alo@kampi.hut.fi (Antti Louko) (03/15/91)
Some time ago I had to implement a page count restriction feature for our spooled LaserWriters. First I considered changing some of the device-dependent routines (redwrite etc., I don't remember anymore), but fortunately I decided to take another approach. I decided to replace the showpage and copypage operators by my own routines which first check the page limit and then do the actual showpage or copypage, or stop if the page count is exceeded.

A portion of this mess looks something like this:

    /hiddendict 100 dict begin
      /checkpagelimit { ... } bind executeonly def    % body omitted here
      /old-systemdict systemdict def                  % keep the real systemdict
      /showpage-orig /showpage load def               % keep the real showpage
    currentdict end def

    /showpage {
      //hiddendict begin
        checkpagelimit
        old-systemdict /showpage get exec
      end
    } bind executeonly def

    /hiddendict 0 def                                 % hide the name; the proc keeps its own reference

But this didn't solve the whole problem. The original systemdict was still accessible and a malicious user can redefine showpage to the original one and defeat pagelimit. Well, I made a copy of systemdict and put it in userdict. Now users cannot access systemdict. Wrong, he can still access it using the "dictstack" or "where" operators. I had to replace those, too. I am still not sure that the user cannot get the original systemdict with some trick.

Moral of the story:

systemdict should be writeable!

Antti Louko (alo@hut.fi)
Helsinki University of Technology
Computing Centre
Otakaari 1
SF-02150, Espoo
FINLAND
tel. work +358 0 4514314
telefax +358 0 464788

P.S. Should I redefine eexec, too? If it is redefined, the user cannot include Type 1 fonts in his jobs. If it is not redefined, the user can get showpage by eexec-encrypting

    /showpage load currentfile closefile

and feeding it to eexec.

An alternative to a writeable systemdict would be to add a setsystemdict operator which would effectively replace systemdict everywhere in the PostScript interpreter. It would suffice if it were in internaldict. I would really appreciate comments from Adobe, too.
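Below is an added example, not the poster's own prologue, of the scheme the post sketches carried through to the point it describes: showpage and copypage wrapped by a page-limit check, and the three ways it names of reaching the real operators (`systemdict /showpage get`, `dictstack` and `where`) closed. It assumes the spooler prepends the prologue to every job so that it runs in userdict before any user code, that the interpreter understands immediately evaluated names (`//name`), and a limit of 10 pages; the names `hiddendict`, `fakesystemdict`, `checkpagelimit` and the `real*` entries are this example's own. It deliberately leaves eexec alone, as the P.S. discusses.

```postscript
%!PS-Adobe-2.0
% Added example (not the original poster's code).  Page-limit prologue:
% wraps showpage/copypage and hides the real systemdict from
% "systemdict /x get", dictstack and where.  Assumed: prepended to each
% job by the spooler, //name supported, limit = 10 pages.

/hiddendict 20 dict def
hiddendict begin
  /pagelimit 10 def                            % assumed per-job limit
  /pagecount 0 def
  /realsystemdict systemdict def               % the genuine systemdict
  /realshowpage  systemdict /showpage  get def
  /realcopypage  systemdict /copypage  get def
  /realdictstack systemdict /dictstack get def
  /realwhere     systemdict /where     get def
  % Count one page; abort the job once the limit is exceeded.  The counter
  % lives only in hiddendict.  Nothing below ever does "hiddendict begin":
  % a dictionary on the dictionary stack is visible to dictstack and where.
  /checkpagelimit {
    //hiddendict /pagecount 2 copy get 1 add put
    //hiddendict /pagecount get //hiddendict /pagelimit get gt {
      (page limit exceeded\n) print flush stop
    } if
  } bind executeonly def
end

% Replacements live in userdict, so they shadow the operators in systemdict.
% Nested procedures are not covered by the outer executeonly, so no nested
% procedure below carries a //hiddendict reference.
/showpage {
  //hiddendict /checkpagelimit get exec
  //hiddendict /realshowpage get exec
} bind executeonly def

/copypage {
  //hiddendict /checkpagelimit get exec
  //hiddendict /realcopypage get exec
} bind executeonly def

% dictstack: run the real operator, then overwrite element 0, which is
% always the (permanent, bottom-most) real systemdict, with the look-alike.
/dictstack {                                   % array -- subarray
  //hiddendict /realdictstack get exec
  dup 0 //hiddendict /fakesystemdict get put
} bind executeonly def

% where: if the real operator reports the real systemdict, report the
% look-alike instead.
/where {                                       % key -- dict true | false
  //hiddendict /fakesystemdict get             % key fake
  //hiddendict /realsystemdict get             % key fake real
  3 -1 roll                                    % fake real key
  //hiddendict /realwhere get exec             % fake real dict true | fake real false
  { dup 3 -1 roll eq { pop } { exch pop } ifelse true }
  { pop pop false }
  ifelse
} bind executeonly def

% The look-alike systemdict: a copy of the real one with the wrappers
% swapped in and /systemdict pointing back at the copy, so neither
% "systemdict /showpage get" nor "systemdict /systemdict get" reaches the
% real operators.  Read-only, like the original.
/fakesystemdict systemdict dup length dict copy def
fakesystemdict /systemdict fakesystemdict put
fakesystemdict /showpage  /showpage  load put
fakesystemdict /copypage  /copypage  load put
fakesystemdict /dictstack /dictstack load put
fakesystemdict /where     /where     load put
fakesystemdict readonly pop
hiddendict /fakesystemdict fakesystemdict put
/systemdict fakesystemdict def

% Finally wipe the names user code could look up.  The wrappers still reach
% hiddendict through their //hiddendict literals, which executeonly hides.
/fakesystemdict 0 def
/hiddendict 0 def
```

A job that wraps showpage in `stopped` can swallow the `stop`, but since the check runs before the real operator, no page past the limit is ever printed; every later showpage stops again. Two things this does not address: the eexec route from the P.S. (eexec is left intact so Type 1 fonts still download), and, on a Level 2 interpreter, `userdict /systemdict undef` removes the shadowing entry and name lookup falls through to the real systemdict again, which is the poster's point that userdict-level shadowing is not a real boundary.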
glenn@heaven.woodside.ca.us (Glenn Reid) (03/28/91)
In article <1991Mar15.075038.18944@santra.uucp> alo@kampi.hut.fi (Antti Louko) writes:

[ some details omitted ]

> But this didn't solve the whole problem. The original systemdict was
> still accessible and a malicious user can redefine showpage to the
> original one and defeat pagelimit. Well, I made a copy of systemdict
> and put it in userdict. Now users cannot access systemdict. Wrong, he
> can still access it using "dictstack" or "where" operators. I had to
> replace those, too. I am not still sure that user cannot get the
> original systemdict with some trick.
>
> Moral of the story:
>
> systemdict should be writeable!

The reason you want to be able to write into systemdict is to make security (and/or accounting) tighter, so it can't be circumvented. This is a very interesting problem, as you point out. Without offering anything useful, let me challenge you with the thought that, if systemdict were indeed writable, it could be written by the same people whom you would like to prevent from getting at it. At the very least, systemdict should not be writable unless the exitserver password is supplied, giving some level of security.

I haven't looked around much, but there's also the possibility that a pointer to systemdict is stored in one of the built-in procedures (like findfont), and a copy of systemdict could potentially be retrieved from such a place (another thing for you to consider, in addition to redefining eexec). Be careful with eexec or downloaded fonts won't work!

As a side note, Sun's NeWS interpreter has a writable systemdict. Security is much more important on a window server than on a printer, so perhaps some NeWS users could supply some war stories as to the advisability of this approach.

Let us know what you find out.

--
Glenn Reid                      RightBrain Software
glenn@heaven.woodside.ca.us     NeXT/PostScript developers
..{adobe,next}!heaven!glenn     415-851-1785 (fax 851-1470)