On Tue, Jul 27, 1999 at 05:06:25PM +1000, Allan Rae wrote:
>
> Yes, on both counts (smart .layout files and extending LyX's capabilities
> -- think plugins). But someone somewhere is likely to argue that they
> should be able to incorporate such an extension into a document -- or to
> have the ability to bundle local extensions with a document to share with
> others. And thus we're faced with a potential macro-virus issue.
The reason macro viruses exist is that Micro$oft's Official Corporate
Policy is identical to the raison d'être of the Borg. The difference
between the two is that the Borg is technically adept, while Micro$oft
is mostly incompetent.
This is why you can take the M$ equivalent of a self-executing,
suid-root shell script, put it into a document, and have the M$
equivalent of Emacs or Ghostscript automatically execute that embedded
script as soon as the file is read.
My little analogy should demonstrate why "scripting language != Macro
Virus" in the Unix world. Only a blithering idiot would intentionally
design a program to auto-execute anything whatsoever. I'd like to
think that we on the LyX Team are not idiots. ;)
Seriously, though, the easy way to deal with scripts/macros is to take
a lesson from the protocol world. (I'm my employer's local expert on
SNMP, btw...) Here are some ideas:
1) There will be two kinds of scripts: userspace/macro and
kernelspace/config.
2) User-scripts will be "walled-off" from the underlying OS.
Example: a user script can save an existing file, but cannot
use save-as. Hell, we could go one further and forbid saves,
making instead a special save that keeps numbered backups à la
emacs (you did know that emacs can keep numbered backups,
didn't you?). Executing shell commands from a script would
similarly be forbidden. (Perhaps even executing one macro from
another could also be forbidden?)
3) LyX running suid-root cannot execute User-scripts. Perhaps it
should even be unable to write files...
4) There shall not be any auto-execute mechanism for
User-scripts. They must be executed explicitly, either from
within LyX or using a commandline option. Commandline-executed
scripts running LyX in its noninteractive mode would have
additional restrictions.
5) Config-scripts would be things like the .lyxrc, the bind files,
the *.layout files, and special feature/extension scripts.
6) This is where we take a lesson from the protocol world: each
class/type of Config-script would use a restricted version of
the general scripting language we chose (whatever that ends up
being):
a) bind files, rc-files, and .layout files *cannot* write to
disk.
b) bind files, rc-files, and .layout files *cannot* modify the
buffer.
...and so on.
Sorry, the train is getting close to my stop. I'll have to cut myself
off. Tawk amongst yourselves.
--
John Weiss
On a train, someplace between Brewster and White Plains...
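As an added illustration (not code from this message, and not LyX's own code), the policy sketched in points 1 to 6 can be modelled as a small capability-gated interpreter. Everything below is constructed: the command names (`insert`, `save`, `bind`, `set`, `define_style`), the `%macro` marker used to embed a script in a document, and the in-memory dict standing in for the disk are assumptions made for the example. It shows the four properties the message asks for: each script class gets a restricted subset of one command language (and `shell` and `save-as` are in no subset), a script is validated in full before anything executes, an embedded script is kept aside on load and only runs when explicitly asked, the `save` operation keeps emacs-style numbered backups instead of overwriting, and user macros are refused outright when the editor runs as root.

```python
"""Capability-gated macro interpreter: a model of the proposed LyX script policy.

Constructed example; command names, the %macro marker and the dict
filesystem are assumptions, not LyX features.
"""
import re
import shlex
from typing import Dict, List

# Script classes named in the proposal: user macros plus the config-script kinds.
USER, BIND, RC, LAYOUT = "user", "bind", "rc", "layout"

# Per-class whitelist: a restricted subset of one command language.
# "shell", "save_as" and raw file writes appear in no set, so no class can reach them.
ALLOWED: Dict[str, frozenset] = {
    USER:   frozenset({"insert", "save"}),   # walled off: no save-as, no shell
    BIND:   frozenset({"bind"}),             # cannot write to disk or modify the buffer
    RC:     frozenset({"set"}),
    LAYOUT: frozenset({"define_style"}),
}


class PolicyViolation(Exception):
    """A script asked for an operation its class is not permitted to perform."""


class Editor:
    def __init__(self, euid: int = 1000) -> None:
        self.euid = euid                      # effective uid the editor runs under
        self.fs: Dict[str, str] = {}          # constructed stand-in for the disk
        self.path = "untitled.lyx"
        self.buffer = ""
        self.bindings: Dict[str, str] = {}
        self.settings: Dict[str, str] = {}
        self.styles: List[str] = []
        self.pending_macro: List[str] = []    # embedded script: stored, never auto-run

    def load(self, path: str, raw: str) -> None:
        """Load a document; '%macro ...' lines are set aside, not executed."""
        body, macro = [], []
        for line in raw.splitlines():
            if line.startswith("%macro "):
                macro.append(line[len("%macro "):])
            else:
                body.append(line)
        self.path, self.buffer = path, "\n".join(body)
        self.pending_macro = macro
        self.fs.setdefault(path, raw)

    def _next_backup(self) -> str:
        """Next free emacs-style backup name: <path>.~N~ with N one above the highest."""
        pat = re.compile(re.escape(self.path) + r"\.~(\d+)~$")
        nums = [int(m.group(1)) for p in self.fs if (m := pat.match(p))]
        return f"{self.path}.~{max(nums, default=0) + 1}~"

    def save(self):
        """Save the buffer, moving the previous on-disk copy to a numbered backup."""
        backup = None
        if self.path in self.fs:
            backup = self._next_backup()
            self.fs[backup] = self.fs[self.path]
        self.fs[self.path] = self.buffer
        return backup

    def run(self, script_class: str, lines: List[str]) -> int:
        """Run a script under its class policy; refuse the whole script on any violation."""
        if script_class == USER and self.euid == 0:
            raise PolicyViolation("user scripts are refused while running as root")
        allowed = ALLOWED[script_class]
        parsed = [shlex.split(ln) for ln in lines if ln.strip()]
        for op, *_ in parsed:                 # validate everything before executing anything
            if op not in allowed:
                raise PolicyViolation(f"{script_class} script may not {op!r}")
        for op, *args in parsed:
            if op == "insert":
                self.buffer += " ".join(args)
            elif op == "save":
                self.save()
            elif op == "bind":
                self.bindings[args[0]] = args[1]
            elif op == "set":
                self.settings[args[0]] = args[1]
            elif op == "define_style":
                self.styles.append(args[0])
        return len(parsed)

    def run_pending_macro(self) -> int:
        """The only way an embedded macro runs: an explicit request from the user."""
        return self.run(USER, self.pending_macro)


def refused(editor: Editor, script_class: str, lines: List[str]) -> bool:
    """True if the policy refuses the script (and therefore executed none of it)."""
    try:
        editor.run(script_class, lines)
    except PolicyViolation:
        return True
    return False


if __name__ == "__main__":
    ed = Editor()
    ed.load("doc.lyx", "Hello\n%macro insert ' world'\n%macro shell date")
    print("buffer after load:", repr(ed.buffer))           # embedded macro did not run
    print("embedded macro refused:", refused(ed, USER, ed.pending_macro))
    ed.run(USER, ["insert ' world'", "save"])
    print("files:", sorted(ed.fs))                           # doc.lyx plus doc.lyx.~1~
```

The two-pass `run` matters: checking every operation before executing any means a script that mixes permitted and forbidden commands changes nothing, rather than running half-way and then stopping.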