:: Re: [DNG] Security Policies
Página Inicial
Delete this message
Reply to this message
Autor: Didier Kryn
Data:  
Para: dng
Assunto: Re: [DNG] Security Policies
Le 23/03/2023 à 23:00, Ken Dibble a écrit :
> Sorry for the overly general subject.
>
> I really couldn't quickly establish a subject that would encompass my
> thoughts.
>
>
> The Event:
>
> I don't usually do graphics stuff (no talent), but occassionally I am
> called upon by family
>
> to help them.  In this instance it was a child's drawing and writing
> samples being sent to a
>
> specialized physician.  For some reason they would not accept anything
> other than pdf
>
> and the source material was most certainly not a pdf.
>
> The first thought was the 'convert' tool from imagemagick.  It would
> not allow me to change
>
> the jpegs to pdf.   The reason given was imagemagick security policy.
>
>
> For Reference here is the url:
> https://imagemagick.org/script/security-policy.php
>
>
> I do not know who makes decisions.  I do know that having a bunch of
> people
>
> running around making conflicting decisions is a bad idea.
>
> Linux already has the often hated AppArmor.  But there is no entry for
> ImageMagick
>
> in /etc/apparmor.d/.  So this was not a case of 'whomever' trying to
> supplement
>
> or improve something.  It was either a case of not knowing of
> alternatives, being
>
> to lazy or ignorant to try to find them, or just saying 'my way'.
>
>
> If the way forward is for everyone to create their own policies,
> formats, file locations, etc., then my opinion is that we may as well
> all pack up our stuff and go to RedHat, Ubuntu, or Microsoft.
>
>
> I have no idea how widespread this 'do things my way and ignore
> everybody else' attitude and
>
> implementation is.  My only hope is that someone of some influence
> grinds it to a halt before
>
> it spreads.



    Imagemagick developpers habve become mental. Their software is
delivered non-working by explicit design. I would imagine Debian would
have changed that, but no.

    To make it usable, you should modify /etc/ImageMagick-6/policy.xml
(if acl allows you to do so) in the following way: replace every
occurence of 'rights="none"' with 'rights="all"' . Needless to do it
inside xml comment-lines <?-- ...-->.

    I acl forbids you to do it, there's probably some tool you have to
learn to use to change the acl, but the simplest way is to remount /
whith -o noacl.

--     Didier