Bug#181065: tetex-base: dvips default output and security settings need clarification
Package: tetex-base
Version: 2.0-1
Severity: normal
There are several things to improve about the default output and default
security settings of dvips.
(1) Dvips.info (actually in tetex-bin not tetex-base) says this:
`-R'
Run securely. This disables shell command execution in `\special'
(via ``', *note Dynamic creation of graphics::) and config files
(via the `E' option, *note Configuration file commands::), pipes as
output files, and opening of any absolute filenames.
But it is no longer true that setting -R (or in config file `z1') disables
output to a pipe. I also cannot find where in the sources the loading of
absolute filenames is prohibited by secure=1, so that probably also should be
corrected -- either to implement it or to remove the claim that it is
implemented.
There is one exception, when __DJGPP__ is defined in output.c. This is
probably a bug that should be forwarded upstream out of courtesy, although it
does not affect Debian. I think if secure=1 and __DJGPP__ is defined and
output is sent to a pipe, the program will fail without any kind of error
message.
(2) The comments regarding `z*' and `o' in config.ps could be clearer.
Suggestions are below. This was more of a problem in the version before
tetex-2.0.
(3) Dvips.info documentation of the "o" configuration file option has a typo:
`o NAME'
Send output to NAME. Same as `-', *note Option details::. In the
file `config.foo', a setting like this is probably appropriate:
That should be `-o' not `-' in the second sentence.
--------------------------
In config.ps:
Existing:
% Execution of external programs is disabled by default. Set
% to z0 if you want backticks in \special commands enabled.
z1
% How to print, maybe with lp instead lpr, etc. If commented-out, output
% will go into a file by default.
% o |lpr
What it should be (and this also explains z* better):
% A setting of `z1' inhibits execution of shell commands in `\special's
% and via the `E' option in config files like this one.
% Dvips permits these operations by default or with an explicit setting of `z0'.
% Debian GNU/Linux inhibits these operations by default with the setting `z1' here.
z1
% Where dvips output should go by default. If unspecified, output goes to a file.
% To send output via a pipe directly to a printing program such as `lpr',
% use a line like one of the following two:
% o |lpr
% o |lpr -Pmyprinter
% To send output to standard-output by default, use:
% o -
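The following is an added example, not part of this bug report and not code from dvips or Debian. It parses a config.ps-style file (comment lines start with `%`, every other line is a single option letter followed by its argument) and reports the effective security and output settings the report discusses: `z1`/`z0`, `o` (file, `|pipe`, or `-` for stdout) and `E` (run a shell command from the config file). The `force_secure` parameter models `-R`; that `-R` cannot be undone by a later `z0` is an assumption of the model, not something the report establishes. The sample configs are constructed for the example. Because, as the report notes, `z1` no longer prevents output to a pipe, a piped `o` line is flagged even when secure mode is on.

```python
import re

# Constructed sample configs (not taken from any real installation).
DEBIAN_DEFAULT = """\
% Execution of external programs is disabled by default.
z1
% o |lpr
"""

PIPE_WITH_SECURE = """\
z1
o |lpr -Pmyprinter
"""

PERMISSIVE = """\
z0
E echo hello
o -
"""

# One option letter, optional whitespace, then the argument.
DIRECTIVE_RE = re.compile(r"^([A-Za-z])\s*(.*?)\s*$")


def parse_config(text):
    """Return (option_letter, argument) pairs in file order, skipping
    comment ('%') and blank lines."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            directives.append((m.group(1), m.group(2)))
    return directives


def effective_settings(text, force_secure=False):
    """Collapse the directives into the settings the report talks about.

    force_secure models the -R command-line flag. Assumption (not from the
    report): -R wins over any z0 in the config file. Later z and o lines
    override earlier ones; every E line is kept."""
    secure = force_secure
    output = None          # None: output goes to a file
    exec_cmds = []
    for opt, arg in parse_config(text):
        if opt == "z":
            # Only "z1" is treated as secure; the report shows z0 and z1 only.
            secure = force_secure or arg.strip() == "1"
        elif opt == "o":
            output = arg or None
        elif opt == "E":
            exec_cmds.append(arg)
    return {
        "secure": secure,
        "output": output,
        "output_is_pipe": bool(output) and output.startswith("|"),
        "output_is_stdout": output == "-",
        "exec_commands": exec_cmds,
    }


def audit(text, force_secure=False):
    """Return a list of human-readable findings for the given config."""
    s = effective_settings(text, force_secure)
    findings = []
    if not s["secure"]:
        findings.append("secure mode off: backticks in \\special and "
                        "E directives can run shell commands")
    for cmd in s["exec_commands"]:
        state = "blocked by secure mode" if s["secure"] else "WILL RUN"
        findings.append(f"E directive {cmd!r}: {state}")
    if s["output_is_pipe"]:
        # Per the report, z1/-R does not stop output to a pipe, so a piped
        # output line is reported whether or not secure mode is on.
        note = ("not blocked by z1/-R, contrary to the dvips.info text"
                if s["secure"] else "secure mode off")
        target = s["output"][1:].strip()
        findings.append(f"output piped to {target!r}: {note}")
    return findings


if __name__ == "__main__":
    for name, cfg in [("DEBIAN_DEFAULT", DEBIAN_DEFAULT),
                      ("PIPE_WITH_SECURE", PIPE_WITH_SECURE),
                      ("PERMISSIVE", PERMISSIVE)]:
        print(name, effective_settings(cfg))
        for f in audit(cfg):
            print("  -", f)
```

Run it against a real config.ps by reading the file into `audit()`; the Debian default above yields no findings, while the second config shows the pipe case the report says secure mode no longer covers.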
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux beth 2.4.20 #1 Fri Jan 31 16:26:56 EST 2003 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages tetex-base depends on:
ii debconf 1.2.21 Debian configuration management sy
ii dpkg 1.10.9 Package maintenance system for Deb
ii texinfo 4.2-1 Documentation system for on-line i
-- debconf information excluded