
Re: Bug#37606: /var/spool/texmf/ls-R unwritable



> The main reason I didn't want to have mktex{mf,tfm,pk} be setuid is
> because they run all sorts of different programs - metafont, gsftopk,
> etc. - which can (IIRC) be replaced by the user.  Even if they can't,
> their inputs can, and the inputs are Turing-complete macro languages.
> If mktex{mf,tfm,pk} drop privileges before invoking the real generator
> programs, I'll be happy.

I don't think it would work to drop privileges before starting up the
generator programs -- that would defeat the point.  But what must be
done is: clear the environment, reset PATH to something known and
secure and setuid(geteuid()).  The combined effect of the first and
third of these would also result in the texmf search paths being
unaffected by anything that the user might do, which is crucially
important.  Resetting PATH prevents the user from getting their own
programs into the works.  And the fact that this will run as a
dedicated user (tex) means that if there were any security holes, the
worst that could be done is to interfere with the generated fonts,
which would be hardly worse than the present situation.  And
hopefully, the result will be secure, and then we are a lot better
off.

> I would also rather not install suidperl if it can be avoided.

I had realised that from other people's postings on another issue.
It's something I'm thinking about, but my ideas on how to write these
scripts as setuid scripts (even with a wrapper) are still in pre-alpha
stage.  Part of the difficulty is that the Web2C system allows the
binaries to be installed anywhere.  I have to ensure that the PATH
contains the correct directory if both (1) the script is running
setuid and (2) the directory of the script is not /usr(/local)/bin.
I'm thinking about it....

   Julian

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

  Julian Gilbey, Dept of Maths, QMW, Univ. of London. J.D.Gilbey@qmw.ac.uk
             Debian GNU/Linux Developer.  jdg@debian.org
       -*- Finger jdg@master.debian.org for my PGP public key. -*-
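The three steps the reply above lists (clear the environment, reset PATH, setuid(geteuid())) as a small C wrapper. This is an added example, not code from the thread or from the Debian teTeX packages; SAFE_PATH and the script path TARGET are assumed values for illustration.

```c
/* Added example: a minimal wrapper that a setuid script could be invoked
 * through.  Installed setuid to a dedicated user (e.g. "tex"), it sanitises
 * the environment, fixes PATH, makes the real uid equal to the effective uid
 * and only then execs the real script.  SAFE_PATH and TARGET are assumptions. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SAFE_PATH "/usr/bin:/bin"     /* assumed: trusted directories only   */
#define TARGET    "/usr/bin/mktexpk"  /* hypothetical absolute path to script */

extern char **environ;

/* Discard everything inherited from the caller, then install a fixed PATH.
 * TEXMFCNF, TEXINPUTS and similar variables vanish with the rest, so the
 * search paths cannot be redirected by the invoking user.  Returns 0 on success. */
int sanitize_environment(void)
{
    static char *empty[] = { NULL };
    environ = empty;                        /* empty the environment */
    return setenv("PATH", SAFE_PATH, 1) == 0 ? 0 : -1;
}

/* Make the real uid/gid equal to the effective ones.  Programs the script
 * execs later then run wholly as the dedicated user and cannot regain the
 * caller's identity with setuid(getuid()).  Returns 0 on success. */
int drop_to_effective_ids(void)
{
    uid_t uid = geteuid();
    gid_t gid = getegid();
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* verify the switch actually happened before trusting it */
    return (getuid() == uid && getgid() == gid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (sanitize_environment() != 0 || drop_to_effective_ids() != 0) {
        perror("wrapper: cannot establish a safe state");
        return 1;
    }
    execv(TARGET, argv);                    /* absolute path: PATH is not consulted */
    perror("wrapper: execv");
    return 1;
}
```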

