[tex-live] Recommended way to call tlmgr when TeX Live installed with root permissions
Scott Kostyshak
skostysh at lyx.org
Mon Sep 1 04:25:06 CEST 2014
On Sun, Aug 31, 2014 at 5:43 AM, Reinhard Kotucha
<reinhard.kotucha at web.de> wrote:
> On 2014-08-31 at 00:15:16 -0400, Scott Kostyshak wrote:
>
> > On Fri, Aug 29, 2014 at 11:59 PM, Norbert Preining <preining at logic.at> wrote:
> > > Hi,
> > >
> > > On Fri, 29 Aug 2014, Scott Kostyshak wrote:
> > >> Suppose that TeX Live is installed to /opt/texbin and requires root
> > >> permissions to call tlmgr to update the installation. What are the
> > >> recommended ways to call tlmgr? I see two approaches:
> > >>
> > >> 1. call it directly: sudo /opt/texbin/tlmgr (or create an alias)
> > >> 2. add /opt/texbin to root's PATH.
> > >>
> > >> (2) seems to be the most convenient option but I imagine it's
> > >> not a good idea from a security perspective. If this is true,
> > >> could someone outline a case where this would lead to a security
> > >> vulnerability?
> > >
> > > Both are fine. Why should adding /opt/texbin increase the
> > > security vulnerability?
> > >
> > > If someone is already root, he can call /opt/texbin/whatever
> > > without having it in the path.
> >
> > I was thinking more that if an intruder somehow has access to
> > /opt/texbin (without having full root permissions), they could do
> > something like put an executable file "ls" in there and thus trick
> > root into running arbitrary commands (or if PATH precedence would
> > obviate that, then "l" or some common misspelled command). I
> > suppose if they had access to /opt/texbin though, they could modify
> > tlmgr which would cause the same security problem for any
> > solution. Sounds like I'm thinking harder than I need to about
> > this.
>
> If everything in /opt/texbin is writable by root only then an intruder
> needs full root permissions in order to add or modify files.
>
> There is no reason to install TeX Live as root at all. You could do
>
> chown -R skostysh:users /opt/texbin
>
> and you don't have to be root in order to run tlmgr. It's more secure
> not to run programs as root. Alternatively you can create a dedicated
> account "texadmin". The advantage is that it has its own HOME
> directory and all the trojan horses you already have in your own HOME
> directory are not accessible.
>
> Please keep in mind: if an intruder is able to modify files on your
> system, you are already lost. Sure, it's worse if he can modify files
> owned by root because root can do things that normal users can't do.

I will think carefully about this. I agree that installing as root
does not seem to provide a benefit and if anything causes trouble.

Thanks for the explanations and advice!

Scott
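
An added example, not part of the original thread: a POSIX shell check of the condition Reinhard describes (a PATH directory that only its trusted owner can write to), to run before a directory such as /opt/texbin is put on root's PATH. The function name `audit_path` and its arguments are assumptions made for this illustration.

```shell
#!/bin/sh
# audit_path PATHSTRING [TRUSTED_UID]   (hypothetical helper, added example)
# Prints one "reason: dir" line per finding and returns 1 if there was any.
# Only the listed directories are checked, not their parents or contents.
audit_path() {
    path_string=$1
    trusted_uid=${2:-0}   # assumption: root (uid 0) should own every entry
    findings=0
    old_ifs=$IFS
    IFS=:
    set -f                # split on ':' only, without glob expansion
    for dir in $path_string; do
        case $dir in
            /*) ;;
            *)  # an empty or relative entry resolves against the current directory
                echo "relative-or-empty: '$dir'"
                findings=$((findings + 1))
                continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "missing: $dir"
            findings=$((findings + 1))
            continue
        fi
        # -L follows a symlinked entry; -maxdepth 0 tests the directory itself
        if [ -n "$(find -L "$dir" -maxdepth 0 ! -user "$trusted_uid" -print)" ]; then
            echo "owner-not-$trusted_uid: $dir"
            findings=$((findings + 1))
        fi
        if [ -n "$(find -L "$dir" -maxdepth 0 \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group-or-world-writable: $dir"
            findings=$((findings + 1))
        fi
    done
    set +f
    IFS=$old_ifs
    [ "$findings" -eq 0 ]
}

# Usage, as root: audit_path "/opt/texbin:$PATH"
```

After the `chown -R skostysh:users /opt/texbin` suggested in the thread, the owner check would report /opt/texbin when the trusted uid is left at 0, which is the expected result for a tree that is no longer meant to be on root's PATH.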