Olaf Weber writes:
> christoph martin writes:
> > [EMAIL PROTECTED] writes:
>
> >> Package: tetex-base
> >> Version: 0.9-7
> >>
> >> When the user first hits an ungenerated font then "permission denied"
> >> messages are plentiful... :)
>
> > The fonts get generated correctly, but it is a security problem to let
> > everybody write the ls-R file.
>
> But how much of a security risk is it? It would mean a normal user
> could clobber the file if he wanted to, which is a kind of denial of
> service attack. But are there any other risks?

A normal user could replace the file with a link to some other file, say
/vmlinuz or a file in another user's homedir. Then if root or this other
user tries to write ls-R he/she would write to /vmlinuz or other files.

BTW it is Debian policy to not have world-writable files.

>
> And how do those risks compare with the ability to base a denial of
> service attack on /var/cache/fonts (or whatever you call it) being
> world-writable? (mode 1777)

Here you can only write to files which you yourself have created.

>
> > TeX can find the generated fonts even without them noted in the ls-R
> > file. But to speed it up they can be in the ls-R file. For this reason
> > there is a cronjob every day which updates the ls-R files.
>
> Note that it is possible to create a texmf.cnf which ensures that
> generated fonts not mentioned in the ls-R file _won't_ be found. Just
> use !! in the definition of VARTEXFONTS.

If you want this you can do it, but it is not standard.

Christoph
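
The link replacement described in the reply above can be detected and refused by whatever process rewrites ls-R. The following is an added example, not part of the original thread or of teTeX; the function names, the temporary directory with mode 0777 and the `victim` file standing in for /vmlinuz are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_write_target(path):
    """Return reasons why a privileged process should not write to path."""
    findings = []
    st = os.lstat(path)                      # lstat inspects the link itself
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink -> " + os.readlink(path))
    elif st.st_mode & stat.S_IWOTH:
        findings.append("world-writable file")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory world-writable without sticky bit")
    return findings

def safe_overwrite(path, data):
    """Rewrite an existing file, refusing to follow a symlink planted at path."""
    # With O_NOFOLLOW the open fails (ELOOP) before O_TRUNC can touch a link target.
    fd = os.open(path, os.O_WRONLY | os.O_TRUNC | os.O_NOFOLLOW)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: an ls-R database in a directory anyone can modify."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o777)                       # assumption: no sticky bit on the directory
    db = os.path.join(d, "ls-R")
    victim = os.path.join(d, "victim")       # stands in for /vmlinuz
    for p in (db, victim):
        with open(p, "w") as f:
            f.write("original\n")
    os.chmod(db, 0o666)                      # the world-writable ls-R from the report
    before = audit_write_target(db)
    os.remove(db)
    os.symlink(victim, db)                   # the replacement described in the thread
    after = audit_write_target(db)
    try:
        safe_overwrite(db, b"new ls-R contents\n")
        blocked = False
    except OSError:
        blocked = True
    with open(victim) as f:
        return before, after, blocked, f.read()
```

O_NOFOLLOW only guards the final path component, so the directories above the file must also not be writable by untrusted users.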