
Re: Bug#37606: /var/spool/texmf/ls-R unwritable



> Glad to hear all of this.  I just have one comment:
> 
> >  - The mktexlsr, mktexdir and mktexupd scripts must not be setuid.
> >    If they are, anyone could run them, which is unnecessary.  Any
> >    extra privileges they require will be gained when they are called
> >    from other setuid processes.
> 
> It seems to me that *only* these three should be setuid, since only
> these three need elevated privileges.  mktextfm, etc. should be
> changed to write the output into a scratch directory, and have
> mktexupd move it into place.
> 
> Yes, this does mean anyone can invoke them, but if properly designed
> no damage can be done, and this restricts the scope of the changes and
> the scope of the specially privileged code much better.

No, absolutely not.  If mktexupd is setuid, then anyone can make it do
anything to the ls-R file, I would guess.  And having mktex{mf,tfm,pk}
writing to a scratch directory defeats the purpose of making the fonts
directory read only, as anyone could then create a corrupt font file
in the scratch directory and run mktexupd.  The mktexupd program is
essentially only used in two situations: (1) when called from
mktex{mf,tfm,pk} and (2) when called from texconfig or a postinst.  In
the latter situations, it will be running as root if it is doing
anything useful, and all that must be done in that case is to ensure
that the ownership of the ls-R files is unchanged.  This is not too
difficult to arrange if you are running as root!

   Julian

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

  Julian Gilbey, Dept of Maths, QMW, Univ. of London. J.D.Gilbey@qmw.ac.uk
             Debian GNU/Linux Developer.  jdg@debian.org
       -*- Finger jdg@master.debian.org for my PGP public key. -*-
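As an added illustration (not code from the Debian or teTeX packages under discussion), a POSIX shell sketch of the two defensive points made above: checking that none of the mktex* scripts carries a setuid or setgid bit, and updating an ls-R file as root in a way that leaves its owner, group and mode unchanged. The script directory, the ls-R layout (one path per line) and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example; not the mktexupd shipped with TeX. Assumes ls-R is a plain
# text file with one entry per line and that scripts live in one directory.

# List mktex* scripts in DIR (default /usr/bin, an assumption) that carry a
# setuid or setgid bit.  Empty output is the expected, healthy result.
find_setuid_mktex() {
    dir="${1:-/usr/bin}"
    find "$dir" -name 'mktex*' \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Print "owner:group" of FILE using only ls and awk (POSIX).
file_owner() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# Add ENTRY to the ls-R database LSR without changing who owns it.
# Strategy: cp -p copies mode, owner and group (ownership only when running
# as root), the copy is edited, then renamed over the original in one step.
# If the copy could not keep the original owner (a non-root caller acting
# on someone else's file), the real ls-R is left untouched and 2 is returned.
lsr_add_entry() {
    lsr="$1"
    entry="$2"
    tmp="$lsr.tmp.$$"
    want=$(file_owner "$lsr") || return 1
    cp -p "$lsr" "$tmp" || return 1
    if [ "$(file_owner "$tmp")" != "$want" ]; then
        rm -f "$tmp"
        return 2
    fi
    # Do not add an entry that is already present.
    if ! grep -Fxq "$entry" "$tmp"; then
        printf '%s\n' "$entry" >> "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$lsr"
}

# Usage (as root, from texconfig or a postinst):
#   find_setuid_mktex /usr/bin          # should print nothing
#   lsr_add_entry /var/spool/texmf/ls-R fonts/pk/cmr10.600pk
```

The ownership check before the rename is the practical form of "ensure that the ownership of the ls-R files is unchanged": when the caller is root, `cp -p` preserves the owner and the rename is atomic; when the caller is not root, the function refuses rather than silently handing the file to the invoking user.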

