[tex-live] Re: Bug#316154: texmf.cfg: Close possible security problem

Frank Küster frank at debian.org
Wed Jun 29 09:28:48 CEST 2005


Dear Thomas, dear TeXLive people,

in a Debian bug report we have been asked to change the setting of
openin_any in texmf.cnf:


Joachim Breitner <nomeata at debian.org> wrote:

> the shipped /etc/texmf/texmf.cfg has the following lines:
>
> openout_any = p
> openin_any = a
>
> While the first line is so far ok, the second line means that any LaTeX
> code run on this machine has read access like the user it runs as; that
> includes /etc/passwd, ~/.ssh/id_rsa, ~/other_sensitive_file.
>
> This by itself is no problem, but it is actually quite easy to make a
> user compile mal LaTeX code and make him send you the file before he has
> a look at it or, using some TeX-magick, make the read text not visible
> (white on white, or very small...).
>
> This is also a problem for, e.g., web services that include LaTeX
> capabilities.

Is there a specific reason why this is set to `a' by default, except
that in the old times people were friendly and peaceful ;-)?

TIA, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
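
An added sketch, not part of the original message and not kpathsea's own code: a simplified Python model of the three values kpathsea documents for openin_any (a = any, r = restricted, p = paranoid), applied to the kinds of paths named in the quoted report. The sample config text, the path list, the `output_dir` parameter and all function names are constructed for illustration.

```python
import posixpath
import re

# Constructed excerpt mirroring the two settings quoted in the report.
SAMPLE_CNF = """\
% constructed sample, not a real system file
openout_any = p
openin_any = a
"""

# Constructed test paths: the kinds of files the report names, plus a normal input.
PATHS = ["/etc/passwd", "/home/user/.ssh/id_rsa",
         "chapter1.tex", "../other_sensitive_file"]


def read_policy(cnf_text, var):
    """Return the value of the first `var = value` line, or None."""
    pat = r"^[ \t]*%s(?:[ \t]*=[ \t]*|[ \t]+)(\S+)" % re.escape(var)
    m = re.search(pat, cnf_text, re.MULTILINE)
    return m.group(1) if m else None


def name_ok(path, policy, output_dir=None):
    """Simplified model of the documented a/r/p policy for one file name."""
    if policy == "a":                      # any: no restriction at all
        return True
    parts = path.split("/")
    # r and p: refuse dot files and dot directories (but not "." or "..")
    if any(p.startswith(".") and p not in (".", "..") for p in parts):
        return False
    if policy == "r":
        return True
    # p only: refuse parent-directory references ...
    if ".." in parts:
        return False
    # ... and absolute paths, unless under the output directory (assumed absolute)
    if path.startswith("/"):
        return (output_dir is not None and
                posixpath.commonpath([path, output_dir]) == output_dir)
    return True


def readable(policy, paths=PATHS):
    """List the sample paths a document could open under `policy`."""
    return [p for p in paths if name_ok(p, policy)]


if __name__ == "__main__":
    print("configured:", read_policy(SAMPLE_CNF, "openin_any"))
    for pol in "arp":
        print(pol, readable(pol))
```

On a real installation, `kpsewhich -var-value=openin_any` prints the value in effect.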
