You have to be careful with the --safer
option. lualatex --safer file.tex
correctly disables many things. But lualatex file.tex --safer
doesn't disable your example or os.remove()
or give warnings about an incorrectly located option (at least with TeX Live 2012 under Windows).
According to the LuaTeX manual, --safer
disables the following:
- os
- execute, exec, setenv, rename, remove, tmpdir
- io
- lfs
- rmdir, mkdir, chdir, lock, touch
Furthermore, it disables loading of compiled LUA libraries (support for these was added in 0.46.0), and it
makes io.open()
fail on files that are opened for anything besides reading.
After a quick look through the documentation on these three libraries, I don't see much else obvious that could cause mischief. lfs.link()
might be used to create a symlink and possibly cause issues under some circumstances.
You might also want the --no-socket
option.
--nosocket
makes the socket library unavailable, so that LUA cannot use networking.
Your first question is somehow difficult to answer, but to do so, you should answer the question "How confidential your data is?".
When you use a service like sharelatex, in some point they are going to host your data. Even though they say your data is being hosted on secure third parties, still someone else have your data. Now, am I telling you they are going to read your confidential data? No.
The point is, when a third party is hosting any type of data, theoretically they can read or use it. If you use google to email them or dropbox to share them, they are still on those companies' servers. You do not hear or read news about hosts stealing scientific ideas (or perhaps they do!), but you do hear news about your data not being exposed. In particular, sharelatex has one problem that their privacy on this matter is not that clear:
ShareLaTeX uses third parties to host our services and store your
data. You retain all rights to the data you upload to ShareLaTeX.
Which brings us to my first question again. How confidential your data is?
If you have solved P vs. NP or any a Millennium Prize Problems, you better not to go with sharelatex (or dropbox or many other services for that matter).
Before going to your second point, I would like to emphasis that I have not used their service and what I wrote does not question their honesty, integrity and quality of their services. I just suggest not use it when your data if of extreme confidentiality.
So what to do? There are so many solutions. First, if you really like share latex, they are now open source and they do encourage you to fork their code. You can make your own sharelatex and host your own data (their git repo).
Another solution is subversion or git. I have used both git and svn for single and multiple author works and both are fine. You can use them on your own servers or use online hosts. As you guessed correctly, the latter has the same problem as sharelatex, however, a host such as github is already hosting many closed source projects and you know you are not alone in this boat. But again, if you need ultimate security, you should host your own data. To read on trustworthiness of online repositories read 1,2,3.
By the way, as mico suggested in the comments perhaps you should find the source of the problem. If you decide to go with one of the online repositories yet use you own machines to compile the latex source, you eventually need to look at latex with platform independent
glasses. If you and your collaborators use same versions of latex and avoid using obsolete packages, you should not have any problem. To put into perspective, recently we finished a paper that was written on Linux, Mac and windows.
I have two final notes regarding online latex service like sharelatex. Firstly, by using their services you have to give up some of your freedom. What if you want a non-standard latex package that is not supported by your online engine? You are only the lord of your own garden! Second, despite of all I said about security, in many cases, Source code is worthless.
Best Answer
I think my answer will be totally biased, but here it goes.
:)
It's quite subjective for me to afirm that
arara
is safe or secure. It's just a program with a specific purpose, just like most of the tools available out there. Maybe the best answer I can come up with is: it depends.arara
per se simply expands directives into commands through rules that specify the way this expansion shoud happen. Commands are then delegated to the underlying operating system.The program requires a valid directive (mapped to a rule) in order to run, otherwise the process stops.
If there are no directives,
arara
will also complain.If we run
arara
with the--log
option enabled, we can have a list of directives found in the.tex
file.Heiko suggested a
--dry-run
option toarara
, which consists of simulating the execution without actually running the commands. Hopefully it will be available in the upcoming version.After getting the directives,
arara
will look for rules.arara
shows the full path for the rule according to the directive. Then the commands will be executed.Back to the question. Is it possible to run malicious code through
arara
? Yes. Is this a problem? No.:)
After all, we can get, say, a Perl program and deliberately inject code into its execution. Or write a.tex
file with malicious Lua code inside it. Or have a naughty Makefile that runsrm -rf /
in our system.I think the security issues are valid. Let's see an example, the
clean
rule.Using this directive
will make
arara
remove two files,foo.aux
andfoo.log
. There's an important check which preventsarara
from removing the main.tex
file if nofiles
directive argument is provided. Say,does nothing.
Let's say we will replace the
default
instruction byIf we try
the main
.tex
file (possiblyfoo.tex
) will be gone! Neat isn't it?:)
Of course, we are talking about a faulty rule.
arara
has the following workflow:That's the basic idea behind the program.
It might be worth mentioning that the program makes use of a library to execute these external commands which doesn't allow subshell calls.
Anyway, I really don't know what else to say.
:)
We are all vulnerable to malicious packages, but that's a risk we need to take. Thankfully, source code has to be available in order to hit CTAN (not entirely true, but true for packages), so we can always check entries for suspicious elements.As I said, LuaTeX for example allows I/O from Lua, which can also be dangerous. We are exposed to some level of threat at some time, it depends our use.
:)
And running
arara
(or any program) in a server without a sandbox... ouch.:)