On 2017-07-18, Christian Ridderström wrote:

> If I had to use a converter that requires e.g. shell-escape perhaps the
> approach below would be useful. What problems do you see with it?

> 1) Use two lyx user directories, one standard and one "dangerous", with
> converters using shell-escape only in the dangerous lyx.
> 2) Create a tiny shell script or a desktop icon etc to launch "dangerous"
> lyx using the "dangerous" user dir.
> 3) Configure dangerous lyx to have a reddish background colour.
> 4) By default work in the regular lyx and only use the dangerous lyx
> for documents where converters are needed.

As an alternative, you could define a separate converter for "insecure
latex":

1) Under Tools>Preferences>File Handling>File Formats define a new format,
   e.g. "PDF (pdflatex with shell escape)"
2) Under Tools>Preferences>File Handling>Converters define a converter from
   LaTeX (pdflatex) to the new format.
3) Use this new converter via the toolbar or menu for files requiring
   write18 shell access.

> Justification:
> The 1) allows me to have converters permanently configured in a dangerous
> mode, and through 4) I select in which mode I work. The 4) also reduces
> risk exposure as I should not open documents from strangers in the
> dangerous lyx.

There is one possible drawback in the alternative: if an attacker knows
about my converter and its name, he/she may set it as default format in the
document. Therefore, I don't propose this as a workaround to ship with LyX.

> The 2) makes it easy for me to launch the dangerous lyx. I've actually used
> this approach for a requirements tool, to open it in a special mode.

The separate converter

* bypasses the need for an extra directory and script, and
* allows postponing the decision whether shell escape should be allowed
  until the very view/export action.

> The 3) makes it clear to me in which LyX I'm working.

In the alternative, selecting a non-default export/view format instead of
the simple default is a constant reminder of the added risk.
Alternatively, in a secure environment documents requiring write18 may set
the default format accordingly.

> By working as per above I'm reducing exposure and don't have to worry about
> shell-escape in normal documents.

Ditto.

> PS. Documentation-wise, I don't think it'd be that difficult to explain how
> it's done.

I don't think we should document this in a very prominent place. Instead,
these approaches could be recommended as more secure alternatives at places
suggesting to add shell-escape unconditionally.

Günter
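
The drawback named in the message above (a document presetting the shell-escape format as its default) can be checked for before a file from someone else is opened. The following is an added example, not part of the original message or of LyX: it reads the `\default_output_format` setting from a .lyx header and flags it when it names a shell-escape format. The short name `pdf_shell_escape` is a hypothetical stand-in for whatever name the new format was given, and the sample headers are constructed.

```python
import gzip
import re

# Hypothetical short names of formats whose converters run with shell escape.
RISKY_FORMATS = {"pdf_shell_escape"}

HEADER_END = "\\end_header"
DEFAULT_FMT = re.compile(r"^\\default_output_format\s+(\S+)\s*$")


def read_lyx_text(data: bytes) -> str:
    """Decode a .lyx file, handling LyX's gzip-compressed save format."""
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes
        data = gzip.decompress(data)
    return data.decode("utf-8", errors="replace")


def default_output_format(data: bytes):
    """Return the header's \\default_output_format value, or None if absent."""
    for line in read_lyx_text(data).splitlines():
        if line.strip() == HEADER_END:
            break  # only the header sets it; body text must not count
        match = DEFAULT_FMT.match(line)
        if match:
            return match.group(1)
    return None


def is_risky(data: bytes, risky=RISKY_FORMATS) -> bool:
    """True if the document preselects a shell-escape format as its default."""
    return default_output_format(data) in risky


# Constructed sample headers (not real documents).
SAFE_DOC = (
    b"#LyX 2.2 created this file.\n"
    b"\\lyxformat 508\n"
    b"\\begin_document\n"
    b"\\begin_header\n"
    b"\\default_output_format default\n"
    b"\\end_header\n"
)
RISKY_DOC = SAFE_DOC.replace(b"format default", b"format pdf_shell_escape")

if __name__ == "__main__":
    for name, doc in (("safe", SAFE_DOC), ("risky", RISKY_DOC)):
        print(name, default_output_format(doc), is_risky(doc))
```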