On 29.06.05 Richard Lewis ([EMAIL PROTECTED]) wrote:
> Joachim Breitner <[EMAIL PROTECTED]> writes:
Hi,
> > the shipped /etc/texmf/texmf.cfg has the following lines:
> >
> > openout_any = p
> > openin_any = a
> >
> > While the first line is so far ok, the second line means, that
> > any LaTeX code run on this machine has read-access like the user
> > it runs as, that includes /etc/passwd, ~/.ssh/id_rsa,
> > ~/other_sensitive_file.
>
> > Changeing the line to
> > openin_any = p
> > solves this problem.
>
> You could use openin_any = r which just disallows opening dotfiles.
> But in any case I think this is a social problem rather than a
> software problem (you could just as easily send the user a shell
> script for them to run and send you the output (which could be
> encrypted or a postscript file as in the original example), as cat
> will happily access any file you can read, but i dont see people
> calling cat insecure!)
>
Well, calling any unchecked code with Admin permissions is insecure.
Joachim, based on this statement, do you agree that this is not
really a bug, but rather wishlist or can even be closed? Anybody
needing more security than the normal texmf.cnf provides can change
that file himself.
Regards,
Hilmar
--
The college graduate is presented with a sheepskin to cover his
intellectual nakedness.
-- Robert M. Hutchins
http://hilmarpreusse.forum-rheinland.de/
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
