Re: Silent/automatic execution of converter and needauth, concrete questions to clarify my understanding
On 23/07/2017 22:08, Christian Ridderström wrote:
> Are the settings that needauth remembers done:
> a) per document, regardless of converter
> b) per document-and-converter pair?
> c) Also per snippet of code?

it's only a), but pls keep in mind this is only for those (few) converters tagged with the 'needauth' option in configure.py. The rationale is that trust should be an issue with new docs never seen/compiled earlier only. What would it mean to trust Sweave insets in this doc, but NOT Gnuplot insets ? If I don't trust the document, then I should keep the warning every time a potentially harmful converter is attempted to be run. On the other hand, once I'm sure this is the doc I was expecting from my colleague, and I trust him/her, then it will be safe to authorize any converter in that doc.

> E.g., what happens if I'm keeping a document on say a network drive. I put some code in the document and execute it. When asked by needauth the first time, I say "always allow for the document". So the next time I execute the document I'm not asked again. What happens now if someone else modifies the code embedded in the document? Will the permission(s) still be active, so that the document executes the new code? Am I warned in any way?

no further warning happens here: that's to facilitate collaborative editing with colleagues: once I said I trust that pathname, then if I check out (git pull) a change from my colleagues, I don't want to be bugged again and again about risks. On the other hand, if I don't trust the folks I'm co-editing a .lyx doc with (which I assume to be a very very unlikely use-case), then I should never check that box saying "Never ask me again for the same doc".

Perhaps a variant could be that, even when I don't say "Never ask me again", if I authorize the use of a converter on a specific .lyx filename, then any further use of the same converter on the same file with the same time-stamp could be allowed without further questions to the user ?

> If not, perhaps a future improvement could be to be able to approve specific code snippets to be executed. The user-dir could e.g. contain a hash of code snippets that's approved to be run for a certain document. Or perhaps even for all kinds of documents.

I'd be for keeping track of possible enhancements like this to 'needauth' as individual Trac items, to be linked to

http://www.lyx.org/trac/ticket/10481

T.
Re: Silent/automatic execution of converter and needauth, concrete questions to clarify my understanding
On Tue, Jul 25, 2017 at 12:13:05AM +0200, Tommaso Cucinotta wrote:
> On 18/07/2017 00:49, Guillaume MM wrote:
> > (Another one is if the path is ~/Download/new1.lyx and you happen to
> > have given permanent permissions for a file with the same path three
> > years earlier, deleted and forgotten about since...)
>
> there's been discussion during the needauth development about an expiry time
> for the per-document authorization
>
> http://www.lyx.org/trac/ticket/10481
>
> perhaps we should recover that add-on as a separate #, and give it a proper
> priority ?

+1

Scott
Re: Silent/automatic execution of converter and needauth, concrete questions to clarify my understanding
On 18/07/2017 00:49, Guillaume MM wrote:
> (Another one is if the path is ~/Download/new1.lyx and you happen to have given permanent permissions for a file with the same path three years earlier, deleted and forgotten about since...)

there's been discussion during the needauth development about an expiry time for the per-document authorization

http://www.lyx.org/trac/ticket/10481

perhaps we should recover that add-on as a separate #, and give it a proper priority ?

Thanks, T.
Re: Silent/automatic execution of converter and needauth, concrete questions to clarify my understanding
On 18 July 2017 at 09:06, Scott Kostyshak wrote:
> On Mon, Jul 17, 2017 at 11:53:38PM +0200, Christian Ridderström wrote:
>
>> A) In LyX 2.2.x, if I open the document, no "converters" are executed. But
>> when I attempt to generate the PDF, the document could via e.g. 'R' execute
>> arbitrary code on my computer, as if it were my user account. And this
>> would happen silently, with no warning etc.
>> Correct?
>
> Yes.
>
>> But what would happen if I used LyX 2.3.0alphaX and tried to build the
>> document?
>
> Guillaume gave a more detailed answer. The quick answer is that with the
> defaults of 2.3.0alpha1-1, you would be prompted before the R code was
> run.

Thanks, it's clearer now.

Are the settings that needauth remembers done:
a) per document, regardless of converter
b) per document-and-converter pair?
c) Also per snippet of code?

E.g., what happens if I'm keeping a document on say a network drive. I put some code in the document and execute it. When asked by needauth the first time, I say "always allow for the document". So the next time I execute the document I'm not asked again. What happens now if someone else modifies the code embedded in the document? Will the permission(s) still be active, so that the document executes the new code? Am I warned in any way?

If not, perhaps a future improvement could be to be able to approve specific code snippets to be executed. The user-dir could e.g. contain a hash of code snippets that's approved to be run for a certain document. Or perhaps even for all kinds of documents.

/Christian

PS. Heh.. maybe we could use Git to store approved/disapproved code snippets as it's a content based filesystem.
Re: Silent/automatic execution of converter and needauth, concrete questions to clarify my understanding
On Mon, Jul 17, 2017 at 11:53:38PM +0200, Christian Ridderström wrote:

> A) In LyX 2.2.x, if I open the document, no "converters" are executed. But
> when I attempt to generate the PDF, the document could via e.g. 'R' execute
> arbitrary code on my computer, as if it were my user account. And this
> would happen silently, with no warning etc.
> Correct?

Yes.

> But what would happen if I used LyX 2.3.0alphaX and tried to build the
> document?

Guillaume gave a more detailed answer. The quick answer is that with the defaults of 2.3.0alpha1-1, you would be prompted before the R code was run.

Scott
Re: Silent/automatic execution of converter and needauth, concrete questions to clarify my understanding
On 17/07/2017 at 23:53, Christian Ridderström wrote:
> Hi,
>
> I've gotten lots of information from Enrico and Guillaume related to the security "gap", but I'd like to boil it down to simpler questions to make the situation clear to me.
>
> Assume that I've gotten a LyX document by e-mail. It was not created by me, but let's say that the sender of the e-mail appears to be from a colleague whom I trust, asking me to do him a favour and generate a PDF because his computer is acting up. It's urgent of course...
>
> A) In LyX 2.2.x, if I open the document, no "converters" are executed. But when I attempt to generate the PDF, the document could via e.g. 'R' execute arbitrary code on my computer, as if it were my user account. And this would happen silently, with no warning etc.
> Correct?
>
> But what would happen if I used LyX 2.3.0alphaX and tried to build the document?
>
> B) Would LyX still allow the document to run arbitrary code on my computer?

Depends on your needauth settings.

* Never (default for a new install): no, and an error message tells you to change the needauth settings before you can proceed.
* Enable and ask: first you get a message asking to authorise the converter (every time or only the first time depending on whether you chose "allow" or "always allow for the document").
* Disabled: like in 2.2.

Note that currently all this and the below appears to hold as well for gnuplot previews, so one does not need to compile to PDF, just to open a file (this was not the case in 2.2).

> C) Would the execution still happen "silently"?

In two cases:

* Enable and ask: if you previously clicked "always for the document".
* Disabled: it always happens silently.

> D) Can the above happen with a document completely created by someone else?

In one case:

* Disabled

(Another one is if the path is ~/Download/new1.lyx and you happen to have given permanent permissions for a file with the same path three years earlier, deleted and forgotten about since...)

Guillaume
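
A small model of the trust-store behaviour discussed across this thread, added here as an illustration and not taken from LyX or from any poster: `PathTrustStore` mimics "always allow for the document" keyed by path only, while `HashTrustStore` is a hypothetical variant that binds the approval to a SHA-256 of the whole file (a simplification of the per-snippet idea) and expires it after an assumed one year. All class and function names, the lifetime and the sample chunks are constructed.

```python
import hashlib

YEAR = 365 * 24 * 3600
LIFETIME = YEAR  # assumed expiry for a stored approval; the thread fixes no value

class PathTrustStore:
    """Models "always allow for the document": approval keyed by path only."""

    def __init__(self):
        self._paths = set()

    def approve(self, path, content, now):
        self._paths.add(path)

    def needs_prompt(self, path, content, now):
        return path not in self._paths

class HashTrustStore:
    """Hypothetical variant: approval bound to path + SHA-256, with expiry."""

    def __init__(self, lifetime=LIFETIME):
        self._lifetime = lifetime
        self._approved = {}  # path -> (sha256 hex digest, approval time)

    def approve(self, path, content, now):
        self._approved[path] = (hashlib.sha256(content).hexdigest(), now)

    def needs_prompt(self, path, content, now):
        entry = self._approved.get(path)
        if entry is None:
            return True
        sha, approved_at = entry
        if now - approved_at > self._lifetime:
            del self._approved[path]  # stale grant: forget it and ask again
            return True
        return sha != hashlib.sha256(content).hexdigest()

def run_scenario(store):
    """Approve once, then replay the three situations raised in the thread."""
    path = "~/Download/new1.lyx"
    original = b"<<>>=\nplot(1:10)\n@\n"        # constructed sample chunk
    edited = b"<<>>=\nsource('other.R')\n@\n"   # constructed: someone changed it
    store.approve(path, original, now=0)
    return {
        "unchanged": store.needs_prompt(path, original, now=60),
        "edited": store.needs_prompt(path, edited, now=120),
        "same_path_3y_later": store.needs_prompt(path, edited, now=3 * YEAR),
    }
```

The path-keyed store never prompts again in any of the three cases; the hash-bound store stays quiet only for the unchanged file, at the cost of a new prompt after every collaborative edit.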