[tex-k] Re: tetex-base: dvips default output and security settings
need clarification
Frank Küster
frank at kuesterei.ch
Fri Apr 23 14:54:20 CEST 2004
Dear TeX-k Team,
here's another suggestion from our Debian Bugtracking system, regarding
both documentation and a source code fix. As for the changes to
config.ps, I have attached a patch below, which you might find useful.
Regards, Frank
Matthew Swift <swift at alum.mit.edu> wrote:
> Package: tetex-base
> Version: 2.0-1
> Severity: normal
>
> There are several things to improve about the default output and default
> security settings of dvips.
>
> (1) Dvips.info (actually in tetex-bin not tetex-base) says this:
>
> `-R'
> Run securely. This disables shell command execution in `\special'
> (via ``', *note Dynamic creation of graphics::) and config files
> (via the `E' option, *note Configuration file commands::), pipes as
> output files, and opening of any absolute filenames.
>
> But it is no longer true that setting -R (or in config file `z1') disables
> output to a pipe. I also cannot find where in the sources the loading of
> absolute filenames is prohibited by secure=1, so that probably also should be
> corrected -- either to implement it or to remove the claim that it is
> implemented.
>
> There is one exception, when __DJGPP__ is defined in output.c. This is
> probably a bug that should be forwarded upstream out of courtesy, although it
> does not affect Debian. I think if secure=1 and __DJGPP__ is defined and
> output is sent to a pipe, the program will fail without any kind of error
> message.
>
> (2) The comments regarding `z*' and `o' in config.ps could be clearer.
> Suggestions are below. This was more of a problem before in the version
> before tetex-2.0.
>
> (3) Dvips.info documentation of the "o" configuration file option has a typo:
>
> `o NAME'
> Send output to NAME. Same as `-', *note Option details::. In the
> file `config.foo', a setting like this is probably appropriate:
>
> There should be `-o' not `-' in the second sentence.
>
> --------------------------
>
> In config.ps:
>
> Existing:
>
> % Execution of external programs is disabled by default. Set
> % to z0 if you want backticks in \special commands enabled.
> z1
>
> % How to print, maybe with lp instead lpr, etc. If commented-out, output
> % will go into a file by default.
> % o |lpr
>
> What it should be (and this also explains z* better):
>
> % A setting of `z1' inhibits execution of shell commands in `\special's
> % and via the `E' option in config files like this one.
> % Dvips permits these operations by default or with an explicit setting of `z0'.
> % Debian GNU/Linux inhibits these operations by default with the setting `z1' here.
> z1
>
> % Where dvips output should go by default. If unspecified, output goes to a file.
> % To send output via a pipe directly to a printing program such as `lpr',
> % use a line like one of the following two:
> % o |lpr
> % o |lpr -Pmyprinter
> % To send output to standard-output by default, use:
> % o -
>
Here's the patch:
--- texmf/dvips/config/config.ps.orig Fri Apr 23 14:29:36 2004
+++ texmf/dvips/config/config.ps Fri Apr 23 14:31:20 2004
@@ -7,13 +7,19 @@
% to determine this number. (It will be the only thing printed.)
m 3500000
-% Execution of external programs is disabled by default. Set
-% to z0 if you want backticks in \special commands enabled.
+% A setting of `z1' inhibits execution of shell commands in `\special's
+% and via the `E' option in config files like this one ("secure mode").
+% Dvips permits these operations by default or with an explit setting of `z0'.
+% Debian GNU/Linux inhibits these operations by default with the setting `z1' here.
z1
-% How to print, maybe with lp instead lpr, etc. If commented-out, output
-% will go into a file by default.
-o |lpr
+% Where dvips output should go by default. If unspecified, output goes to a file.
+% To send output via a pipe directly to a printing program such as `lpr' or 'lp',
+% use a line like one of the following two:
+% o |lpr
+% o |lpr -Pmyprinter
+% To send output to standard-output by default, use:
+% o -
% Default resolution of this device, in dots per inch.
D 600
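Review bot: The removed line "o |lpr" was an active setting and the added lines contain only commented examples, so this hunk changes the default output destination from the lpr pipe to a file rather than only rewording comments; the accompanying message should say so. In the added z1 comment, "explit" should be "explicit", and "Debian GNU/Linux inhibits these operations by default" is distribution-specific wording in a file being offered upstream. The new output comment quotes `lpr' and 'lp' in two different styles. Since the quoted report says z1 no longer disables pipes as output, the z1 comment could state that directly, because the "o |lpr" examples sit just below it.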
--
Frank Küster, Biozentrum der Univ. Basel
Abt. Biophysikalische Chemie
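
The settings discussed in this thread (`z0`/`z1`, `E` lines and `o |command`) can be checked mechanically in a config file. The following Python is an added example, not part of the original message or of dvips; the function names and sample configs are constructed, and the comment-line rule is an assumption noted in the code.

```python
# Added example: audit a dvips config file for the settings this thread discusses.
# Assumption: lines that are blank or start with '%', '*', '#', '=' or a space
# are comments; every other line is a one-letter command plus its argument.
COMMENT_PREFIXES = ("%", "*", "#", "=", " ")

def parse_config(text):
    """Return the last `z` value, all `E` commands and the last `o` target."""
    state = {"secure": 0, "exec": [], "output": None}  # page: dvips permits by default
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith(COMMENT_PREFIXES):
            continue
        cmd, arg = raw[0], raw[1:].strip()
        if cmd == "z":
            # Assumption: a `z` without a number counts as z1.
            state["secure"] = int(arg) if arg.isdigit() else 1
        elif cmd == "E":
            state["exec"].append((lineno, arg))
        elif cmd == "o":
            state["output"] = arg
    return state

def findings(text):
    """List the points an administrator should review in this config."""
    s = parse_config(text)
    out = []
    if s["secure"] == 0:
        out.append("z0 or no z line: shell commands in \\special and E are permitted")
    for lineno, command in s["exec"]:
        out.append(f"line {lineno}: E runs a shell command when z0 is in effect: {command}")
    if s["output"] and s["output"].startswith("|"):
        out.append(f"o pipes output to a command ({s['output'][1:].strip()}); "
                   "per the report above, z1 no longer blocks this")
    return out

# Constructed sample configs, not taken from any real installation.
DEBIAN_STYLE = "m 3500000\n% secure mode\nz1\n% o |lpr\nD 600\n"
PIPE_AND_EXEC = "m 3500000\nE date\no |lpr -Pmyprinter\nD 600\n"

if __name__ == "__main__":
    for name, cfg in (("DEBIAN_STYLE", DEBIAN_STYLE), ("PIPE_AND_EXEC", PIPE_AND_EXEC)):
        print(name, findings(cfg) or "nothing to review")
```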