Re: [Texmacs-dev] Re: a voir
From: roberto
Subject: Re: [Texmacs-dev] Re: a voir
Date: Sat, 1 Jun 2002 10:25:47 +0200
Dear Ralph,
thank you for reminding us of the security issues: I think any
development of features similar to those found in Active-DVI will
encounter the same difficulties.
The current status of the situation in Active-DVI is:
- there are three levels of security, corresponding to
  command line options
    exec: launch any application
    ask: ask before launching an application
    safer: launch no application
- the user has the right to define her/his policy in the .advirc file
- the system administrator has the right to set a global policy
  in /etc/advirc
- the default is (if I remember well) ask
- launching advi with the -n option will give a list of all
  external applications referenced in the .dvi file
I do not know if the debian packaged version is actually recent enough to
incorporate this, but the latest official release of Active-DVI incorporates
all this...
--Roberto
>>>>> "Ralf" == Ralf Treinen <address@hidden> writes:
Ralf> Sorry for replying in English but it's faster ... There is, or
Ralf> at least there used to be (I didn't follow the latest developments), a
Ralf> big problem with advi: Advi can execute any arbitrary code (by passing
Ralf> it to a shell) which is embedded in the code. An advi document can for
Ralf> instance start an xclock application, an mpeg player, a texmacs
Ralf> session, or anything else. At the time when advi was to be included
Ralf> into debian it was the default behaviour of advi to allow execution of
Ralf> any embedded code. The user had to supply a special option to switch
Ralf> this behaviour off.
Ralf> I guess I don't have to tell you why this is a security problem. For
Ralf> debian, the default behaviour was inversed, such that the user has to
Ralf> explicitly switch on the execution of embedded code.
Ralf> It is unclear to me how this feature can be used in a secure
Ralf> way. Please keep this problem in mind when adding animation features
Ralf> to texmacs.
Ralf> -Ralf.
--
--Roberto Di Cosmo
------------------------------------------------------------------
Professeur (on leave at/detache a INRIA Roquencourt)
PPS E-mail: address@hidden
Universite Paris VII WWW : http://www.dicosmo.org
Case 7014 Tel : ++33-(1)-39 63 52 77
2, place Jussieu Fax : ++33-(1)-44 27 68 49
F-75251 Paris Cedex 05
FRANCE. MIME/NextMail accepted
------------------------------------------------------------------
Office location:
Paris VII INRIA Roquencourt
Bureau 6C14 (6th floor) Bureau 820, Batiment 8
175, rue du Chevaleret, XIII
Metro Chevaleret, ligne 6 Roquencourt
------------------------------------------------------------------
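
The three policy levels, the default, and the -n style listing described in the message above, as an added Python example that is not Active-DVI's own code. Assumptions of this example: the function names, the rule that the strictest stated policy wins when the system, user and command-line sources disagree, the constructed sample commands, and splitting each command into an argv list rather than handing it to a shell.

```python
import shlex

# Level names come from the message; the strictness ordering is an assumption.
LEVELS = {"exec": 0, "ask": 1, "safer": 2}
DEFAULT = "ask"  # the default reported in the message

# Constructed sample of commands embedded in a document (not from a real .dvi).
SAMPLE = ["xclock -update 1", "mpeg_play intro.mpg"]

def effective_policy(system=None, user=None, cli=None):
    """Merge /etc/advirc, ~/.advirc and command-line choices (assumed rule:
    the strictest stated level wins; with nothing stated, use the default)."""
    stated = [p for p in (system, user, cli) if p is not None] or [DEFAULT]
    for p in stated:
        if p not in LEVELS:
            raise ValueError(f"unknown policy: {p!r}")
    return max(stated, key=LEVELS.__getitem__)

def list_embedded(commands):
    """Dry run in the spirit of -n: report every command, launch nothing."""
    return [shlex.split(c) for c in commands]

def decide(commands, policy, confirm=lambda argv: False):
    """Return (allowed, refused) argv lists. Nothing is executed here, and an
    unanswered 'ask' prompt counts as a refusal."""
    allowed, refused = [], []
    for argv in list_embedded(commands):
        if policy == "exec":
            ok = True
        elif policy == "ask":
            ok = bool(confirm(argv))  # user is shown the exact argv first
        else:  # "safer"
            ok = False
        (allowed if ok else refused).append(argv)
    return allowed, refused

if __name__ == "__main__":
    policy = effective_policy(system="ask", user="exec")
    print("policy:", policy)
    print("referenced:", list_embedded(SAMPLE))
    print("decision:", decide(SAMPLE, policy))
```
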