[tex-live] Recommended way to call tlmgr when TeX Live installed with root permissions

Scott Kostyshak skostysh at lyx.org
Mon Sep 1 04:21:48 CEST 2014


On Sun, Aug 31, 2014 at 4:08 AM, Zdenek Wagner <zdenek.wagner at gmail.com> wrote:
> 2014-08-31 6:15 GMT+02:00 Scott Kostyshak <skostysh at lyx.org>:
>> On Fri, Aug 29, 2014 at 11:59 PM, Norbert Preining <preining at logic.at> wrote:
>>> Hi,
>>>
>> ...
>>
>> I was thinking more that if an intruder somehow has access to
>> /opt/texbin (without having full root permissions), they could do
>> something like put an executable file "ls" in there and thus trick
>> root into running arbitrary commands (or if PATH precedence would
>> obviate that, then "l" or some common misspelled command). I suppose
>> if they had access to /opt/texbin though, they could modify tlmgr
>> which would cause the same security problem for any solution. Sounds
>> like I'm thinking harder than I need to about this.
>>
> Do you have different permission for subdirectories? If not, the user
> who can insert an executable into /opt/textbin, can also run
> successfully tlmgr.

Indeed. Thanks for pointing this out.

Scott


More information about the tex-live mailing list