Dear Volker,

> The generation of ls-R files was recently changed to be run as nobody,
> instead of the user invoking mktexlsr (see diff at end). This creates a

I was contacted by SuSE about a security problem and the fix that you describe was suggested. I have forwarded that to Olaf Weber, but we have not yet decided about this issue. By the time, SuSE has distributed this patch.

> Obviously I can edit the script, but is there a recommended way to deal
> with this?

You could easily avoid problems by changing the read permissions of the font files (make them readable for some group), but leave the directories world-executable and world-readable. That way, nobody will be able to list the fonts into the ls-R file, but unauthorized people won't be able to use the fonts.

The patch suggested by SuSE is not portable enough to be adopted by web2c, I think. Maybe we should make the use of the "L" option in mktexlsr an option and the default of this option "off".

> [1] dvips in this case says it includes the pfb files, but in fact
> doesn't, and doesn't show a warning either. This is probably the same

Yes, that's the problem discussed on the TeX-k list and Tomas R. wrote that he'll work on a fix for it.

Thomas