bug-m4
debian bug 5898 - security option


From: Eric Blake
Subject: debian bug 5898 - security option
Date: Mon, 31 Jul 2006 21:04:43 -0600
User-agent: Thunderbird 1.5.0.5 (Windows/20060719)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=5898

Yes, you read that right - an open bug with only a 4-digit ID.  9 years
and 236 days old.

> There should be an option to disable `dangerous' operations like
> writing files and executing programs, and another to disable reading
> files too.
>
> Dangerous builtins include (according to the Info page):
>    debugfile syscmd esyscmd sysval maketemp
>
>   File reading builtins include:
>    include sinclude

The idea might be nice for m4 2.0, but is not worth adding to the 1.4.x
branch.  My take on what a --secure option would disable:

debugfile (it can overwrite arbitrary existing files)
syscmd (it invokes arbitrary shell commands)
esyscmd (likewise)
maketemp (invoked enough times, it can form a denial-of-service by
creating lots of files)
builtin (at least, builtin on any of the restricted commands)

However, I see no reason to disable sysval (although it always results in
0 if you don't have [e]syscmd).  And I don't see how reading files can be
a security issue, since the person executing m4 can read those files from
the command line in the first place, so include, sinclude, and undivert
should remain active.

--
Life is short - so eat dessert first!

Eric Blake             address@hidden
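Added example, not part of the message above and not m4 code: a static pre-check in Python that flags uses of the builtins the message would disable under --secure, including calls routed through builtin, while leaving sysval, include, sinclude and undivert alone. The names audit, SAMPLE and UNRESOLVED and the sample input are constructed for illustration; a text scan cannot see macro names assembled during expansion, so it is a review aid, not an enforcement mechanism.

```python
import re

# Builtins the message would disable under --secure, with the reason it gives.
RESTRICTED = {
    "debugfile": "can overwrite arbitrary existing files",
    "syscmd": "invokes arbitrary shell commands",
    "esyscmd": "invokes arbitrary shell commands",
    "maketemp": "repeated calls create many files (denial of service)",
}
UNRESOLVED = "builtin target is not a plain quoted literal; cannot be cleared statically"

NAME = r"[A-Za-z_][A-Za-z0-9_]*"
WORD = re.compile(NAME)
# builtin(`name', ...) with default m4 quotes; any other first argument lands in group 2.
BUILTIN_CALL = re.compile(
    r"(?<![A-Za-z0-9_])builtin\(\s*(?:`(" + NAME + r")'(?=\s*[,)])|([^,)]*))"
)

def audit(text):
    """Return sorted (line, what, why) findings for m4 source text.

    Conservative: quoted and commented words are reported too, because
    m4 may rescan quoted text later.
    """
    findings, covered = [], []
    for m in BUILTIN_CALL.finditer(text):
        covered.append(m.span())
        line = text.count("\n", 0, m.start()) + 1
        target = m.group(1)
        if target is None:
            findings.append((line, "builtin", UNRESOLVED))
        elif target in RESTRICTED:
            findings.append((line, "builtin->" + target, RESTRICTED[target]))
    for m in WORD.finditer(text):
        inside_call = any(a <= m.start() < b for a, b in covered)
        if m.group() in RESTRICTED and not inside_call:
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(), RESTRICTED[m.group()]))
    return sorted(findings)

# Constructed sample input, not taken from the bug report.
SAMPLE = """\
include(`common.m4')
define(`greet', `Hello $1')
syscmd(`date')
builtin(`esyscmd', `id')
builtin(`len', `abc')
builtin(NAME, `x')
sysval
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```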



