The Stata listserver

st: Security. Was: Clickable examples in ado help files


From   Ulrich Kohler <kohler@wz-berlin.de>
To   statalist@hsphsun2.harvard.edu
Subject   st: Security. Was: Clickable examples in ado help files
Date   Fri, 19 Sep 2003 09:20:46 +0200

Alan Riley wrote:
> The solution is to use the "F" package directive.  In the Stata 8
> manuals, you can read about it at the bottom of page 26 of the N-R
> Reference.  It tells Stata to treat the filename following it as
> if it were a .ado file for the purposes of placement during a
> -net install- command.  That is, if a .pkg file contained
>
>   .f myexample.ado
>   .f myexample.hlp
>   .f myexample.dta
>
> Stata would place the first two files in the PLUS/m/ user ado
> subdirectory after a -net install- and the third file in the current
> directory after a -net get-.
>
> If the .pkg file instead contained
>
>   .f myexample.ado
>   .f myexample.hlp
>   .F myexample.dta
>
> Stata would download all three files upon a -net install- and
> would place all three in the PLUS/m user ado subdirectory.

Nice trick! However I wonder how far the "F" package directive introduces a
security problem. What happens if a malicious person puts a virus into
myexample.exe and lets the user download this program with the "F" directive?
In this case myexample.ado could enclose a caller to myexample.exe. Clearly
this would be possible with the "f"-directive as well, but in this case
myexample.ado cannot really know where myexample.exe is stored.

This touches the wider issue about security and -net install-. I once talked
to a network administrator who was very hesitant about this issue. It would be
nice to hear something to convince him.

And, yes, I know there isn't any malicious person in the Stata community.

uli

-- 
kohler@wz-berlin.de
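
A pre-install check for the concern raised in this message, as an added example (not part of the original post and not Stata's own code): it reads a .pkg body in the form quoted above, reports where each file would land according to Alan Riley's description, and flags file types outside a reviewer-chosen allowlist. The allowlist, the function names and the sample package are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Assumption: file types a reviewer expects in a package; adjust locally.
EXPECTED_EXTS = {".ado", ".hlp", ".dta", ".do"}

ADO_DIR = "PLUS ado directory (net install)"
CUR_DIR = "current directory (net get)"

# File directive as written in the quoted message: optional leading dot,
# then "f" or "F", then the filename.
DIRECTIVE = re.compile(r"^\s*\.?([fF])\s+(\S+)\s*$")


def audit_pkg(text):
    """Return one finding per file directive found in a .pkg body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # not a file directive
        directive, name = m.groups()
        ext = PurePosixPath(name).suffix.lower()
        # Placement as described in the quoted message: "F" puts any file in
        # the ado directory; "f" does so only for .ado and .hlp files.
        in_ado_dir = directive == "F" or ext in {".ado", ".hlp"}
        issues = []
        if ext not in EXPECTED_EXTS:
            issues.append("unexpected file type " + (ext or "(none)"))
        findings.append({
            "line": lineno,
            "directive": directive,
            "file": name,
            "placement": ADO_DIR if in_ado_dir else CUR_DIR,
            "issues": issues,
        })
    return findings


def needs_review(text):
    """Findings that a person should look at before running -net install-."""
    return [f for f in audit_pkg(text) if f["issues"]]


# Constructed sample: the package from the quoted message plus the
# myexample.exe case the reply asks about.
SAMPLE_PKG = ".f myexample.ado\n.f myexample.hlp\n.F myexample.dta\n.F myexample.exe\n"

if __name__ == "__main__":
    for f in needs_review(SAMPLE_PKG):
        print(f["line"], f["file"], f["placement"], "; ".join(f["issues"]))
```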

