[tex-live] Re: Bug#316154: texmf.cfg: Close possible security problem

Hans Hagen pragma at wxs.nl
Wed Jun 29 09:54:48 CEST 2005


Frank Küster wrote:
> Dear Thomas, dear TeXLive people,
> 
> in Debian bug report we have been asked to change the setting of
> openin_any in texmf.cnf:
> 
> 
> Joachim Breitner <nomeata at debian.org> wrote:
> 
> 
>>the shipped /etc/texmf/texmf.cfg has the following lines:
>>
>>openout_any = p
>>openin_any = a
>>
>>While the first line is so far ok, the second line means, that any LaTeX
>>code run on this machine has read-access like the user it runs as, that
>>includes /etc/passwd, ~/.ssh/id_rsa, ~/other_sensitive_file.
>>
>>This by itself is no problem, but it is actually quite easy to make a
>>user compile mal LaTeX code and make him send you the file before he has
>>a look at it or, using some TeX-magick, make the read text not visible
>>(white on white, or very small...).

sure, but if we start assuming that kind of tex usage we're lost anyway; just as 
i don't open those 'watch this nice jpg picture' i will not run a tex file from 
someone i don't know (unless posted on a mailing list, but then i look into the 
file anyway); the tex file suffix is more likely bound to editing than to 
processing

>>This is also a problem for i.e. webservices, that include LaTeX
>>capabilities.
> 
> 
> Is there a specific reason why this is set to `a' by default, except
> that in the old times people were friendly and peaceful ;-)?

setting it to anything else can be a pain for users; apart from many messages, 
files are not seen; (keep in mind that the main audience for tex live is users 
who just want to use tex, not to hack config files)

those who run tex in web apps can take care of themselves and tweak the config 
file; they may want to isolate tex in more ways than only opening files; (the 
average unix box is set up so that users can read lots of files and i see no 
reason to make tex more restrictive);

Hans

-----------------------------------------------------------------
                                           Hans Hagen | PRAGMA ADE
               Ridderstraat 27 | 8061 GH Hasselt | The Netherlands
      tel: 038 477 53 69 | fax: 038 477 53 74 | www.pragma-ade.com
                                              | www.pragma-pod.nl
-----------------------------------------------------------------
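The texmf.cnf setting the thread argues about can be audited mechanically. The script below is an added example, not code from this thread, from TeX Live or from Debian: it reads one texmf.cnf-style file, prints the openin_any and openout_any values with their kpathsea meaning (a = any path, r = restricted, p = paranoid) and returns failure when the file carries the permissive combination quoted above. It assumes that the last uncommented assignment in the file wins and ignores program-specific variants such as openin_any.pdftex; on a real installation the authoritative effective value is whatever "kpsewhich --var-value openin_any" prints, since kpathsea merges several texmf.cnf files.

```shell
#!/bin/sh
# Added example (not from the thread, TeX Live or Debian): audit the
# openin_any / openout_any lines of a texmf.cnf-style file.
# kpathsea meaning of the values:
#   a = any path
#   r = restricted: dotfiles (e.g. ~/.ssh/id_rsa) are refused
#   p = paranoid: additionally refuses ".." and absolute paths outside TEXMFOUTPUT
# Assumptions: a single file is inspected, the last uncommented assignment
# wins, and program-specific variants (openin_any.pdftex = ...) are ignored.
# The effective value on a real system comes from: kpsewhich --var-value openin_any

# texmf_var NAME FILE: print the value assigned to NAME in FILE ("" if absent).
# texmf.cnf comments start with %, so a commented-out line never matches.
texmf_var() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]%]*\).*/\1/p" "$2" | tail -n 1
}

# texmf_meaning VALUE: one-line explanation of a setting value.
texmf_meaning() {
    case "$1" in
        p)  echo "paranoid: no dotfiles, no .., no absolute paths outside TEXMFOUTPUT" ;;
        r)  echo "restricted: dotfiles such as ~/.ssh/id_rsa refused, other paths allowed" ;;
        a)  echo "any: every file the TeX process can access, e.g. /etc/passwd" ;;
        "") echo "unset: the compiled-in kpathsea default applies" ;;
        *)  echo "unknown value" ;;
    esac
}

# texmf_audit FILE: report both variables; return 0 only when openout_any is p
# and openin_any is p or r (i.e. neither side is the permissive 'a').
texmf_audit() {
    rc=0
    for name in openout_any openin_any; do
        value=$(texmf_var "$name" "$1")
        echo "$name=${value:-<unset>} ($(texmf_meaning "$value"))"
    done
    outval=$(texmf_var openout_any "$1")
    inval=$(texmf_var openin_any "$1")
    [ "$outval" = p ] || rc=1
    case "$inval" in p|r) ;; *) rc=1 ;; esac
    return $rc
}

# Demo on a constructed sample mirroring the lines quoted in the thread.
sample=$(mktemp)
printf '%% constructed sample, not a real texmf.cnf\nopenout_any = p\nopenin_any = a\n' > "$sample"
texmf_audit "$sample" || echo "result: LaTeX input may read any file the user can read"
rm -f "$sample"
```

Run it against a copy of the installed texmf.cnf to see the two lines and the verdict; because the shipped default in the thread is openin_any = a, the audit fails until the line is changed to r or p, which is exactly the trade-off (fewer readable files, more "file not found" messages) that Hans describes.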