22

I use ImageMagick on ubuntu-16.04 for converting pdf file into png image.

Recently, converting stop woking, because package imagemagick-common added <policy domain="coder" rights="none" pattern="PDF" /> to policy.xml file in /etc/ImageMagick-6/policy.xml

I don't want to change /etc/ImageMagick-6/policy.xml to enable PDF, because this file belongs to package and another update could rewrite this file again

$dpkg -S /etc/ImageMagick-6/policy.xml 
imagemagick-common: /etc/ImageMagick-6/policy.xml

I create configuration file in home directory

$ cat ~/.config/ImageMagick/policy.xml
<policymap>
    <policy domain="coder" rights="read|write" pattern="PDF" />
</policymap>

Seems, like this file was found and loaded:

$ identify -list policy
Path: /etc/ImageMagick-6/policy.xml
...
Policy: Coder
    rights: None 
    pattern: PDF
...
Path: /home/vasiliy/.config/ImageMagick/policy.xml
Policy: Coder
    rights: Read Write 
    pattern: PDF

But it doesn't help.

not authorized exception is raised.

How to force ImageMagic to prefer ~/.config/ImageMagick/policy.xml settings vs /etc/ImageMagick-6/policy.xml setting? Or can I use some other solution to allow PDF read|write ?

user6403354
  • 223
  • 1
  • 2
  • 5
  • 1
    You can only make your custom policy.xml more strict. You need to have the main one edited to change the PDF entry to read|write – fmw42 Nov 08 '18 at 17:04

5 Answers5

18

I've the same issue like you. By a security update ImageMagick now disallows PDF processing by default. The underlying vulnerability in ghostscript (https://www.kb.cert.org/vuls/id/332928) is already fixed but the default config is not yet changed back.

I did some experiments with ~/.config/ImageMagick/policy.xml and found out that this config is actually used and working. BUT you can't allow things that are disabled globally. You can only add further restrictions to your users processes.

So my suggestions:

  1. adjust the /etc/ImageMagick-6/policy.xml
  2. wait until the package maintainers decide to activate the feature again by default

UPDATE:

When using #1 you should make sure to not break your automatic updates. Maybe this will help you finding a solution: https://unix.stackexchange.com/questions/138751/unattended-upgrades-and-modified-configuration-files

tuomassalo
  • 8,717
  • 6
  • 48
  • 50
Martin Sommer
  • 196
  • 1
  • 5
8

I’ve spent a couple hours working this and finally found a relatively simple solution.

You have to tell ImageMagick to load your config file with higher precedence than the default one, which you can do by setting the MAGICK_CONFIGURE_PATH environment variable to the directory your policy.xml is in.

Drarok
  • 3,612
  • 2
  • 31
  • 48
  • 2
    The command `MAGICK_CONFIGURE_PATH=$HOME/.config/ImageMagick mogrify -format png test.pdf` didn't work for me, still `not authorized`. My policy.xml is the same as in the question. What did I do wrong? Can you add a specific example to your answer? – Fritz Apr 11 '19 at 07:36
  • What's in your `policy.xml` file? All I did is copy the default, edit the parts I needed to change, and set `MAGICK_CONFIGURE_PATH=/app/.magick` You can check if it's finding and loading the file using `identify -list policy` – Drarok Apr 12 '19 at 08:48
6

https://github.com/ImageMagick/ImageMagick/issues/1342#issuecomment-429494152

If ImageMagick is installed, only the policy in the system path is enforced, otherwise it would not be much of a security policy if it could easily be overridden. In certain cases, the user can set certain resource limits but only @ a lesser value that what the administrator sets (e.g. administrator sets a memory limit of 2GB, the user can set a limit of 1GB but not 3GB).

ImageMagick has an uninstalled build option. With that build option, ImageMagick will allow the security policy to be overridden by any policy in the paths you mention in your post.

Update (Ubuntu 18.04, 2019-10, ImageMagick 6.9.7-4 Q16 x86_64, 8:6.9.7.4+dfsg-16ubuntu6.7):

Prepending a path to MAGICK_CONFIGURE_PATH works.

/my/path/policy.xml

<policymap>
<policy domain="coder" rights="read | write" pattern="PDF" />
</policymap>

MAGICK_CONFIGURE_PATH='/my/path/:/etc/ImageMagick-6/' identify -list policy
MAGICK_CONFIGURE_PATH='/my/path/:/etc/ImageMagick-6/' identify -list resource
hrvoj3e
  • 2,512
  • 1
  • 23
  • 22
  • 2
    I have 6.9.11, and although I can add to the policy I cannot re-enable disabled things. This is a very dumb design decision; if I can run commands I should be able to override the system policy. In the best cases users have root access and change the policy for everyone on the system! If that's not scary enough, then there's the other option of compiling your own ImageMagic to bypass this, then most likely the user-compiled version will not be updated or checked for vulnerabilities, leading to potential additional risks. – Thomas Guyot-Sionnest Aug 27 '22 at 13:49
0

I had this issue while adding a php extension for a moodle plugin. Here my fix: I changed this in /etc/ImageMagick-6/policy.xml

<policy domain="coder" rights="none" pattern="PDF" />

to this

 <policy domain="coder" rights="read | write" pattern="PDF" />
Paul
  • 23
  • 1
  • 3
0

For Windows OS:

Under Windows, ImageMagick searches for these configuration files in the 
following order, and loads them if found:

$MAGICK_CONFIGURE_PATH
<windows registry>
$PREFIX/config
$USERPROFILE/.config/ImageMagick
<client path>

Thus you can run the next command in cmd.exe to open the environmental variables editor:

START "" "%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\sysdm.cpl",EditEnvironmentVariables

Then click one of the 'New buttons' and enter:

Variable Name: MAGICK_CONFIGURE_PATH
Variable Value: PATH\TO\THE\INSTALL\DIR\ROOT ( It may be something like this C:\Program Files\ImageMagick)

Then restart any open cmd.exe windows to update the variables and give it a test!

slyfox1186
  • 301
  • 1
  • 13