Re: Silent/automatic execution of converter and needauth, concrete questions to clarify my understanding

2017-07-24 Thread Tommaso Cucinotta

On 23/07/2017 22:08, Christian Ridderström wrote:

> Are the settings that needauth remembers done:
> a) per document, regardless of converter
> b) per document-and-converter pair?
> c) Also per snippet of code?

it's only a), but please keep in mind this is only for those (few) converters 
tagged with the 'needauth' option in configure.py.

The rationale is that trust should be an issue with new docs never 
seen/compiled earlier only. What would it mean to trust Sweave insets in this 
doc, but NOT Gnuplot insets ? If I don't trust the document, then I should keep 
the warning every time a potentially harmful converter is attempted to be run. 
On the other hand, once I'm sure this is the doc I was expecting from my 
colleague, and I trust him/her, then it will be safe to authorize any converter 
in that doc.

> E.g., what happens if I'm keeping a document on, say, a network drive. I
> put some code in the document and execute it. When asked by needauth
> the first time, I say "always allow for the document". So the next
> time I execute the document I'm not asked again.
>
> What happens now if someone else modifies the code embedded in the
> document? Will the permission(s) still be active, so that the
> document executes the new code? Am I warned in any way?


no further warning happens here: that's to facilitate collaborative editing with 
colleagues: once I said I trust that pathname, then if I check out (git pull) a change 
from my colleagues, I don't want to be bugged again and again about risks. On the other 
hand, if I don't trust the folks I'm co-editing a .lyx doc with (which I assume to be a 
very very unlikely use-case), then I should never check that box saying "Never ask 
me again for the same doc".

Perhaps a variant could be that, even when I don't say "Never ask me again", if 
I authorize the use of a converter on a specific .lyx filename, then any further use of 
the same converter on the same file with the same time-stamp could be allowed without 
further questions to the user?

> If not, perhaps a future improvement could be to be able to approve
> specific code snippets to be executed.
> The user-dir could e.g. contain a hash of code snippets that's
> approved to be run for a certain document. Or perhaps even for all
> kinds of documents.


I'd be for keeping track of possible enhancements like this to 'needauth' as 
individual Trac items, to be linked to

  http://www.lyx.org/trac/ticket/10481

T.


Re: Silent/automatic execution of converter and needauth, concrete questions to clarify my understanding

2017-07-24 Thread Scott Kostyshak
On Tue, Jul 25, 2017 at 12:13:05AM +0200, Tommaso Cucinotta wrote:
> On 18/07/2017 00:49, Guillaume MM wrote:
> > (Another one is if the path is ~/Download/new1.lyx and you happen to
> > have given permanent permissions for a file with the same path three
> > years earlier, deleted and forgotten about since...)
> 
> there's been discussion during the needauth development about an expiry time 
> for the per-document authorization
> 
>   http://www.lyx.org/trac/ticket/10481
> 
> perhaps we should recover that add-on as a separate #, and give it a proper 
> priority ?

+1

Scott




Re: Silent/automatic execution of converter and needauth, concrete questions to clarify my understanding

2017-07-24 Thread Tommaso Cucinotta

On 18/07/2017 00:49, Guillaume MM wrote:

> (Another one is if the path is ~/Download/new1.lyx and you happen to
> have given permanent permissions for a file with the same path three
> years earlier, deleted and forgotten about since...)


there's been discussion during the needauth development about an expiry time 
for the per-document authorization

  http://www.lyx.org/trac/ticket/10481

perhaps we should recover that add-on as a separate #, and give it a proper 
priority?

Thanks,

T.


Re: Silent/automatic execution of converter and needauth, concrete questions to clarify my understanding

2017-07-23 Thread Christian Ridderström
On 18 July 2017 at 09:06, Scott Kostyshak  wrote:
> On Mon, Jul 17, 2017 at 11:53:38PM +0200, Christian Ridderström wrote:
>
>> A) In LyX 2.2.x, if I open the document, no "converters" are executed. But
>> when I attempt to generate the PDF, the document could via e.g. 'R' execute
>> arbitrary code on my computer, as if it were my user account. And this
>> would happen silently, with no warning etc.
>> Correct?
>
> Yes.
>
>> But what would happen if I used LyX 2.3.0alphaX and tried to build the
>> document?
>
> Guillaume gave a more detailed answer. The quick answer is that with the
> defaults of 2.3.0alpha1-1, you would be prompted before the R code was
> run.

Thanks, it's clearer now.

Are the settings that needauth remembers done:
a) per document, regardless of converter
b) per document-and-converter pair?
c) Also per snippet of code?

E.g., what happens if I'm keeping a document on, say, a network drive. I
put some code in the document and execute it. When asked by needauth
the first time, I say "always allow for the document". So the next
time I execute the document I'm not asked again.

What happens now if someone else modifies the code embedded in the
document?  Will the permission(s) still be active, so that the
document executes the new code?  Am I warned in any way?

If not, perhaps a future improvement could be to be able to approve
specific code snippets to be executed.
The user-dir could e.g. contain a hash of code snippets that's
approved to be run for a certain document. Or perhaps even for all
kinds of documents.
/Christian

PS. Heh.. maybe we could use Git to store approved/disapproved code
snippets as it's a content-based filesystem.
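A sketch, added here and not LyX's own code, that contrasts the per-pathname trust Tommaso describes (option a, with the expiry idea from ticket 10481 as an optional ttl) with the per-snippet hash approval Christian proposes above. The class names, the document path and the R chunks are all constructed for the example.

```python
import hashlib

def snippet_digest(converter, snippet):
    """Content-addressed key: any edit to the code yields a new key."""
    return hashlib.sha256(f"{converter}\0{snippet}".encode()).hexdigest()

class PathAuthStore:
    """Per-document trust (option a in the thread): once a pathname is trusted,
    every converter run on it is silent, whatever the content. An optional ttl
    models the expiry idea discussed for ticket 10481."""
    def __init__(self, ttl=None):
        self.trusted = {}  # path -> clock value at authorisation
        self.ttl = ttl
    def authorise(self, path, now=0):
        self.trusted[path] = now
    def must_ask(self, path, converter, snippet, now=0):
        at = self.trusted.get(path)
        if at is None:
            return True
        if self.ttl is not None and now - at > self.ttl:
            del self.trusted[path]  # expired: forget it and prompt again
            return True
        return False  # silent, even if someone else edited the snippet

class SnippetAuthStore:
    """Per-snippet trust (Christian's proposal): approval is bound to the
    converter and the exact code, so an edited chunk prompts again."""
    def __init__(self):
        self.approved = set()
    def authorise(self, path, converter, snippet):
        self.approved.add((path, snippet_digest(converter, snippet)))
    def must_ask(self, path, converter, snippet):
        return (path, snippet_digest(converter, snippet)) not in self.approved

def scenario():
    """Constructed data: user ticks 'never ask again', a colleague then edits
    the R chunk in the shared document, and later the authorisation ages out."""
    doc = "/mnt/share/report.lyx"  # constructed path, not a real file
    original = "summary(lm(y ~ x, data = d))"
    edited = "summary(lm(y ~ x + z, data = d))"
    by_path, by_snippet = PathAuthStore(ttl=3600), SnippetAuthStore()
    by_path.authorise(doc, now=0)
    by_snippet.authorise(doc, "sweave", original)
    return {
        "path_asks_after_edit": by_path.must_ask(doc, "sweave", edited, now=60),
        "path_asks_after_expiry": by_path.must_ask(doc, "sweave", original, now=7200),
        "snippet_asks_unchanged": by_snippet.must_ask(doc, "sweave", original),
        "snippet_asks_after_edit": by_snippet.must_ask(doc, "sweave", edited),
    }
```

The path store stays silent after the colleague's edit until the ttl runs out, while the snippet store re-prompts the moment the chunk changes and also ignores a later file that merely reuses the same pathname.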


Re: Silent/automatic execution of converter and needauth, concrete questions to clarify my understanding

2017-07-18 Thread Scott Kostyshak
On Mon, Jul 17, 2017 at 11:53:38PM +0200, Christian Ridderström wrote:

> A) In LyX 2.2.x, if I open the document, no "converters" are executed. But
> when I attempt to generate the PDF, the document could via e.g. 'R' execute
> arbitrary code on my computer, as if it were my user account. And this
> would happen silently, with no warning etc.
> Correct?

Yes.

> But what would happen if I used LyX 2.3.0alphaX and tried to build the
> document?

Guillaume gave a more detailed answer. The quick answer is that with the
defaults of 2.3.0alpha1-1, you would be prompted before the R code was
run.

Scott


Re: Silent/automatic execution of converter and needauth, concrete questions to clarify my understanding

2017-07-17 Thread Guillaume MM

On 17/07/2017 at 23:53, Christian Ridderström wrote:

> Hi,
>
> I've gotten lots of information from Enrico and Guillaume related to the 
> security "gap", but I'd like to boil it down to simpler questions to 
> make the situation clear to me.
>
> Assume that I've gotten a LyX document by e-mail. It was not created by 
> me, but let's say that the sender of the e-mail appears to be from a 
> colleague whom I trust, asking me to do him a favour and generate a PDF 
> because his computer is acting up. It's urgent of course...
>
> A) In LyX 2.2.x, if I open the document, no "converters" are executed. 
> But when I attempt to generate the PDF, the document could via e.g. 'R' 
> execute arbitrary code on my computer, as if it were my user account. 
> And this would happen silently, with no warning etc.
>
> Correct?
>
> But what would happen if I used LyX 2.3.0alphaX and tried to build the 
> document?
>
> B) Would LyX still allow the document to run arbitrary code on my computer?


Depends on your needauth settings.
* Never (default for a new install): no, and an error message tells you
to change the needauth settings before you can proceed.
* Enable and ask: first you get a message asking to authorise the
converter (every time or only the first time depending on whether you
chose "allow" or "always allow for the document").
* Disabled: like in 2.2.

Note that currently all this and the below appears to hold as well for
gnuplot previews, so one does not need to compile to PDF, just to open a
file (this was not the case in 2.2).


> C) Would the execution still happen "silently"?

In two cases:
* Enable and ask: if you previously clicked "always for the document".
* Disabled: it always happens silently.


> D) Can the above happen with a document completely created by someone else?

In one case:
* Disabled

(Another one is if the path is ~/Download/new1.lyx and you happen to
have given permanent permissions for a file with the same path three
years earlier, deleted and forgotten about since...)


Guillaume