-rw-r--r-- | gs/man/gs.1 | 37 |
1 files changed, 35 insertions, 2 deletions
diff --git a/gs/man/gs.1 b/gs/man/gs.1 index 423abbcc3..9cb92c473 100644 --- a/gs/man/gs.1 +++ b/gs/man/gs.1 | |||
@@ -277,8 +277,7 @@ X Windows). This may be needed if the platform fonts look undesirably | |||
277 | different from the scalable fonts. | 277 | different from the scalable fonts. |
278 | .TP | 278 | .TP |
279 | .B \-dSAFER | 279 | .B \-dSAFER |
280 | Disables the "deletefile" and "renamefile" operators and the ability to | 280 | Restricts file operations the script can perform. Strongly recommended for |
281 | open files in any mode other than read-only. This strongly recommended for | ||
282 | spoolers, conversion scripts or other sensitive environments where a badly | 281 | spoolers, conversion scripts or other sensitive environments where a badly |
283 | written or malicious PostScript program code must be prevented from changing | 282 | written or malicious PostScript program code must be prevented from changing |
284 | important files. | 283 | important files. |
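Review bot: the shortened \-dSAFER entry (new line 280) no longer says which operations are restricted and gives no pointer to where the rules are now documented. Add a cross-reference such as "See SAFER MODE below." so a reader scanning the options list finds the full description. The entry also says "the script" while the same sentence goes on to say "PostScript program code"; pick one term. The closing clause still speaks only of "changing important files", although the new section restricts reading as well, so "reading or changing" would match it.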
@@ -294,6 +293,40 @@ Selects an alternate initial output device, as described above. | |||
294 | .BI \-sOutputFile= filename | 293 | .BI \-sOutputFile= filename |
295 | Selects an alternate output file (or pipe) for the initial output | 294 | Selects an alternate output file (or pipe) for the initial output |
296 | device, as described above. | 295 | device, as described above. |
296 | .SH "SAFER MODE" | ||
297 | .PP | ||
298 | The | ||
299 | .B \-dSAFER | ||
300 | option disables the "deletefile" and "renamefile" operators and prohibits | ||
301 | opening piped commands ("%pipe%\fIcmd\fR"). Only "%stdout" and "%stderr" can be | ||
302 | opened for writing. It also disables reading from files, except for "%stdin", | ||
303 | files given as a command line argument, and files contained in paths given by | ||
304 | LIBPATH and FONTPATH or specified by the system params /FontResourceDir and | ||
305 | /GenericResourceDir. | ||
306 | .PP | ||
307 | This mode also sets the .LockSafetyParams parameter of the initial output device | ||
308 | to protect against programs that attempt to write to files using the OutputFile | ||
309 | device parameter. Since the device parameters specified on the command line, | ||
310 | including OutputFile, are set prior to SAFER mode, use of "-sOutputFile=..." on | ||
311 | the command line is unrestricted. | ||
312 | .PP | ||
313 | SAFER mode prevents changing the /GenericResourceDir, /FontResourceDir, | ||
314 | /SystemParamsPassword, and /StartJobPassword. | ||
315 | .PP | ||
316 | While SAFER mode is not the default, it is the default for many wrapper jobs | ||
317 | and may be the default in a subsequent release of Ghostscript. Thus jobs or | ||
318 | programs that need to open files or set restricted parameters should pass the | ||
319 | .B \-dNOSAFER | ||
320 | command line option or its synonym | ||
321 | .BR \-dDELAYSAFER . | ||
322 | .PP | ||
323 | When running with | ||
324 | .B \-dNOSAFER | ||
325 | it is possible to perform a "save" followed by ".setsafe", execute a file or | ||
326 | procedure in SAFER mode, and then use "restore" to return to NOSAFER mode. In | ||
327 | order to prevent the save object from being restored by the foreign file or | ||
328 | procedure, the ".runandhide" operator should be used to hide the save object | ||
329 | from the restricted procedure. | ||
297 | .SH FILES | 330 | .SH FILES |
298 | .PP | 331 | .PP |
299 | The locations of many Ghostscript run-time files are compiled into the | 332 | The locations of many Ghostscript run-time files are compiled into the |
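Review bot: the second paragraph of the new SAFER MODE section (new lines 309-311) says that "-sOutputFile=..." on the command line is unrestricted but does not state what that means for callers. The option entry just above describes the value as an output file "(or pipe)", so a spooler or conversion wrapper that assembles the command line has to treat the OutputFile value as trusted input and must not derive it from the job being processed; a sentence saying so belongs here. In the paragraph at new lines 316-321, the advice to pass \-dNOSAFER should note that this lifts the restrictions for the whole job and refer to the save / ".setsafe" / "restore" pattern in the following paragraph as the narrower alternative. That last paragraph would also be easier to apply with the order of operations written out, including where ".runandhide" is called.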