On 2002-07-17 00:44:21 -0400, Simon Law wrote: > I can imagine latex.ltx containing a couple extra > \openin15=.ssh/identity , \openin15=.gnupg/secring.gpg and > \openout15=.shrc commands[2] as put there by someone who has cracked an
This is not possible on a default TeX installation. <quote src="http://www.tug.org/web2c/manual/web2c_4.html";> TeX can write output files, via the \openout primitive; this opens a security hole vulnerable to Trojan horse attack: an unwitting user could run a TeX program that overwrites, say, `~/.rhosts'. (MetaPost has a write primitive with similar implication). To alleviate this, there is a configuration variable `openout_any'; by default, this is set to `0', which disallows writing to any filename beginning with `.' except `.tex' (for the sake of the LaTeX distribution). If set to `1', any file can be written. In any case, all \openout filenames are recorded in the log file, except those opened on the first line of input, which is processed when the log file has not yet been opened. (If you as a TeX administrator wish to implement more stringent rules on \openout, modifying the function openoutnameok in `web2c/lib/texmfmp.c' is intended to suffice.) ... `-shell-escape' Enable the `\write18{shell-command}' feature. This is also enabled if the environment variable or config file value `shell_escape' is set to anything non-null that does not start with `n' or `0'. It is disabled by default to avoid security problems. When enabled, the shell-command string (which first undergoes the usual TeX expansions, just as in `\special') is passed to the command shell (via the C library function `system'). The output of shell-command is not diverted anywhere, so it will not appear in the log file. The system call either happens at `\output' time or right away, according to the absence or presence of the `\immediate' prefix, as usual for \write. (If you as a TeX administrator wish to implement more stringent rules on what can be executed, you will need to modify `tex.ch'.) </quote> Best regards Martin -- Martin Schröder, [EMAIL PROTECTED] ArtCom GmbH, Grazer Straße 8, D-28359 Bremen Voice +49 421 20419-44 / Fax +49 421 20419-10 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
