;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; ; PERSISTENCE OF VISION RAY TRACER ; ; POV-Ray VERSION 3.7 ; ; SAMPLE POVRAY.CONF FILE ; FOR I/O RESTRICTIONS SETTINGS ; ; ; The general form of the options is: ; ; [Section] ; setting ; ; Note: characters after a semi-colon are treated as a comment. ; ; This file is used primarily to define security settings, i.e. to ; restrict reading and writing of files and running of scripts beyond ; the security provided by the file system. Regardless of the settings ; in this file, POV-Ray will not allow users to read files they would ; not ordinarily be allowed to read, write files they would not ; ordinarily be allowed to write, or execute files they would not ; ordinarily be allowed to execute, unless someone has made the binary ; setuid or setgid. ; ; POV-Ray will look in two places for this file: in a system-wide directory ; (typically /usr/local/etc/povray/3.7/povray.conf) and in the user's home ; directory (as ~/.povray/3.7/povray.conf). POV-Ray will always use the ; most strict version of what is specified; user settings can only make ; security more strict. ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; [File I/O Security] determines whether POV-Ray will be allowed to perform ; read-write operations on files. Specify one of the 3 following values: ; - "none" means that there are no restrictions other than those enforced ; by the file system, i.e. normal UNIX file and directory permissions. ; - "read-only" means that files may be read without restriction. ; - "restricted" means that files access is subject to restrictions as ; specified in the rest of this file. See the other variables for details. [File I/O Security] ;none ; all read and write operations on files are allowed. ;read-only ; uses the "read+write" directories for writing (see below). restricted ; uses _only_ "read" and "read+write" directories for file I/O. ; [Shellout Security] determines whether POV-Ray will be allowed to call ; scripts (e.g. Post_Frame_Command) as specified in the documentation. ; Specify one of the 2 following values: ; - "allowed" means that shellout will work as specified in the documentation. ; - "forbidden" means that shellout will be disabled. [Shellout Security] ;allowed forbidden ; [Permitted Paths] specifies a list of directories for which reading or ; reading + writting is permitted (in those directories and optionnally ; in their descendents). Any entry of the directory list is specified on ; a single line. These paths are only used when the file I/O security ; is enabled (i.e. "read-only" or "restricted"). ; ; The list entries must be formatted as following: ; read = directory ; read-only directory ; read* = directory ; read-only directory including its descendents ; read+write = directory ; read/write directory ; read+write* = directory ; read/write directory including its descendents ; where directory is a string (to be quoted or doubly-quoted if it contains ; space caracters; see the commented example below). Any number of spaces ; can be placed before and after the equal sign. Read-only and read/write ; entries can be specified in any order. ; ; Both relative and absolute paths are possible (which makes "." particularly ; useful for defining the current working directory). The POV-Ray install ; directory (e.g. /usr/local/share/povray-3.7 or /usr/share/povray-3.7) ; can be specified with "%INSTALLDIR%". The install directory and its ; descendents are typically only writable by root; therefore you should not ; specify "%INSTALLDIR%" in read/write directory paths. The user home ; directory can be specified with "%HOME%". ; ; Note that since user-level restrictions are at least as strict as system- ; level restrictions, any paths specified in the system-wide povray.conf ; will also need to be specified in the user povray.conf file. [Permitted Paths] ;read = "/this/directory/contains space caracters" read* = %INSTALLDIR%/include read* = %INSTALLDIR%/scenes read* = %INSTALLDIR%/../../etc read* = %HOME% read+write* = /tmp read+write = .