Page 1 of 1
Feature request: set policies per-application via api
Posted: 2016-05-05T05:49:14-07:00
by coloring
It would be great to have some way to set application policies for the current application only, eg. in MagickWand via something like
Code: Select all
MagickSetPolicy(MagickWand *wand, const char *domain, const char *name, const char *value)
I could use this for example to restrict an application that should only edit jpeg images to fail if an input image isn't of jpeg type. By using a policy file, all my imagemagick applications would be prevented from using a certain coder, which is not preferred.
Re: Feature request: set policies per-application via api
Posted: 2016-05-05T06:19:51-07:00
by magick
We had previously considered this proposal but decided against it because it makes ImageMagick less secure. When ImageMagick is installed on the system, only users than have permission to edit policy.xml can make changes to the policy. That way a system administrator can enforce system limits. For example, the system administrator could limit the memory resource ImageMagick can consume to 2GB. If a user tries to increase the limit to 4GB, for example, it won't work. However, if the user sets the memory resource limit to 1GB-- that would work.
There is a --disable-installed configure command-line script option. If you build ImageMagick with this option, you could put a user specific policy.xml file in ~/.config/ImageMagick/policy.xml to do what you need. Simply write this policy file with whatever policies you need on demand. Its not the default because it makes ImageMagick less secure and you must know the risks before you use this option.