As a new user I would like to get suggestions from experts or other experienced users in this forum.
In Ubuntu (Linux) 10.04 LTS, I have downloaded and installed texlive (2011) from http://www.tug.org/texlive/acquire-netinstall.html. They have issued the following warnings:
1. "To the best of our knowledge, the core TEX programs themselves are (and always have been) extremely robust. However, the contributed programs in TEX Live may not reach the same level, despite everyone’s best efforts. As always, you should be careful when running programs on untrusted input; for maximum safety, use a new subdirectory."
What does this exactly mean? The installed program has already created its own directories and subdirectories (e.g. /usr/local/texlive/2011/bin/i386-linux). Am I supposed to create a new subdirectory in home to write files and run latex program? Exactly how do I know that the downloaded and installed program is not malicious?
2. "Finally, TEX (and its companion programs) are able to write files when processing documents, a feature that can also be abused in a wide variety of ways. Again, processing unknown documents in a new subdirectory is the safest bet."
Can anybody please explain what is implied by "a feature that can also be abused in a wide variety of ways"? How do I know in case something bad has really happened?
Re: Possible Security Hole in TeX Live Distribution
The point here is not the installation directory, but the directory your .tex file is in. Various parts of the process of creating a document need to write to files. For example, LaTeX creates a .aux file for each .tex file you use. It's also possible to create other file extensions, and also to execute system commands if 'write18' is enabled.
With the standard settings, running LaTeX on a file in <home>/my/folder can only write to <home>/my/folder or any subdirectories, and not to <home>/my or further 'up' the tree. So creating <home>/my/folder for each new .tex file is a good idea. (To see what might happen, imagine that I decide to set up some malicious code to write a file called 'cmd.exe' on Windows, or overwrite something in /etc/ on Linux.)
Joseph Wright
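An added example, not part of the original posts, for the question of how to tell whether a run wrote outside its folder or executed a command: it scans a TeX .log for file writes, refused writes and shell-escape entries. The sample log is constructed, paths are treated as POSIX-style, and the `\openout`, `runsystem` and "I can't write on file" line shapes are assumptions about what your TeX engine logs.

```python
import re
from pathlib import PurePosixPath

# Constructed sample log. The \openout, runsystem and error line shapes are
# assumptions about what the TeX engine in use writes to its .log file.
SAMPLE_LOG = r"""
\openout1 = `report.aux'.
\openout3 = `figures/plot.tmp'.
\openout4 = `../notes.txt'.
\openout5 = `/etc/example.conf'.
! I can't write on file `../../secret.txt'.
runsystem(kpsewhich article.cls)...executed safely (allowed).
runsystem(touch marker.txt)...disabled (restricted).
"""

OPENOUT = re.compile(r"\\openout\d+\s*=\s*`([^']+)'")
REFUSED = re.compile(r"I can't write on file `([^']+)'")
RUNSYSTEM = re.compile(r"runsystem\((.*)\)\.\.\.(executed|disabled)")


def escapes_workdir(name):
    """True if a target is absolute or climbs above the job folder."""
    path = PurePosixPath(name)
    if path.is_absolute():
        return True
    depth = 0
    for part in path.parts:
        depth += -1 if part == ".." else 1
        if depth < 0:
            return True
    return False


def audit_log(text):
    """Summarise file writes and shell commands recorded in a TeX log."""
    writes = OPENOUT.findall(text)
    return {
        "writes": writes,
        "outside": [w for w in writes if escapes_workdir(w)],
        "refused": REFUSED.findall(text),
        "executed": [c for c, s in RUNSYSTEM.findall(text) if s == "executed"],
    }


if __name__ == "__main__":
    for key, values in audit_log(SAMPLE_LOG).items():
        print(f"{key}: {values}")
```

TeX wraps log lines at a fixed width, so a long file name or command can be split across two lines and missed by these patterns.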