on the used Qt style. In the attached you can see that a frame is

Re: #10481: Hardening LyX against potential misuse

2016-12-06 Thread Enrico Forestieri
On Mon, Dec 05, 2016 at 05:44:46PM -0500, Scott Kostyshak wrote: > On Mon, Dec 05, 2016 at 08:53:58AM +0100, Tommaso Cucinotta wrote: > > > With the "Converter Definitions" label now at the same highlight/logical > > level > > as "Converter File Cache" and "Security" ones, I think there is no

Re: #10481: Hardening LyX against potential misuse

2016-12-05 Thread Scott Kostyshak
On Mon, Dec 05, 2016 at 08:53:58AM +0100, Tommaso Cucinotta wrote: > With the "Converter Definitions" label now at the same highlight/logical level > as "Converter File Cache" and "Security" ones, I think there is no more the > confusion about which options in the dialog are specific to a single

Re: #10481: Hardening LyX against potential misuse

2016-12-04 Thread Tommaso Cucinotta
On 04/12/2016 18:37, Guillaume Munch wrote: If there are n graphics, then are there n dialogs when opening the file for the first time? it asks as many times as there are (uncached) graphics needing 'needauth' converters, unless you hit the "Run, and don't ask again for the same doc" button.

Re: #10481: Hardening LyX against potential misuse

2016-12-04 Thread Kornel Benko
On Sunday, 4 December 2016 at 18:51:15, Guillaume Munch wrote > On 04/12/2016 at 18:06, Tommaso Cucinotta wrote: > > On 28/11/2016 00:42, Tommaso Cucinotta wrote: > >> On 27/11/2016 13:52, Guillaume Munch wrote: > >>> * Converters>Security is located below the converter

Re: #10481: Hardening LyX against potential misuse

2016-12-04 Thread Scott Kostyshak
On Sun, Dec 04, 2016 at 06:06:57PM +0100, Tommaso Cucinotta wrote: > On 28/11/2016 00:42, Tommaso Cucinotta wrote: > > On 27/11/2016 13:52, Guillaume Munch wrote: > > > * Converters>Security is located below the converter configuration, > > > which leads to think that they are converter properties

Re: #10481: Hardening LyX against potential misuse

2016-12-04 Thread Guillaume Munch
On 04/12/2016 at 18:06, Tommaso Cucinotta wrote: On 28/11/2016 00:42, Tommaso Cucinotta wrote: On 27/11/2016 13:52, Guillaume Munch wrote: * Converters>Security is located below the converter configuration, which leads to think that they are converter properties instead of global settings.

Re: #10481: Hardening LyX against potential misuse

2016-12-04 Thread Guillaume Munch
On 28/11/2016 at 00:42, Tommaso Cucinotta wrote: eh eh, what about remembering 'needauth' (as well as cursor pos) only for those files in the recent files list :-), and collapse the 3 lists into a single one, and a single session section ? Two problems I see with this idea is that migrating

Re: #10481: Hardening LyX against potential misuse

2016-12-04 Thread Tommaso Cucinotta
On 28/11/2016 00:42, Tommaso Cucinotta wrote: On 27/11/2016 13:52, Guillaume Munch wrote: * Converters>Security is located below the converter configuration, which leads to think that they are converter properties instead of global settings. What about placing it above the converter list?

Re: #10481: Hardening LyX against potential misuse

2016-11-27 Thread Tommaso Cucinotta
On 27/11/2016 13:52, Guillaume Munch wrote: Hi Tommaso, Hi, [...] Making AppArmor work would be great too, but I suspect that it is going to be hard to have a configuration which is both secure and without hassle to the user, right, security comes often at a usability cost, hopefully we

Re: #10481: Hardening LyX against potential misuse

2016-11-27 Thread Scott Kostyshak
On Sun, Nov 27, 2016 at 01:52:20PM +0100, Guillaume Munch wrote: > * Converters>Security is located below the converter configuration, > which leads to think that they are converter properties instead of > global settings. What about placing it above the converter list? I noticed this also.

