Tomas G. Rokicki wrote:

>>only config files in "trusted paths" can be used for external commands etc.
>
>
> Sounds like we're getting closer to Perl's taint mode.
>
> In any case, this is the sort of thing we'd have to depend on
> kpathsea to provide, right? I don't see that happening in this
> release. Yet, not allowing
>
> o !lpr -P foo
>
> in a configuration file due to security restrictions is disappointing.
>
> Note that dvips *does* use the current directory in most of its search
> paths, so anyone can drop a config.ps as part of a dvi tarball that
> will be picked up by dvips. (Which is another issue, since security
> can be disabled in the config.ps, which is why originally dvips would
> never let you turn security *off* in config.ps . . .)
>
> Arghhh.
>
> -tom
>

And wouldn't it be possible to have the security of pipes in specials
separated from the security of pipes in output (-o)?

Furthermore, for the output pipe we could have different levels of security,
so as to keep both TeX users and unix sysadmins happy (the latter
mainly because dvips is for instance used in some printer filters which could run
with root privileges):

1) allow pipe output to any command

2) allow pipe output but only to a fixed set of commands (fixed in the sources
and not modifiable in further config files: e.g. only /usr/bin/lp [in case of running cups or SysV] and /usr/bin/lpr).

3) don't allow any output to a pipe, but only to files

4) don't allow any output to a pipe

[and for special backtick, only allow a common set of commands at
a fixed path, e.g. convert from ImageMagick]

Bye.
Giuseppe.
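A policy check along the lines Giuseppe sketches, written here as an added example in C (it is not dvips code): the level decides whether a "-o" target may be a pipe, the allowlist is compiled in rather than read from config files, and the path actually executed comes from that list, never from the config string. Assumptions: the /usr/bin paths, and that levels 3 and 4 of the proposal, which both refuse pipes, are collapsed into one.

```c
#include <stdio.h>
#include <string.h>

/* Security levels for "-o" pipe output as proposed in the message above
   (levels 3 and 4 both refuse pipes and are collapsed into FILES_ONLY here). */
enum pipe_policy { PIPE_ANY = 1, PIPE_FIXED_SET = 2, PIPE_FILES_ONLY = 3 };

/* Allowlists compiled into the binary, never overridable from config.ps.
   The paths are assumptions for illustration. */
static const char *const output_cmds[]  = { "/usr/bin/lp", "/usr/bin/lpr", NULL };
static const char *const special_cmds[] = { "/usr/bin/convert", NULL };

/* Copy the first whitespace-delimited word of s into buf (NUL-terminated). */
static void first_word(const char *s, char *buf, size_t n) {
    size_t i = 0;
    while (*s == ' ' || *s == '\t') s++;
    while (*s && *s != ' ' && *s != '\t' && i + 1 < n) buf[i++] = *s++;
    buf[i] = '\0';
}

/* Match word against a fixed list by full path or by basename; return the
   fixed path to exec, so PATH lookup is never used for an allowed command. */
static const char *lookup_fixed(const char *const *list, const char *word) {
    for (; *list; list++) {
        const char *base = strrchr(*list, '/');
        base = base ? base + 1 : *list;
        if (strcmp(word, *list) == 0 || strcmp(word, base) == 0) return *list;
    }
    return NULL;
}

/* Decide whether an "-o" destination is permitted under policy p.
   A spec starting with '!' asks for a pipe; anything else is a file.
   Returns the path to execute for a pipe, the spec itself for a file,
   or NULL when refused. */
const char *output_target(enum pipe_policy p, const char *spec) {
    char word[256];
    if (spec[0] != '!') return spec;               /* plain file: always allowed */
    if (p == PIPE_FILES_ONLY) return NULL;         /* pipes refused outright */
    first_word(spec + 1, word, sizeof word);
    if (p == PIPE_ANY) return word[0] ? spec + 1 : NULL;
    return lookup_fixed(output_cmds, word);        /* PIPE_FIXED_SET */
}

/* Backtick specials: only the fixed set, independent of the -o policy. */
const char *special_target(const char *cmd) {
    char word[256];
    first_word(cmd, word, sizeof word);
    return lookup_fixed(special_cmds, word);
}
```

The arguments after the command name are still handed to the caller; a complete implementation would pass them as an argv array rather than through a shell so the allowlist cannot be bypassed via metacharacters.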

