google-code-export / latex-lab

Automatically exported from code.google.com/p/latex-lab

LaTeX Security #34

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I'm working on a similar project but without Google stuff. I found no email
address or any other contact option to get in contact.
So I ask here:
Are there any security issues with LaTeX code? Did you make some special
filtering for commands that might be dangerous when executed on the server?

Original issue reported on code.google.com by hier.mai...@gmail.com on 13 Apr 2010 at 8:04

GoogleCodeExporter commented 9 years ago
When it comes to LaTeX security I would avoid thinking in terms of dangerous versus
safe commands, because there will be vulnerabilities in even routine commands that
the user may require.

The best approach is to assume that the environment may be compromised and attempt to
minimize and eliminate impact.

This means that, for example, the LaTeX server should be logically and physically
separate from the rest of the application, with access to only the minimum user
resources necessary.

In LaTeX Lab the LaTeX servers are separate and unaware of the rest of the app.
Documents reside in Google Docs and document requests need to be signed, which
ensures that the LaTeX environment, if compromised, can't gain access to any user
information or documents that the user has not made available for compiling.

The LaTeX server should sit isolated, from a network perspective, with minimum ports
exposed, and if possible exist in the form of a disposable VM. In LaTeX Lab the LaTeX
environment exists as a VM in the Amazon cloud.

Inside the actual LaTeX environment there should be a combination of the following:
1. ensure that LaTeX runs inside a minimal Linux jail
2. apply user permissions to regulate write and execute access
3. enforce execution timeouts for LaTeX processes
4. clear caches regularly
5. monitor running processes and connections

Additionally, allow and promote the usage of a local LaTeX compiler when one is
available.

Original comment by bobbysoa...@gmail.com on 13 Apr 2010 at 2:06
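
Added example, not part of the original thread and not LaTeX Lab's code: a Python wrapper covering items 3 and 4 of the list above (execution timeout, per-job scratch directory wiped after every run), plus resource limits and disabled shell escape. It assumes Linux and a kpathsea-based TeX distribution with `pdflatex` in `/usr/bin`; `compile_confined`, `pdflatex_cmd` and the limit values are hypothetical names and numbers chosen for this example.

```python
import os, resource, shutil, signal, subprocess, tempfile

# Assumed per-job ceilings; tune them for the documents you expect.
LIMITS = {
    resource.RLIMIT_CPU: 15,            # CPU seconds
    resource.RLIMIT_FSIZE: 50 * 2**20,  # bytes per written file
    resource.RLIMIT_AS: 2**30,          # bytes of address space
}

def pdflatex_cmd(tex_name="main.tex"):
    # -no-shell-escape disables \write18, so the document cannot spawn commands.
    return ["pdflatex", "-no-shell-escape", "-interaction=nonstopmode",
            "-halt-on-error", tex_name]

def _apply_limits():
    # Runs in the child after fork and before exec.
    for res, want in LIMITS.items():
        _, hard = resource.getrlimit(res)
        cap = want if hard == resource.RLIM_INFINITY else min(want, hard)
        resource.setrlimit(res, (cap, cap))

def compile_confined(source, cmd=None, timeout_s=20):
    """Compile in a throwaway directory. Returns (status, log, pdf_or_None)."""
    jobdir = tempfile.mkdtemp(prefix="texjob-")
    try:
        with open(os.path.join(jobdir, "main.tex"), "w") as fh:
            fh.write(source)
        # Minimal environment; "p" (paranoid) tells kpathsea to reject
        # absolute and parent-directory paths in file reads and writes.
        env = {"PATH": "/usr/bin:/bin", "HOME": jobdir,
               "openin_any": "p", "openout_any": "p"}
        proc = subprocess.Popen(
            cmd or pdflatex_cmd(), cwd=jobdir, env=env,
            stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT, start_new_session=True,
            preexec_fn=_apply_limits)
        try:
            log, _ = proc.communicate(timeout=timeout_s)
            status = "ok" if proc.returncode == 0 else "failed"
        except subprocess.TimeoutExpired:
            os.killpg(proc.pid, signal.SIGKILL)  # whole session, not just pdflatex
            log, _ = proc.communicate()
            status = "timeout"
        pdf_path = os.path.join(jobdir, "main.pdf")
        pdf = open(pdf_path, "rb").read() if os.path.exists(pdf_path) else None
        return status, log, pdf
    finally:
        shutil.rmtree(jobdir, ignore_errors=True)  # no state survives the job
```

The jail and the dedicated low-privilege user from items 1 and 2 still have to come from the host; this wrapper only bounds what a single compile can consume and leave behind.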

GoogleCodeExporter commented 9 years ago
A couple more:
6. ensure OS updates and patches are up to date.
7. rotate and recycle the LaTeX environment if using VMs.

Original comment by bobbysoa...@gmail.com on 13 Apr 2010 at 2:17

GoogleCodeExporter commented 9 years ago

Original comment by bobbysoa...@gmail.com on 20 Apr 2010 at 1:26

GoogleCodeExporter commented 9 years ago
Thx bobby, this all sounds reasonable. I'll see if my servers can handle a few pdflatex
commands at the same time from various users. I also tried pdf2swf, which works ok -
you can then use some nice Flash viewers which are not as buggy as Acrobat Reader.

Original comment by hier.mai...@gmail.com on 20 Apr 2010 at 4:52

GoogleCodeExporter commented 9 years ago
Thanks for the tip on pdf2swf, it looks interesting.

Original comment by bobbysoa...@gmail.com on 20 Apr 2010 at 5:27