From 51403f69f4ccfa7576365383ea583c3a25e3d6a5 Mon Sep 17 00:00:00 2001
From: Caleb Maclennan
Date: Thu, 2 Feb 2023 14:19:07 +0300
Subject: [PATCH] fix(docker): Avoid tripping on new Ghostscript safety restrictions

---
 Dockerfile | 8 ++++++++
 rules/rules.mk | 4 ++++
 2 files changed, 12 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 4e8ee413..72f7bb55 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -73,6 +73,14 @@ ENV LANG=en_US.UTF-8
 # root permissions anyway so we're not really adding insecure surface area here.
 RUN git config --system --add safe.directory '*'
 
+# ImageMagick has started aggressively adding -dSAFER (also the default since
+# Ghostscript 9.5) to callouts to `gs`. This works if the processes inside
+# Docker are running as root, but we're often using setpriv to match file
+# ownerships. Postscript files can read and write arbitrary files in this
+# configuration so this would be unsafe to use on unknown content, but in our
+# case the only content on the entire system (in the container) is our project.
+RUN sed -i -e 's/dSAFER/dNOSAFER/g' /etc/ImageMagick-7/delegates.xml
+
 LABEL org.opencontainers.image.title="CaSILE"
 LABEL org.opencontainers.image.description="A containerized version of the CaSILE toolkit, a book publishing workflow employing SILE and other wizardry"
 LABEL org.opencontainers.image.authors="Caleb Maclennan "
diff --git a/rules/rules.mk b/rules/rules.mk
index 73f4a8db..b632cac2 100644
--- a/rules/rules.mk
+++ b/rules/rules.mk
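Review bot: The `sed -i` on the last added `RUN` line is never verified, so if the ImageMagick package moves `delegates.xml` (e.g. to an `ImageMagick-6` path) or stops emitting `-dSAFER`, the image still builds and the override silently disappears; chain a check such as `RUN sed -i -e 's/dSAFER/dNOSAFER/g' /etc/ImageMagick-7/delegates.xml && grep -q dNOSAFER /etc/ImageMagick-7/delegates.xml` so the build fails loudly instead. The substitution is also image-wide: every PostScript, EPS or PDF that ImageMagick hands to `gs` — including third-party cover art or fonts dropped into the bind-mounted project — will run with unrestricted file access (and, if `%pipe%` is enabled in this Ghostscript build, command access) as whatever user `setpriv` selected, so the comment's "only content is our project" assumption is really a constraint on what may be placed in the project tree and should be stated that way, e.g. `# NOTE: any PS/EPS/PDF added to the project is trusted to the same degree as the build user`. If the Ghostscript in the image is recent enough to accept `--permit-file-all=<dir>/`, a narrower fix would keep `-dSAFER` and grant access only to the build directory rather than disabling the sandbox outright.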
@@ -152,6 +152,10 @@ FCCONFIG := $(BUILDDIR)/fontconfig.conf
 # BUILDDIR would otherwise get created by other rules anyway, but we're dodging race conditions
 export FONTCONFIG_FILE := $(shell test -d "$(BUILDDIR)" || $(MKDIR_P) "$(BUILDDIR)" && cd "$(BUILDDIR)" && pwd)/fontconfig.conf
 
+# ImageMagick security policy steps on Ghostscript's toes when running under
+# setpriv (which we do in Docker), so just keep it all local.
+export MAGICK_TEMPORARY_PATH := $(shell test -d "$(BUILDDIR)" || $(MKDIR_P) "$(BUILDDIR)" && cd "$(BUILDDIR)" && pwd)
+
 # Extensible list of files for git to ignore
 IGNORES += $(PROJECTCONFIGS)
 IGNORES += $(BUILDDIR)
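Review bot: The new `export MAGICK_TEMPORARY_PATH` line copies the entire `$(shell test -d … && cd … && pwd)` expression from the `FONTCONFIG_FILE` line just above it, so the directory test, `mkdir` and `pwd` are forked twice at parse time and the two values can drift if only one copy is edited later; compute the absolute build directory once with `BUILDDIR_ABS := $(shell test -d "$(BUILDDIR)" || $(MKDIR_P) "$(BUILDDIR)" && cd "$(BUILDDIR)" && pwd)`, then `export FONTCONFIG_FILE := $(BUILDDIR_ABS)/fontconfig.conf` and `export MAGICK_TEMPORARY_PATH := $(BUILDDIR_ABS)`. The added comment should also name the concrete failure being worked around (which ImageMagick policy rule or `gs` error shows up under `setpriv`) instead of "steps on Ghostscript's toes", so a maintainer can tell when the override is no longer needed; presumably it concerns ImageMagick scratch files written outside the project tree, but that is not visible from this hunk.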