> The main reason I didn't want to have mktex{mf,tfm,pk} be setuid is
> because they run all sorts of different programs - metafont, gsftopk,
> etc. - which can (IIRC) be replaced by the user. Even if they can't,
> their inputs can, and the inputs are Turing-complete macro languages.
> If mktex{mf,tfm,pk} drop privileges before invoking the real generator
> programs, I'll be happy.
I don't think it would work to drop privileges before starting up the generator programs -- that would defeat the point. But what must be done is: clear the environment, reset PATH to something known and secure and setuid(geteuid()). The combined effect of the first and third of these would also result in the texmf search paths being unaffected by anything that the user might do, which is crucially important. Resetting PATH prevents the user from getting their own programs into the works. And the fact that this will run as a dedicated user (tex) means that if there were any security holes, the worst that could be done is to interfere with the generated fonts, which would be hardly worse than the present situation. And hopefully, the result will be secure, and then we are a lot better off.

> I would also rather not install suidperl if it can be avoided.

I had realised that from other people's postings on another issue. It's something I'm thinking about, but my ideas on how to write these scripts as setuid scripts (even with a wrapper) are still in pre-alpha stage. Part of the difficulty is that the Web2C system allows the binaries to be installed anywhere. I have to ensure that the PATH contains the correct directory if both (1) the script is running setuid and (2) the directory of the script is not /usr(/local)/bin. I'm thinking about it....

   Julian

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Julian Gilbey, Dept of Maths, QMW, Univ. of London. [EMAIL PROTECTED]
Debian GNU/Linux Developer. [EMAIL PROTECTED]
-*- Finger [EMAIL PROTECTED] for my PGP public key. -*-
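The three steps the reply lists for a setuid wrapper (clear the environment, reset PATH to a fixed value, setuid(geteuid())) as a small C wrapper around one generator program. This is an added example, not code from the mail or from the Debian TeX packages; the PATH value and the generator path are placeholders, since the real wrapper would have to point at wherever the Web2C binaries are installed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed value: the ONLY environment the generator will see.
 * Placeholder directories; the real wrapper would name the directory
 * holding the Web2C binaries. Passing this array to execve() replaces
 * the inherited environment wholesale, so TEXMF*, TEXINPUTS and similar
 * variables set by the caller never reach kpathsea. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Step 3 from the mail: make the real uid equal the effective uid, so
 * anything later in the chain (e.g. home-directory lookups by uid) is
 * based on the dedicated account, not the invoking user.
 * Returns 0 on success, -1 otherwise. */
int become_effective_uid(void)
{
    if (setuid(geteuid()) != 0)
        return -1;
    return (getuid() == geteuid()) ? 0 : -1;
}

/* The wrapper must never locate a generator through the caller's PATH,
 * so only absolute program paths are accepted. */
int is_absolute_path(const char *p)
{
    return p != NULL && p[0] == '/';
}

/* Run one generator (metafont, gsftopk, ...) with a cleared environment,
 * a fixed PATH and matching uids. Returns only on failure, with -1. */
int run_generator(const char *abs_prog, char *const argv[])
{
    if (!is_absolute_path(abs_prog))
        return -1;
    if (become_effective_uid() != 0)
        return -1;
    execve(abs_prog, argv, SAFE_ENV);
    return -1; /* reached only if execve() failed */
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s /abs/path/to/generator [args...]\n", argv[0]);
        return 2;
    }
    run_generator(argv[1], argv + 1);
    perror("run_generator");
    return 1;
}
```

The uid check in become_effective_uid() matters because an unprivileged process may have setuid() fail silently on some systems if the call is not checked; the wrapper refuses to exec anything unless the uids actually match.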