On 13 Dec 2016 00:06, Tommaso Cucinotta wrote:
> On 12/12/2016 12:04, Helge Hafting wrote:
> > In the general case, make a script (or utility program) that runs the
> > dangerous converter in a chroot, where nothing dangerous can be done.
> > No need for questions then. LyX already puts the document files in a
> > temp directory so the cleanup after a latex run will be easier.
> > chrooting before running a converter means the converter can't
> > overwrite files outside the chroot, which helps quite a bit
> > security-wise.
>
> unfortunately, chroot-ing also makes the system inaccessible/invisible,

Yes. Necessary software must be available in a chroot, possibly in the form of "bin" and "lib" folders containing hardlinks to software the "dangerous" utility is allowed to use. Most software can be made available this way, since the user has no right to overwrite the binaries - and the binaries can't be used to overwrite random user files because of the chroot.

> that's why I'm looking into AppArmor instead, which is essentially a

Seems like a good thing - especially the ability to prevent networking. No network - no LyX-based virus at least. Trashing files in a chroot is less of a problem.

> "chroot on steroids". However, AA is more difficult to get right, and
> it will work "out of the box" only on a limited set of distros.
> On the other hand, the immediate, always working across any OS and
> portable security mitigation (to possible threats/viruses starting
> to spread as lyx docs), is the one to show up a dialog and ask the
> user -- I know, it's reminding all of us of smth, but also please
> remember that it won't show up always, rather only if you're using
> a few selected converters.
>
> As for batch conversions, we could have an option (even a LyX-wide option)
> saying --assume-yes or --assume-no or similar, that would actually prevent
> any question to be asked.

If it really is only a few select converters that are not likely to be widely used - then the few users are probably experts who know when to say "yes".

Unfortunately - if a LyX virus becomes possible for "those that say yes", then such a virus can be launched against people with no interest in those few converters. They'll have no idea what's going on, and they'll click through the warnings 'as usual' and spread the virus. Crisis will be averted mostly due to low LyX market share.

I wonder, if AppArmor solves this problem for distros that have it - then perhaps AA should be a mandatory dependency for these few converters? If you want that converter - you get a working AA setup first?

> > I hope future LyX won't be asking security questions most people
> > can't answer with any confidence.  I might be able to answer such
> > questions; but only if I review the sw in question, which I certainly
> > won't have time for.
>
> thanks for your honest opinion, Helge. Please, remember you can disable
> these security settings from the already added preferences options, if
> you feel these are just productivity stoppers.

The problem I see is that the game is already lost if security questions have to be asked. The questions can be turned off for convenience, but that is just as dangerous as blindly clicking through. (Unless you only ever handle your own documents.)

A system where the warnings can be turned off permanently can become a virus server. And if I made the virus, it would turn that setting off as the first 'bad thing done' when the user clicks to allow the virus for the first time.

A 'disable security question' feature is dangerous - and so is having a security question that can be answered wrongly by users without security knowledge. This covers most users who aren't programmers.

So I wonder, is it better to simply demand AA for such converters? Users who need them will either need to get a distro with working AA, or put pressure on their sw developers to create a 'harmless' version of the converter they need. I would guess that a harmless version is possible in many cases, but so far nobody has seen a need.

(A harmless mode might restrict itself to not opening files for writing, except for files specified on the command line and perhaps a few well-documented others. Also, disable the running of other executables except 'safe' ones.)

> Now, you're just raising
> the rightful point on whether we can really ship with these options ON
> by default, the first time, namely whether it's worthwhile to see
> users annoyed due to enabling them.

If it was only about annoyance - then turning the warning off (or simply not implementing it) is good. But the risk is real. While the decision isn't mine to make, I believe we need a solution that doesn't depend on the user's (lack of) understanding of computer security. At least for anything distributed as a part of LyX, via lyx.org.

A user who wants an unsafe converter can always install his own unofficial one, if he can't be bothered with AA. Those who want unsafe converters to work out of the box can use known good distros.

Helge Hafting
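The chroot approach Helge describes in this exchange (a throwaway root with "bin" and "lib" folders holding hardlinks to the programs the converter is allowed to use, no network, and file writes confined to the sandbox) as a runnable sketch. This is an added example, not LyX code and not anything posted in the thread; it assumes GNU coreutils `chroot` with `--userspec`, util-linux `unshare`, `ldd` for finding shared libraries, and a hypothetical converter binary handed to the script on the command line. Building the sandbox tree needs no privileges; only the chroot/unshare step needs root.

```shell
#!/bin/sh
# Added example, not LyX code: run an untrusted document converter inside a
# throwaway chroot with networking disabled, as sketched in the thread above.
# Assumptions (not from the thread): GNU coreutils chroot (--userspec),
# util-linux unshare, ldd for resolving shared libraries, and a hypothetical
# converter binary passed to the script as its first argument.

# populate_sandbox ROOT PROG... : create bin/, tmp/ and work/ under ROOT and
# put the allowed programs there, each with the shared objects it needs.
# A hardlink is tried first (the "hardlinks to software the utility is
# allowed to use" idea); cp -L is the fallback when ROOT is on another
# filesystem, where hardlinks are impossible.
populate_sandbox() {
    root=$1; shift
    mkdir -p "$root/bin" "$root/tmp" "$root/work"
    chmod 1777 "$root/tmp" "$root/work"   # writable by the unprivileged user
    for prog in "$@"; do
        dst="$root/bin/$(basename "$prog")"
        ln -L "$prog" "$dst" 2>/dev/null || cp -L "$prog" "$dst"
        # Every ldd field that starts with "/" is a library or the dynamic
        # loader; mirror it at the same path inside ROOT so the program
        # still loads once chrooted. Silently a no-op for static binaries.
        ldd "$prog" 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' \
        | while read -r lib; do
              mkdir -p "$root$(dirname "$lib")"
              [ -e "$root$lib" ] || cp -L "$lib" "$root$lib"
          done
    done
}

# sandbox_has_program ROOT NAME : 0 if NAME is an executable in ROOT/bin.
# Lets a caller verify that only the intended helpers are reachable.
sandbox_has_program() {
    [ -x "$1/bin/$2" ]
}

# run_sandboxed ROOT CONVERTER INPUT OUTPUT : copy INPUT into the chroot, run
# CONVERTER there as an unprivileged user in an empty network namespace, then
# copy /work/output back out. Needs root for chroot and unshare.
run_sandboxed() {
    root=$1; conv=$2; input=$3; output=$4
    if [ "$(id -u)" -ne 0 ]; then
        echo "run_sandboxed: chroot and unshare -n need root" >&2
        return 1
    fi
    cp "$input" "$root/work/input"
    # unshare -n: fresh, empty network namespace, so no network for the converter.
    # chroot --userspec=nobody: writes cannot escape ROOT, and the converter
    # does not keep root inside the sandbox either (assumed GNU chroot option).
    unshare -n chroot --userspec=nobody "$root" \
        "/bin/$(basename "$conv")" /work/input /work/output
    cp "$root/work/output" "$output"
}

# Usage (as root): sandbox_convert.sh CONVERTER INPUT OUTPUT [HELPER...]
# Nothing runs when the file is merely sourced, so the functions can be tested.
if [ "$#" -ge 3 ]; then
    conv=$1; input=$2; output=$3; shift 3
    root=$(mktemp -d)
    populate_sandbox "$root" "$conv" "$@"
    run_sandboxed "$root" "$conv" "$input" "$output"
    rm -rf "$root"
fi
```

The converter can still trash anything inside the sandbox, which is the "less of a problem" Helge accepts; what it cannot do is reach the user's files or the network. The finer, per-file rules the thread wants from AppArmor (write only the output file, execute only listed helpers) are not expressed here, so this is the portable baseline, not a replacement for an AA profile.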