Re: #10481: Hardening LyX against potential misuse

2016-11-27 Thread Guillaume Munch
Hi Tommaso, I have been following your work on this issue with interest. Thank you, this is something that was much needed. Making AppArmor work would be great too, but I suspect that it is going to be hard to have a configuration which is both secure and without hassle to the user, especially

Re: #10481: Hardening LyX against potential misuse

2016-11-27 Thread Guillaume Munch
On 25/11/2016 at 20:50, Scott Kostyshak wrote: On Fri, Nov 25, 2016 at 02:32:37PM -0500, Scott Kostyshak wrote: I think the line-breaking in the warning dialog should be improved. The horizontal width is larger than my 13 in. screen. See attached. Note that the linebreaking on the *other*

Re: #10481: Hardening LyX against potential misuse

2016-11-25 Thread Richard Heck
On 11/25/2016 05:49 PM, Tommaso Cucinotta wrote: > On 23/11/2016 01:11, Enrico Forestieri wrote: >> On Tue, Nov 22, 2016 at 11:59:37PM +0100, Tommaso Cucinotta wrote: >>> >>> There's a couple of TODOs left: >>> 1. versioning of the preferences file, I don't know much in this >>> area, the >>>

Re: #10481: Hardening LyX against potential misuse

2016-11-25 Thread Tommaso Cucinotta
On 23/11/2016 01:11, Enrico Forestieri wrote: On Tue, Nov 22, 2016 at 11:59:37PM +0100, Tommaso Cucinotta wrote: There's a couple of TODOs left: 1. versioning of the preferences file, I don't know much in this area, the patch adds a couple of preferences options, what else is needed? Have a

Re: #10481: Hardening LyX against potential misuse

2016-11-25 Thread Scott Kostyshak
On Fri, Nov 25, 2016 at 02:32:37PM -0500, Scott Kostyshak wrote: > On Wed, Nov 23, 2016 at 10:27:03PM +0100, Tommaso Cucinotta wrote: > > > Any further comment welcome, thanks! > > I think the line-breaking in the warning dialog should be improved. The > horizontal width is larger than my 13 in.

Re: #10481: Hardening LyX against potential misuse

2016-11-23 Thread Enrico Forestieri
On Wed, Nov 23, 2016 at 10:27:03PM +0100, Tommaso Cucinotta wrote: > > One note: one way to avoid the [auth session] section growing unbounded, > might be to have an expiry timestamp, so that e.g., authorizations would > expire in ~1y or so. This might be done with a section syntax like: > >

Re: #10481: Hardening LyX against potential misuse

2016-11-23 Thread Richard Heck
On 11/23/2016 04:27 PM, Tommaso Cucinotta wrote: > On 23/11/2016 01:11, Enrico Forestieri wrote: >>> 1. versioning of the preferences file...what else is needed? >> >> Have a look at c2a18fc1 to get an idea. > > ok, thanks, do we need also anything else on the prefs2prefs side? If > not, do we

Re: #10481: Hardening LyX against potential misuse

2016-11-23 Thread Tommaso Cucinotta
On 23/11/2016 01:11, Enrico Forestieri wrote: 1. versioning of the preferences file...what else is needed? Have a look at c2a18fc1 to get an idea. ok, thanks, do we need also anything else on the prefs2prefs side? If not, do we actually need to bump up the prefs file version? What if a

Re: #10481: Hardening LyX against potential misuse

2016-11-22 Thread Enrico Forestieri
On Tue, Nov 22, 2016 at 11:59:37PM +0100, Tommaso Cucinotta wrote: > > There's a couple of TODOs left: > 1. versioning of the preferences file, I don't know much in this area, the > patch adds a couple of preferences options, what else is needed? Have a look at c2a18fc1 to get an idea. > 2.

