[OS X TeX] Testing Hardened Runtime in Basic TeX

Richard Koch koch at uoregon.edu
Sat May 18 22:06:48 CEST 2019


Gosh, we work for years on this stuff, and then it turns out that users are oblivious to it.  (No criticism, just a little astonishment!)

1) BasicTeX does not install GUI apps. It just installs a TeX Distribution. Your current GUI apps work fine with it.

2) BasicTeX is installed in /usr/local/texlive/2019basic. BasicTeX-2019-Hardened is installed in /usr/local/texlive/2019basic-hardened. The full TeX Live 2019 is in /usr/local/texlive/2019.

3) All TeX Distributions from us share ~/Library/texmf

4) Sometimes TeX Distributions need to write information (like font data) when being run by a user in user mode. They do this using special folders in ~/Library/texlive. Each distribution has two folders here for different kinds of data. The full TeX Live 2019's folders in this location are 2019/texmf-var and 2019/texmf-config. For BasicTeX this year, they are 2019basic/texmf-var and 2019basic/texmf-config. The hardened versions use 2019basic-hardened/texmf-var and 2019basic-hardened/texmf-config. All very systematic.

5) Long ago, Gerben Wierda and Jerome Laurens invented a "TeXDist data structure". Every one of our TeX Live based distributions has data there. Also, /Library/TeX/texbin, /Library/TeX/Documentation, /Library/TeX/Root point into this data structure. In particular, TeXLive-2018, TeXLive-2019, BasicTeX-2018, BasicTeX-2019, and BasicTeX-2019-Hardened each have sections of data there.

6) Remember long ago when Jerome Laurens had a Preference Pane which switched the active data? This pane actually switched a symbolic link in the TeX Dist data (NOT /Library/TeX/texbin, but some more hidden link).
Switching this link automatically switched EVERYTHING, so your GUI apps, the command line, and everything suddenly used a different TeX Distribution.

7) More recently, TeX Live Utility is used to switch the default TeX distribution. It does exactly the same thing that the old Preference Pane did. The pane is now obsolete because Apple kept switching the standards which Pref Panes need to use: universal-binary, then 32-bit Intel, then 64-bit Intel with Garbage Collection, then 64-bit Intel without Garbage Collection but using Automatic Reference Counting. That's because Pref Panes are plug-ins for Apple's Preference Pane application, so any change in that application changed how Pref Panes work. So we switched to TeX Live Utility.

8) So the answer to your full set of questions is that you can switch between TeXLive-2019 and BasicTeX-2019-Hardened exactly like you currently switch between TeXLive-2018 and TeXLive-2019.

Dick Koch
koch at uoregon.edu

> On May 18, 2019, at 12:33 PM, Murray Eisenberg <murrayeisenberg at gmail.com> wrote:
> 
> Although you say that installing BasicTeX-2019-Hardened will not overwrite MacTeX-2019, could you clarify some aspects of that claim?
> 
> (1) Will existing GUI apps in /Applications/TeX, such as TeXShop.app, TeX Live Utility.app, be overwritten?
> 
> 	What about existing ~/Library/texlive/2019, ~/Library/TeXShop ? (Also see #2, below.)
> 
> (2) Installing BasicTeX-2019-Hardened must change the symbolic links  /Library/TeX/texbin and, I presume, /Library/TeX/Documentation, /Library/TeX/Root, and /Library/TeX/Distributions/Programs/texbin. 
> 
> 	Any others?
> 
> (3) If I need to revert to the regular (full) MacTeX-2019 already installed, is there anything else I need to do besides changing those symbolic links back?
> 
> 
>> On 17 May 2019, at 5:38 PM, Richard Koch <koch at uoregon.edu> wrote:
>> 
>> Folks,
>> 
>> I'm hoping to recruit MacTeX users, particularly those running BasicTeX, to test a new distribution which will replace the current one this fall. This task should be easy:
>> 
>> 1) Download the following install package, which has size 105 MB
>> 
>> 	https://pages.uoregon.edu/koch/BasicTeX-2019-Hardened.pkg
>> 
>> 2) Install the package. It will not overwrite BasicTeX-2019 or MacTeX-2019, and it should behave just like BasicTeX-2019
>> 
>> 3) Typeset your standard projects. If you run into difficulty, switch to your copy of BasicTeX-2019 and try again. If BasicTeX-2019 works but BasicTeX-2019-Hardened fails, write me and we will try to diagnose the problem.
>> 
>> I already tried pdflatex, xelatex, and lualatex on a 120 page document. All three worked fine.
>> 
>> Feel free to use TeX Live Utility to upgrade BasicTeX-2019 and BasicTeX-2019-Hardened during the test. This is not entirely optimal, since if any actual binaries are updated, then the hardened originals will be replaced by ordinary new copies. But we seldom update actual binaries during the year.
>> 
>> Later this summer, I'll call for a similar test of MacTeX-2019-Hardened. Let's wait for that test until after the Apple Developer Conference in the first week of June to see if Apple has further information about hardened runtimes.
>> 
>> --------------------------
>> 
>> Explanation: For many years, all of the MacTeX install packages have been signed. This April, Apple told developers that starting with macOS 10.15 this fall, install packages must be both signed and NOTARIZED.
>> To notarize a package, the developer sends it to Apple. Machines at Apple examine the package for hidden viruses. If none are found, a certificate is mailed back to the developer and "stapled" to the install package. According to Apple, no human hands examine the install package. This is a service to ensure that viruses are not accidentally distributed with install packages.
>> 
>> The package Ghostscript 9.27 released last month was signed and notarized, but BasicTeX and MacTeX were only signed.
>> 
>> The real point of notarization is that all applications and binary command programs installed by the package must adopt a hardened runtime. This is explained next.
>> 
>> --------------------------
>> 
>> When I retired from the University of Oregon in 2002, the freshman dorms had newly installed ethernet jacks. Entering freshmen discovered a CD and a paper with instructions taped over the jack. The instructions warned that students should install the virus checkers on the CD before connecting their computer to ethernet. "Failure to follow these instructions will result in denial of ethernet access in this room", the sheet warned. Then it added "Macintosh users can ignore these instructions."
>> 
>> Those days are long gone.
>> 
>> In 2002, Mac users felt secure because their computer ran Unix, which has excellent protection of the kernel and regular users against irresponsible users who download viruses and divulge their passwords. But today most Macs have a single owner, and security can fail because the user downloaded a poorly coded program.
>> 
>> If an application is compromised by a security attack, the attacker can use the application to do many dangerous things. He or she could access the video camera or the microphone; they could download the owner's Contact list or read their mail. They could download a third party Library and dynamically link to the library, or compile their own JIT code and run that code. Most of these are not things the original application needed to do or was programmed to do. Apple has provided a list of 13 dangerous operations; if an application running with a hardened runtime attempts to do any of these dangerous things, it is immediately shut down. Think of this as a "gift" to developers from Apple. The developer has no intention of opening your microphone and recording everything you say, but even if a hacker takes over, that hacker cannot turn on the microphone.
>> 
>> However, some applications will want to do one or two of these prohibited operations. I've always dreamed of a TeX editor which used the video camera to scan handwritten commutative diagrams, and converted the scan into TeX code.
>> 
>> So the list of 13 dangerous operations is accompanied by a list of 13 exceptions which developers can claim. A developer who wants to use the video camera can file an exception to that restriction, and then that developer is free to use the video camera.
>> 
>> Note that there are the same number of exceptions as restrictions. Theoretically a developer could claim all 13 exceptions and then the hardened runtime would have no effect. Nobody at Apple approves exceptions, or even sees them. In Xcode, for instance, a developer claims exceptions by checking boxes. Check 13 boxes and that developer is free to do anything.
>> 
>> The full list of restrictions and exceptions is available from Apple:
>> 
>>    https://developer.apple.com/documentation/security/hardened_runtime_entitlements#
>> 
>> Only two command line programs in BasicTeX required exceptions. One of the prohibited actions is dynamically linking with Third Party code signed by a different developer. Luckily, TeX Live contains its own libraries statically linked. The one exception is X11, which most Linux and Unix systems provide directly. On the Macintosh, X11 is provided by a third party open source group. The programs mf and xdvi-xaw link with this X11 code and required exceptions.
>> 
>> --------------------------
>> 
>> Several years ago, Apple introduced "sandboxing" and required that all apps available through the Apple Store be sandboxed. A sandboxed application cannot perform various dangerous tasks. One of the prohibited operations is calling another program, a restriction which is almost fatal for TeX. Some of my friends fear that Apple is moving in the direction of requiring that all apps be sandboxed, and that only programs available in the App Store will be allowed to run on the machine. I do not share this pessimistic point of view, partially because many Apple engineers came from the open source movement, and partially because Apple officials have often declared that they have no intention of merging the Mac with the iPad and iPhone. But whether I am right or wrong, hardened runtimes are not something we need worry about. They are Apple's way of aiding developers to establish security, while not restricting what their programs can do.
>> 
>> 
>> Richard Koch
>> koch at uoregon.edu
>> ----------- Please Consult the Following Before Posting -----------
>> TeX FAQ: http://www.tex.ac.uk/faq
>> List Reminders and Etiquette: https://sites.esm.psu.edu/~gray/tex/
>> List Archives: http://dir.gmane.org/gmane.comp.tex.macosx
>>               https://email.esm.psu.edu/pipermail/macosx-tex/
>> TeX on Mac OS X Website: http://mactex-wiki.tug.org/
>> List Info: https://email.esm.psu.edu/mailman/listinfo/macosx-tex
> 
> ---
> Murray Eisenberg			murrayeisenberg at gmail.com
> 503 King Farm Blvd #101	Home (240)-246-7240
> Rockville, MD 20850-6667	Mobile (413)-427-5334
> 
> 

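The quoted explanation describes hardened-runtime restrictions and the entitlements (exceptions) a binary can claim, and says mf and xdvi-xaw needed one for X11. The script below is an added example, not code from the list or from the MacTeX project: it classifies a binary's `codesign -d -vvv --entitlements :-` output as hardened or not and lists the entitlement keys it claims, so a user can check what an installed TeX binary actually asks for. The binary path in the comment and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the list post). On macOS, run e.g.
#   hardened_status /usr/local/texlive/2019basic-hardened/bin/x86_64-darwin/mf
# (path is an assumption; use the real binary directory on your machine).

# Pure-text classifier so it can be exercised with captured output on any OS.
# Prints "hardened" or "unhardened" on the first line, then one
# "entitlement: <key>" line per com.apple.security.* entitlement claimed.
classify_codesign_output() {
    out=$1
    # codesign reports the hardened runtime as the "runtime" code-directory flag
    if printf '%s\n' "$out" | grep -q 'flags=.*runtime'; then
        echo hardened
    else
        echo unhardened
    fi
    # entitlements are printed as a plist; pull out each <key> name
    printf '%s\n' "$out" | sed -n 's/.*<key>\(com\.apple\.security\.[^<]*\)<\/key>.*/entitlement: \1/p'
}

# Runs codesign (macOS only) and feeds its output to the classifier.
# Details go to stderr and the entitlements plist to stdout, hence 2>&1.
hardened_status() {
    classify_codesign_output "$(codesign -d -vvv --entitlements :- "$1" 2>&1)"
}

# Constructed sample (not captured from the real package): a hardened binary
# claiming the library-validation exception, the kind needed to link X11.
SAMPLE_MF='Executable=/usr/local/texlive/2019basic-hardened/bin/x86_64-darwin/mf
Identifier=mf
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+2 location=embedded
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>'

# Constructed sample: a signed but not hardened binary with no entitlements.
SAMPLE_PLAIN='Executable=/usr/local/texlive/2019basic/bin/x86_64-darwin/pdftex
Identifier=pdftex
CodeDirectory v=20200 size=900 flags=0x0(none) hashes=20+2 location=embedded'
```

A binary that reports "hardened" with no entitlement lines is the fully restricted case the post describes; each extra entitlement line is one of the exceptions the developer has claimed.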