Hi Tommaso,
I have been following your work on this issue with interest. Thank you, this is something that was much needed. Making AppArmor work would be great too, but I suspect that it is going to be hard to have a configuration which is both secure and without hassle to the user, especially since with security there can be no half-measure, and unrestricted read access can be an issue too. Still any experiment with it is good. Further comments below. Le 23/11/2016 à 22:27, Tommaso Cucinotta a écrit :
One note: one way to avoid the [auth session] section growing unbounded, might be to have an expiry timestamp, so that e.g., authorizations would expire in ~1y or so. This might be done with a section syntax like: <timestamp> <filename> instead of the simple <filename> we have now.
Could that be used to fix #10310 as well? See https://www.mail-archive.com/lyx-devel@lists.lyx.org/msg195888.html
Any further comment welcome, thanks!
* Please see the attached patch for a few suggestions (more concise, a few corrections, html formatting, no checkbox). (Using html much improves readability, but then the html appears in the console output. I have a solution for this if you choose this route.) * Please try to avoid lines longer than 80 characters. * "dangerous, including deleting files": it has been a while that computer virus are created to do much worse than deleting files... * Converters>Security is located below the converter configuration, which leads to think that they are converter properties instead of global settings. What about placing it above the converter list? * It would be nice to be able to edit the needauth flag from the converters settings. * What happens if a needauth converter is called during instant preview? Could that happen? And during graphics display? Thanks again. Guillaume
diff --git a/src/Converter.cpp b/src/Converter.cpp index 14b18dd..e596b3d 100644 --- a/src/Converter.cpp +++ b/src/Converter.cpp @@ -283,29 +283,40 @@ bool Converters::checkAuth(Converter const & conv, string const & doc_fname) { if (!conv.need_auth()) return true; - const docstring security_warning = bformat(_("Requested operation needs use of converter '%1$s' from %2$s to %3$s, " - "which is tagged with the 'needauth' option. This is an external program normally acting as a picture/format " - "converter, but which is known to be able to execute arbitrary actions on the system on behalf of the user, " - "including dangerous ones such as deleting files, if instructed to do so by a maliciously crafted .lyx document."), - from_utf8(conv.command()), from_utf8(conv.from()), from_utf8(conv.to())); + const docstring security_warning = bformat( + _("<p>The requested operation requires the use of a converter from " + "%2$s to %3$s:" + "<blockquote><tt>%1$s</tt></blockquote>" + "<p>This external program can execute arbitrary commands on your " + "system, including dangerous ones, if instructed to do so by a " + "maliciously crafted .lyx document.</p>"), + from_utf8(conv.command()), from_utf8(conv.from()), + from_utf8(conv.to())); if (lyxrc.use_converter_needauth_forbidden) { - frontend::Alert::warning(_("Launch of external converter is forbidden"), security_warning + _("\n\n" - "This is forbidden by default. In order to unlock execution of these converters, please, go to\n" - "Preferences->File Handling->Converters and uncheck Security->Forbid needauth converters."), true); + frontend::Alert::warning( + _("An external converter is disabled for security reasons"), + security_warning + _( + "<p>Your current settings forbid its execution.</p>" + "<p>(To change this setting, go to <i>Preferences ▹ File " + "Handling ▹ Converters</i> and uncheck <i>Security ▹ " + "Forbid needauth converters</i>.)"), false); return false; } if (!lyxrc.use_converter_needauth) return true; - static const docstring security_title = _("Launch of external converter needs user authorization"); + static const docstring security_title = + _("An external converter requires your authorization"); int choice; - const docstring security_warning2 = security_warning + _("\n\nWould you like to run the converter?\n\n" - "ANSWER RUN ONLY IF YOU TRUST THE ORIGIN/SENDER OF THE LYX DOCUMENT!"); + const docstring security_warning2 = security_warning + + _("<p>Would you like to run this converter?</p>" + "<p><b>Only run if you trust the origin/sender of the LyX " + "document!</b></p>"); if (!doc_fname.empty()) { LYXERR(Debug::FILES, "looking up: " << doc_fname); std::set<std::string> & auth_files = theSession().authFiles().authFiles(); if (auth_files.find(doc_fname) == auth_files.end()) { choice = frontend::Alert::prompt(security_title, security_warning2, - 0, 0, _("Do &NOT run"), _("&Run"), _("&Always run for this document")); + 0, 0, _("Do ¬ run"), _("&Run"), _("&Always run for this document")); if (choice == 2) auth_files.insert(doc_fname); } else { @@ -313,7 +324,7 @@ bool Converters::checkAuth(Converter const & conv, string const & doc_fname) } } else { choice = frontend::Alert::prompt(security_title, security_warning2, - 0, 0, _("Do &NOT run"), _("&Run")); + 0, 0, _("Do ¬ run"), _("&Run")); } return choice != 0; }