
Bug#316154: [tex-live] Re: Bug#316154: texmf.cfg: Close possible security problem



Frank Küster wrote:
Dear Thomas, dear TeXLive people,

in Debian bug report we have been asked to change the setting of
openin_any in texmf.cnf:


Joachim Breitner <nomeata@debian.org> wrote:


the shipped /etc/texmf/texmf.cfg has the following lines:

openout_any = p
openin_any = a

While the first line is so far ok, the second line means, that any LaTeX
code run on this machine has read-access like the user it runs as, that
includes /etc/passwd, ~/.ssh/id_rsa, ~/other_sensitive_file.

This by itself is no problem, but it is actually quite easy to make a
user compile mal LaTeX code and make him send you the file before he has
a look at it or, using some TeX-magick, make the read text not visible
(white on white, or very small...).

sure, but if we start assuming that kind of tex usage we're lost anyway; just as i don't open those 'watch this nice jpg picture' i will not run a tex file from someone i don't know (unless posted on a mailing list, but then i look into the file anyway); the tex file suffix is more likely bound to editing than to processing

This is also a problem for i.e. webservices, that include LaTeX
capabilities.


Is there a specific reason why this is set to `a' by default, except
that in the old times people were friendly and peaceful ;-)?

setting it to anything else can be a pain for users; apart from many messages, files are not seen; (keep in mind that the main audience for tex live is users who just want to use tex, not to hack config files)

those who run tex in web apps can take care of themselves and tweak the config file; they may want to isolate tex in more ways than only opening files; (the average unix box is set up so that users can read lots of files and i see no reason to make tex more restrictive);

Hans

-----------------------------------------------------------------
                                          Hans Hagen | PRAGMA ADE
              Ridderstraat 27 | 8061 GH Hasselt | The Netherlands
     tel: 038 477 53 69 | fax: 038 477 53 74 | www.pragma-ade.com
                                             | www.pragma-pod.nl
-----------------------------------------------------------------
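
Added example (not part of the original messages, and not kpathsea's own code): a simplified Python model of the three openin_any levels as the texmf.cnf comments describe them, applied to the files named in the report. The home directory /home/alice, the two relative paths and all function names are assumptions made for illustration.

```python
# Simplified model of the openin_any levels as documented in texmf.cnf comments;
# this is NOT kpathsea's implementation.
#   a (any)        any file can be opened
#   r (restricted) no dotfiles
#   p (paranoid)   as r, plus no parent directories, and absolute paths
#                  only under $TEXMFOUTPUT

def has_dot_component(name):
    """True if a path component other than '.' or '..' starts with a dot."""
    return any(part.startswith(".") and part not in (".", "..")
               for part in name.split("/"))

def openin_allowed(name, level, texmfoutput=""):
    """Would this model let TeX read `name` at the given openin_any level?"""
    if level not in ("a", "r", "p"):
        raise ValueError("unknown openin_any level: %r" % level)
    if level == "a":
        return True
    if has_dot_component(name):
        return False
    if level == "r":
        return True
    if ".." in name.split("/"):
        return False
    if name.startswith("/"):
        base = texmfoutput.rstrip("/")
        return bool(base) and name.startswith(base + "/")
    return True

# First three: the files named in the report, with ~ written out as a
# constructed home directory. Last two: constructed everyday inputs.
SAMPLE_PATHS = [
    "/etc/passwd",
    "/home/alice/.ssh/id_rsa",
    "/home/alice/other_sensitive_file",
    "chapter1.tex",
    "../shared/macros.tex",
]

def policy_table(paths=SAMPLE_PATHS, texmfoutput=""):
    """Map each path to the set of levels under which it is readable."""
    return {p: {lvl for lvl in "arp" if openin_allowed(p, lvl, texmfoutput)}
            for p in paths}

if __name__ == "__main__":
    for path, levels in policy_table().items():
        print("%-36s %s" % (path, " ".join(sorted(levels)) or "-"))
```

In this model r blocks only the SSH key, while p blocks all three sensitive files but also rejects the ../ include, which is the trade-off the thread is arguing about.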



