Tomas G. Rokicki wrote:
> Dvips has *always* searched in the current directory first for virtually
> all files, config files, tfm files, vf files, figure files, header files,
> etc.  So all the blame on that goes to me.  This was intended as a
> feature; users sometimes want to override something, much like TeX
> searches for input files starting in the current directory and then
> moving on to the system directories and so on.
>
> From a security standpoint, this is clearly bad, as you say.  But I'm
> not sure disabling search for config files in . is, at this point,
> a great solution.  I'm sure many people use this extensively, and
> we will totally break them if we make this change.  For instance, what
> about .dvipsrc, which is *intended* as a place for the user to specify
> default config options for dvips, and it is searched for in $HOME,
> which is often the current working directory of people running dvips
> as well?
>
> Man, what a mess.
>

IMHO it depends on what is run as root and what isn't. From the point of view
of where a file is written, apart from the output, the same things affecting dvips
affect tex, latex, etc.; I'm not talking here about the buffer overruns which recently
affected old dvips, but from the point of view of pipes: if a user takes any
.tar.gz file which contains a .dvipsrc or config.ps containing

o |rm -rf / (or o |rm -rf ~)

and runs dvips file.dvi, it is like telling him to execute a shell script
containing "rm -rf /". The only difference is that it's not expected
that producing or printing a .dvi file could wipe out your home (or your system,
if running as root), either for the output or in a special like
\special{psfile=`rm -rf /2}.

So from the point of view of security the default dvips configuration should
be the one that:

1) protects the files of non-privileged users and also lets them work
without too many security complications. This can be achieved by disabling pipes (or
restricting them to a fixed set of commands [e.g. just lp, lpr for -o, and
'convert' for specials]), and by not letting non-privileged users' per-$HOME config
files or other options override the setting when PIPES are disabled in the main config file
(of course they can turn pipes off if they are enabled by default in the main config
file). On the other hand, the most common outputs to pipes are just lpr or lp
(sometimes gv), some converter (ImageMagick), or gzip for producing .ps files
in "psfile=" specials. For gzip, honestly, with current hard disk sizes not
many people are compressing single .ps files... (also because they then have to
provide manual BBoxes).

2) protects the system when dvips is run as root as a filter. The filters should have
options to keep all pipes disabled.

Bye.
Giuseppe.
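The policy proposed in the message above, as an added example that is not dvips code and not part of the original thread: a checker for dvips-style `o dest` output directives where a destination starting with `|` is a pipe to a command. It assumes a hypothetical `pipes` directive (off / allow / on) standing in for the main-config switch the proposal asks for, the allowlist {lp, lpr} named in the message, `%` as the config comment character, and constructed sample config texts. A per-user or current-directory config may only tighten the main policy, never loosen it, and an allowed pipe is returned as an argv list meant to be executed without a shell.

```python
"""Policy check for dvips-style output directives (added example, not dvips code)."""
import shlex
from dataclasses import dataclass

# Fixed set of pipe commands from the proposal (for -o / the `o` directive).
ALLOWED_PIPE_COMMANDS = frozenset({"lp", "lpr"})

# Ordering used to decide whether a lower-privilege config tightens or loosens.
RANK = {"off": 0, "allow": 1, "on": 2}

# Constructed sample configs.  The "pipes" directive is hypothetical.
MAIN_CONFIG_ALLOWLIST = "% system-wide config.ps (constructed)\npipes allow\no |lpr\n"
MAIN_CONFIG_OFF = "% system-wide config.ps for a root filter (constructed)\npipes off\no dvips.ps\n"
USER_CONFIG = (
    "% .dvipsrc or config.ps found in the current directory (constructed)\n"
    "o out.ps\n"
    "o |lpr -Pps\n"
    "o |gzip -c\n"
)
USER_CONFIG_ENABLE = "% untrusted config trying to re-enable pipes (constructed)\npipes on\no |gzip -c\n"


@dataclass(frozen=True)
class Policy:
    pipes: str = "on"                      # "on", "allow" (allowlist only) or "off"
    allow: frozenset = ALLOWED_PIPE_COMMANDS


def parse_config(text):
    """Return (pipes setting or None, list of `o` destinations) from config text."""
    pipes, outputs = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%"):   # assumption: % starts a comment
            continue
        parts = line.split(None, 1)
        key, arg = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "o":
            outputs.append(arg)
        elif key == "pipes":                    # hypothetical directive
            if arg not in RANK:
                raise ValueError(f"bad pipes setting: {arg!r}")
            pipes = arg
    return pipes, outputs


def merge_policy(main, user_setting):
    """A user/CWD config may only tighten the main policy, never loosen it."""
    if user_setting is None or RANK[user_setting] >= RANK[main.pipes]:
        return main
    return Policy(pipes=user_setting, allow=main.allow)


def classify_output(dest, policy):
    """Return ('file', path) or ('pipe', argv); raise PermissionError if forbidden."""
    if not dest.startswith("|"):
        return ("file", dest)
    if policy.pipes == "off":
        raise PermissionError(f"pipes disabled by policy: {dest!r}")
    argv = shlex.split(dest[1:])
    if not argv:
        raise ValueError("empty pipe command")
    # Bare command name only (no path lookup tricks) and on the allowlist.
    # The returned argv must be exec'd directly, never through a shell.
    if policy.pipes == "allow" and ("/" in argv[0] or argv[0] not in policy.allow):
        raise PermissionError(f"command not on allowlist: {argv[0]!r}")
    return ("pipe", argv)


def check_run(main_text, user_text):
    """Evaluate main config plus a user/CWD config; return (effective pipes, verdicts)."""
    main_setting, _ = parse_config(main_text)
    user_setting, user_outputs = parse_config(user_text)
    policy = merge_policy(Policy(pipes=main_setting or "on"), user_setting)
    verdicts = []
    for dest in user_outputs:
        try:
            verdicts.append((dest, classify_output(dest, policy)))
        except PermissionError as err:
            verdicts.append((dest, ("denied", str(err))))
    return policy.pipes, verdicts


if __name__ == "__main__":
    for main_cfg, user_cfg in ((MAIN_CONFIG_ALLOWLIST, USER_CONFIG),
                               (MAIN_CONFIG_OFF, USER_CONFIG_ENABLE)):
        mode, verdicts = check_run(main_cfg, user_cfg)
        print(f"effective pipes={mode}")
        for dest, verdict in verdicts:
            print(f"  {dest!r:20} -> {verdict}")
```

With the allowlist main config, `o |lpr -Pps` is accepted as `["lpr", "-Pps"]` while `o |gzip -c` is denied; with pipes off in the main config, a current-directory config saying `pipes on` has no effect.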
