override default ImageMagick policy.xml

Question

I use ImageMagick on ubuntu-16.04 for converting pdf file into png image.

Recently, converting stop woking, because package imagemagick-common added <policy domain="coder" rights="none" pattern="PDF" /> to policy.xml file in /etc/ImageMagick-6/policy.xml

I don't want to change /etc/ImageMagick-6/policy.xml to enable PDF, because this file belongs to package and another update could rewrite this file again

$dpkg -S /etc/ImageMagick-6/policy.xml 
imagemagick-common: /etc/ImageMagick-6/policy.xml

I create configuration file in home directory

$ cat ~/.config/ImageMagick/policy.xml
<policymap>
    <policy domain="coder" rights="read|write" pattern="PDF" />
</policymap>

Seems, like this file was found and loaded:

$ identify -list policy
Path: /etc/ImageMagick-6/policy.xml
...
Policy: Coder
    rights: None 
    pattern: PDF
...
Path: /home/vasiliy/.config/ImageMagick/policy.xml
Policy: Coder
    rights: Read Write 
    pattern: PDF

But it doesn't help.

not authorized exception is raised.

How to force ImageMagic to prefer ~/.config/ImageMagick/policy.xml settings vs /etc/ImageMagick-6/policy.xml setting? Or can I use some other solution to allow PDF read|write ?

Answer 1

I've the same issue like you. By a security update ImageMagick now disallows PDF processing by default. The underlying vulnerability in ghostscript (https://www.kb.cert.org/vuls/id/332928) is already fixed but the default config is not yet changed back.

I did some experiments with ~/.config/ImageMagick/policy.xml and found out that this config is actually used and working. BUT you can't allow things that are disabled globally. You can only add further restrictions to your users processes.

So my suggestions:

1. adjust the /etc/ImageMagick-6/policy.xml
2. wait until the package maintainers decide to activate the feature again by default

UPDATE:

When using #1 you should make sure to not break your automatic updates. Maybe this will help you finding a solution: https://unix.stackexchange.com/questions/138751/unattended-upgrades-and-modified-configuration-files

Answer 2

I’ve spent a couple hours working this and finally found a relatively simple solution.

You have to tell ImageMagick to load your config file with higher precedence than the default one, which you can do by setting the MAGICK_CONFIGURE_PATH environment variable to the directory your policy.xml is in.

Answer 3

https://github.com/ImageMagick/ImageMagick/issues/1342#issuecomment-429494152

If ImageMagick is installed, only the policy in the system path is enforced, otherwise it would not be much of a security policy if it could easily be overridden. In certain cases, the user can set certain resource limits but only @ a lesser value that what the administrator sets (e.g. administrator sets a memory limit of 2GB, the user can set a limit of 1GB but not 3GB).

ImageMagick has an uninstalled build option. With that build option, ImageMagick will allow the security policy to be overridden by any policy in the paths you mention in your post.

Update (Ubuntu 18.04, 2019-10, ImageMagick 6.9.7-4 Q16 x86_64, 8:6.9.7.4+dfsg-16ubuntu6.7):

Prepending a path to MAGICK_CONFIGURE_PATH works.

/my/path/policy.xml

<policymap>
<policy domain="coder" rights="read | write" pattern="PDF" />
</policymap>

MAGICK_CONFIGURE_PATH='/my/path/:/etc/ImageMagick-6/' identify -list policy
MAGICK_CONFIGURE_PATH='/my/path/:/etc/ImageMagick-6/' identify -list resource