1 files changed, 35 insertions, 2 deletions
diff --git a/gs/man/gs.1 b/gs/man/gs.1
index 423abbcc3..9cb92c473 100644
--- a/gs/man/gs.1
+++ b/gs/man/gs.1
@@ -277,8 +277,7 @@ X Windows). This may be needed if the platform fonts look undesirably
 different from the scalable fonts.
 .TP
 .B \-dSAFER
-Disables the "deletefile" and "renamefile" operators and the ability to
+Restricts file operations the script can perform.  Strongly recommended for
-open files in any mode other than read-only.  This strongly recommended for
 spoolers, conversion scripts or other sensitive environments where a badly 
 written or malicious PostScript program code must be prevented from changing
 important files.
@@ -294,6 +293,40 @@ Selects an alternate initial output device, as described above.
 .BI \-sOutputFile= filename
 Selects an alternate output file (or pipe) for the initial output
 device, as described above.
+.SH "SAFER MODE"
+.PP
+The
+.B \-dSAFER
+option disables the "deletefile" and "renamefile" operators and prohibits
+opening piped commands ("%pipe%\fIcmd\fR"). Only "%stdout" and "%stderr" can be
+opened for writing. It also disables reading from files, except for "%stdin",
+files given as a command line argument, and files contained in paths given by
+LIBPATH and FONTPATH or specified by the system params /FontResourceDir and
+/GenericResourceDir.
+.PP
+This mode also sets the .LockSafetyParams parameter of the initial output device
+to protect against programs that attempt to write to files using the OutputFile
+device parameter. Since the device parameters specified on the command line,
+including OutputFile, are set prior to SAFER mode, use of "-sOutputFile=..." on
+the command line is unrestricted.
+.PP
+SAFER mode prevents changing the /GenericResourceDir, /FontResourceDir,
+/SystemParamsPassword, and /StartJobPassword.
+.PP
+While SAFER mode is not the default, it is the default for many wrapper jobs
+and may be the default in a subsequent release of Ghostscript.  Thus jobs or
+programs that need to open files or set restricted parameters should pass the
+.B \-dNOSAFER
+command line option or its synonym
+.BR \-dDELAYSAFER .
+.PP
+When running with
+.B \-dNOSAFER
+it is possible to perform a "save" followed by ".setsafe", execute a file or
+procedure in SAFER mode, and then use "restore" to return to NOSAFER mode.  In
+order to prevent the save object from being restored by the foreign file or
+procedure, the ".runandhide" operator should be used to hide the save object
+from the restricted procedure.
 .SH FILES
 .PP
 The locations of many Ghostscript run-time files are compiled into the

diff --git a/gs/man/gs.1 b/gs/man/gs.1 index 423abbcc3..9cb92c473 100644 --- a/gs/man/gs.1 +++ b/gs/man/gs.1
@@ -277,8 +277,7 @@ X Windows). This may be needed if the platform fonts look undesirably
277	different from the scalable fonts.	277	different from the scalable fonts.
278	.TP	278	.TP
279	.B \-dSAFER	279	.B \-dSAFER
280	Disables the "deletefile" and "renamefile" operators and the ability to	280	Restricts file operations the script can perform. Strongly recommended for
281	open files in any mode other than read-only. This strongly recommended for
282	spoolers, conversion scripts or other sensitive environments where a badly	281	spoolers, conversion scripts or other sensitive environments where a badly
283	written or malicious PostScript program code must be prevented from changing	282	written or malicious PostScript program code must be prevented from changing
284	important files.	283	important files.
@@ -294,6 +293,40 @@ Selects an alternate initial output device, as described above.
294	.BI \-sOutputFile= filename	293	.BI \-sOutputFile= filename
295	Selects an alternate output file (or pipe) for the initial output	294	Selects an alternate output file (or pipe) for the initial output
296	device, as described above.	295	device, as described above.
		296	.SH "SAFER MODE"
		297	.PP
		298	The
		299	.B \-dSAFER
		300	option disables the "deletefile" and "renamefile" operators and prohibits
		301	opening piped commands ("%pipe%\fIcmd\fR"). Only "%stdout" and "%stderr" can be
		302	opened for writing. It also disables reading from files, except for "%stdin",
		303	files given as a command line argument, and files contained in paths given by
		304	LIBPATH and FONTPATH or specified by the system params /FontResourceDir and
		305	/GenericResourceDir.
		306	.PP
		307	This mode also sets the .LockSafetyParams parameter of the initial output device
		308	to protect against programs that attempt to write to files using the OutputFile
		309	device parameter. Since the device parameters specified on the command line,
		310	including OutputFile, are set prior to SAFER mode, use of "-sOutputFile=..." on
		311	the command line is unrestricted.
		312	.PP
		313	SAFER mode prevents changing the /GenericResourceDir, /FontResourceDir,
		314	/SystemParamsPassword, and /StartJobPassword.
		315	.PP
		316	While SAFER mode is not the default, it is the default for many wrapper jobs
		317	and may be the default in a subsequent release of Ghostscript. Thus jobs or
		318	programs that need to open files or set restricted parameters should pass the
		319	.B \-dNOSAFER
		320	command line option or its synonym
		321	.BR \-dDELAYSAFER .
		322	.PP
		323	When running with
		324	.B \-dNOSAFER
		325	it is possible to perform a "save" followed by ".setsafe", execute a file or
		326	procedure in SAFER mode, and then use "restore" to return to NOSAFER mode. In
		327	order to prevent the save object from being restored by the foreign file or
		328	procedure, the ".runandhide" operator should be used to hide the save object
		329	from the restricted procedure.
297	.SH FILES	330	.SH FILES
298	.PP	331	.PP
299	The locations of many Ghostscript run-time files are compiled into the	332	The locations of many Ghostscript run-time files are compiled into the