Re: #10481: Hardening LyX against potential misuse

2016-11-22 Thread Tommaso Cucinotta
Hi, thanks Enrico & Pavel, hopefully all comments integrated in the pushed version. There's a couple of TODOs left: 1. versioning of the preferences file, I don't know much in this area, the patch adds a couple of preferences options, what else is needed? 2. persistent storage of the

Re: #10481: Hardening LyX against potential misuse

2016-11-22 Thread Enrico Forestieri
On Mon, Nov 21, 2016 at 05:50:45PM -0800, Pavel Sanda wrote: > Tommaso Cucinotta wrote: > > On 21/11/2016 01:49, LyX Ticket Tracker wrote: > >> Comment (by t.cucinotta): > >> > >> Just worked out new separate patch-set for the cross-OS needauth security > >> option for converters (asking users

Re: #10481: Hardening LyX against potential misuse

2016-11-21 Thread Pavel Sanda
Tommaso Cucinotta wrote: > On 21/11/2016 01:49, LyX Ticket Tracker wrote: >> Comment (by t.cucinotta): >> >> Just worked out new separate patch-set for the cross-OS needauth security >> option for converters (asking users if they really know what they're >> about >> to be doing). Added further

Re: #10481: Hardening LyX against potential misuse

2016-11-20 Thread Tommaso Cucinotta
On 21/11/2016 01:49, LyX Ticket Tracker wrote: Comment (by t.cucinotta): Just worked out new separate patch-set for the cross-OS needauth security option for converters (asking users if they really know what they're about to be doing). Added further global option that forbids use anyway,

Re: #10481: Hardening LyX against potential misuse

2016-11-06 Thread Tommaso Cucinotta
On 07/11/2016 00:19, Richard Heck wrote: Questions: We're not supposed just to use "Yes" and "No", right? still missing the global option to suppress any questions (assume always yes or always no), and, I think also the persisting the chosen yes/no to disk (where? any hint? what about

Re: #10481: Hardening LyX against potential misuse

2016-11-06 Thread Richard Heck
Questions: We're not supposed just to use "Yes" and "No", right? This changes the format of some file or other. Which one? Is this a format change in the relevant sense of "master only"? > diff --git a/src/Converter.cpp b/src/Converter.cpp > index 58e486e6..02631ca4 100644 > ---

Re: #10481: Hardening LyX against potential misuse

2016-11-06 Thread Tommaso Cucinotta
last patch attached. T. On 06/11/2016 20:56, LyX Ticket Tracker wrote: #10481: Hardening LyX against potential misuse | Reporter: t.cucinotta | Owner: lasgouttes | Type: enhancement | Status: new | Priority: highest

Re: #10481: Hardening LyX against potential misuse

2016-11-04 Thread Tommaso Cucinotta
forgot to attach the patch. T. On 05/11/2016 02:34, LyX Ticket Tracker wrote: #10481: Hardening LyX against potential misuse | Reporter: t.cucinotta | Owner: lasgouttes | Type: enhancement | Status: new | Priority:

Re: #10481: Hardening LyX against potential misuse

2016-11-04 Thread Richard Heck
On 11/04/2016 08:20 PM, Tommaso Cucinotta wrote: > On 05/11/2016 01:16, LyX Ticket Tracker wrote: >> Attached a first attempt at JMarc's proposed user prompt. > > here's the patch, for on-list discussion if preferred. > @@ -402,6 +405,18 @@ bool Converters::convert(Buffer const * buffer, >

Re: #10481: Hardening LyX against potential misuse

2016-11-04 Thread Tommaso Cucinotta
On 05/11/2016 01:16, LyX Ticket Tracker wrote: Attached a first attempt at JMarc's proposed user prompt. here's the patch, for on-list discussion if preferred. T. commit 2c24f0e0 Author: Tommaso Cucinotta Date: Sat Nov 5 01:00:44 2016 +0100 Add needauth option