[comp.lang.postscript] Why systemdict is not writeable?

alo@kampi.hut.fi (Antti Louko) (03/15/91)

Some time ago I had to implement a page count restriction feature for
our spooled LaserWriters. First I considered changing some of the
device-dependent routines (redwrite etc., I don't remember anymore),
but fortunately I decided to take another approach.

I decided to replace the showpage and copypage operators with my own
routines, which first check the page limit and then do the actual
showpage or copypage, or stop if the page count is exceeded.

A portion of this mess looks something like this:

/hiddendict 100 dict begin
    /checkpagelimit {
        ...                               % page-limit test omitted in the post
    } bind executeonly def
    /old-systemdict systemdict def        % reference to the real systemdict
    /showpage-orig /showpage load def     % the original showpage operator
    currentdict
end def

/showpage {
    //hiddendict begin                    % //hiddendict is resolved at scan time
        checkpagelimit
        old-systemdict /showpage get exec
    end
} bind executeonly def

/hiddendict 0 def                         % hide the name; the procedure keeps the dict

But this didn't solve the whole problem. The original systemdict was
still accessible, and a malicious user can redefine showpage to the
original one and defeat the page limit. Well, I made a copy of systemdict
and put it in userdict. Now users cannot access systemdict. Wrong, he
can still access it using the "dictstack" or "where" operators. I had to
replace those, too. I am still not sure that a user cannot get the
original systemdict with some trick.

Moral of the story:

systemdict should be writeable!

	Antti Louko (alo@hut.fi)
	Helsinki University of Technology
	Computing Centre
	Otakaari 1
	SF-02150, Espoo
	FINLAND
	tel. work +358 0 4514314
	telefax   +358 0 464788

P.S.

Should I redefine eexec, too? If it is redefined, a user cannot include
Type 1 fonts in his jobs. If it is not redefined, a user can get
showpage by eexec-encrypting

/showpage load
currentfile closefile

and feeding it to eexec.

An alternative to a writable systemdict would be to add a
setsystemdict operator which would effectively replace systemdict
everywhere in the PostScript interpreter. It would suffice if it were
in internaldict.

I would really appreciate comments from Adobe, too.
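As an added example (not code from either post), here is a fuller version of the wrapper sketched above, covering both the showpage/copypage replacement and the "dictstack"/"where" leak mentioned afterwards. The names hiddendict, checkpagelimit, old-systemdict, user-systemdict, pagelimit, pagecount, showpage-orig and copypage-orig are assumed for illustration, and the 50-page limit is a constructed sample value; it is meant to be sent as a job prologue so that the counter is per job.

```postscript
% Added example, not from the original posts. All names below and the
% 50-page limit are assumed for illustration.

/hiddendict 20 dict begin
    /pagelimit 50 def                       % constructed sample limit per job
    /pagecount 0 def                        % pages emitted so far in this job
    /old-systemdict systemdict def          % reference to the real systemdict
    /showpage-orig /showpage load def       % original operators, captured now
    /copypage-orig /copypage load def

    % Count a page, or end the job once the limit is reached.
    /checkpagelimit {
        pagecount pagelimit ge {
            (%%[ Error: page limit exceeded ]%%\n) print flush
            stop                            % unwinds to the job's stopped context
        } if
        /pagecount pagecount 1 add def
    } bind executeonly def
    currentdict
end def

% Wrappers for the page operators. //hiddendict is resolved by the scanner
% right now, so these keep working after the name hiddendict is hidden below.
/showpage {
    //hiddendict begin checkpagelimit showpage-orig end
} bind executeonly def

/copypage {
    //hiddendict begin checkpagelimit copypage-orig end
} bind executeonly def

% where and dictstack must not hand out the real systemdict (or hiddendict),
% so they run the original operator with hiddendict NOT on the dictionary
% stack and swap the real systemdict for the user-visible copy.
/where {
    //hiddendict /old-systemdict get /where get exec
    {                                       % found: dict on the stack
        dup //hiddendict /old-systemdict get eq {
            pop //hiddendict /user-systemdict get
        } if
        true
    } { false } ifelse
} bind executeonly def

/dictstack {
    //hiddendict /old-systemdict get /dictstack get exec
    dup 0 get //hiddendict /old-systemdict get eq {   % systemdict is element 0
        dup 0 //hiddendict /user-systemdict get put
    } if
} bind executeonly def

% Build the copy of systemdict that user jobs will see: same entries, but
% the page and lookup operators are the wrappers, and its own /systemdict
% entry points at the copy rather than at the original.
hiddendict begin
    /user-systemdict old-systemdict dup maxlength dict copy def
    user-systemdict /showpage   /showpage  load put
    user-systemdict /copypage   /copypage  load put
    user-systemdict /where      /where     load put
    user-systemdict /dictstack  /dictstack load put
    user-systemdict /systemdict user-systemdict put
    user-systemdict readonly pop
    userdict /systemdict user-systemdict put   % userdict is searched first
end

% Finally hide the name; the procedures above already hold the dict itself.
/hiddendict 0 def
```

The where and dictstack wrappers deliberately avoid "begin"-ing hiddendict, because a lookup such as "/pagecount where" run with hiddendict on the dictionary stack would otherwise return hiddendict itself. This covers only the leaks the posts name; the eexec question and the possibility that a built-in procedure such as findfont holds its own reference to systemdict are not addressed here.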

glenn@heaven.woodside.ca.us (Glenn Reid) (03/28/91)

In article <1991Mar15.075038.18944@santra.uucp> alo@kampi.hut.fi (Antti Louko) writes:

[ some details omitted ]

> But this didn't solve the whole problem. The original systemdict was
> still accessible and a malicious user can redefine showpage to the
> original one and defeat pagelimit. Well, I made a copy of systemdict
> and put it in userdict. Now users cannot access systemdict. Wrong, he
> can still access it using "dictstack" or "where" operators. I had to
> replace those, too. I am not still sure that user cannot get the
> original systemdict with some trick.
> 
> Moral of the story:
> 
> systemdict should be writeable!

The reason you want to be able to write into systemdict is to make security
(and/or accounting) tighter, so it can't be circumvented.  This is a very
interesting problem, as you point out.  Without offering anything useful,
let me challenge you with the thought that, if systemdict were indeed
writable, it could be written by the same people whom you would like to
prevent from getting at it.  At the very least, systemdict should not be
writable unless the exitserver password is supplied, giving some level of
security.

I haven't looked around much, but there's also the possibility that a
pointer to systemdict is stored in one of the built-in procedures (like
findfont), and a copy of systemdict could potentially be retrieved from
such a place (another thing for you to consider, in addition to redefining
eexec).  Be careful with eexec or downloaded fonts won't work!

As a side note, Sun's NeWS interpreter has a writable systemdict.  Security
is much more important on a window server than on a printer, so perhaps some
NeWS users could supply some war stories as to the advisability of this
approach.

Let us know what you find out.

--
 Glenn Reid				RightBrain Software
 glenn@heaven.woodside.ca.us		NeXT/PostScript developers
 ..{adobe,next}!heaven!glenn		415-851-1785 (fax 851-1470)