On 12/12/2016 12:04, Helge Hafting wrote:
In the general case, make a script (or utility program) that runs the dangerous converter in a chroot, where nothing dangerous can be done. No need for questions then. LyX already puts the document files in a temp directory so the cleanup after a latex run will be easier. chrooting before running a converter means the converter can't overwrite files outside the chroot, which helps quite a bit security-wise.
unfortunately, chroot-ing also makes the system inaccessible/invisible, that's why I'm looking into AppArmor instead, which is essentially a "chroot on steroids". However, AA is more difficult to get right, and it will work "out of the box" only on a limited set of distros. On the other hand, the immediate, always working across any OS and portable security mitigation (to possible threats/viruses starting to spread as lyx docs), is the one to show up a dialog and ask the user -- I know, it's reminding all of us of smth, but also please remember that it won't show up always, rather only if you're using a few selected converters. As for batch conversions, we could have an option (even a LyX-wide option) saying --assume-yes or --assume-no or similar, that would actually prevent any question to be asked.
I hope future LyX won't be asking security questions most people can't answer with any confidence. I might be able to answer such questions; but only if I review the sw in question, which I certainly won't have time for.
thanks for your honest opinion, Helge. Please, remember you can disable these security settings from the already added preferences options, if you feel these are just productivity stoppers. Now, you're just raising the rightful point on whether we can really ship with these options ON by default, the first time, namely whether it's worthwhile to see users annoyed due to enabling them. Thanks, T.
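For readers following the chroot-versus-AppArmor discussion above, here is the shape an AppArmor profile for a converter wrapper would take. It is an added illustration, not a profile shipped by LyX or proposed in this thread; the wrapper path `/usr/local/bin/lyx-converter-wrapper`, the converter binary `/usr/bin/dangerous-converter` and the temp-directory prefix `/tmp/lyx_tmpdir*` are assumed names chosen for the example. The idea is the one Helge describes for chroot (the converter can only touch the document's temp directory) while keeping the rest of the filesystem readable, which is the "chroot on steroids" property Tommaso mentions.

```apparmor
# Example profile, assumed path: /etc/apparmor.d/usr.local.bin.lyx-converter-wrapper
# All file names below are assumptions for illustration, not LyX's real layout.
#include <tunables/global>

/usr/local/bin/lyx-converter-wrapper {
  #include <abstractions/base>

  # The wrapper itself, and the converter it execs under this same profile (ix)
  /usr/local/bin/lyx-converter-wrapper r,
  /usr/bin/dangerous-converter ix,

  # Write access only inside the per-document temp directory LyX already creates
  owner /tmp/lyx_tmpdir*/ rw,
  owner /tmp/lyx_tmpdir*/** rw,

  # The system stays visible (readable) so the converter can find its libraries and data
  /etc/ld.so.cache r,
  /usr/lib/** mr,
  /usr/share/** r,

  # Nothing in the user's home may be read, written or executed by the converter
  deny @{HOME}/** rwx,

  # A document converter has no business on the network
  deny network,
}
```

To check a profile like this before enforcing it, load it with `aa-complain` first so violations are only logged; the `DENIED` lines in the audit log then show exactly which paths a given converter legitimately needs, which is the "difficult to get right" part referred to above. Only after the log is quiet for the converters in normal use should the profile be switched to enforce mode.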