[tex-live] Re: [tex-k] secure mode of dvips should be default

Reinhard Kotucha reinhard@kammer.uni-hannover.de
Sun, 3 Jun 2001 01:47:36 +0200

>>>>> "Julian" == Julian Gilbey <J.D.Gilbey@qmw.ac.uk> writes:

    > What would be really nice would be three levels of security:

    > -R0 no external commands executed

    > -R1 only trusted commands executed, such as gs (it shouldn't be
    > two hard for the wizards to come up with such a list of commonly
    > used commands, and they should be called directly, not via a
    > shell, to avoid the possibility of shell tricks)

    > -R2 pass any `command special to a shell to handle

Good idea!  It certainly would confuse users if dvips wouldn't behave
as it does now.

Probably it would be best if this could be configured in texmf.cnf
rather than in all the config.<device> files.  There are two variables
concerning security.  AFAIK, they are used by TeX only.

It might be more difficult to implement, but I think that such a
variable could be used by xdvi as well.

A list of trusted commands should not be compiled into the binaries,
texmf.cnf is a more appropriate place.

Sebastian, it would be worth some thoughts whether the change you have
made should really go into TeXLive6.  TeXLive is a CDROM distribution
and is used by many people who do not have internet access.  They
cannot simply ask someone if something doesn't work as usual.  They
expect that things work as described in i.e. The LaTeX Graphics
Companion, which says that dvips can process gzipped eps files.

In my opinion, it's better to implement the idea of trusted commands
first.  We haved lived whith this security hole for years, it would
certainly be ok if TeXLive7 comes up with a better scheme.

Furthermore, I think that it doesn't make any sense to change the
default behaviour at all.  If I get a dvi file that contains shell
escapes, what should I do?  The dvi format is not human readable,
should I throw it away or should I run dvips in insecure mode?
The author of the file probably did nothing that isn't documented.
Does the error message I get show me the content of the \special?
That would be necessary.

I do not see any better solution than the concept of trusted commands.


Reinhard Kotucha			               Phone: +49-511-751355
Berggartenstr. 9
D-30419 Hannover	              mailto:reinhard@kammer.uni-hannover.de
Microsoft isn't the answer. Microsoft is the question, and the answer is NO.