I was preparing a presentation today (for a virtual mini-conf, more details later) and I ran into an issue with ImageMagick. I solved it thanks to a post here, but as that site is mostly in Japanese, I thought it would make sense to make a post here.
Anyway, the issue is that recent versions of ImageMagick have security policies in place that weren’t there before, and the defaults are pretty restrictive. How I ran into this issue was after preparing slides for my presentation I wanted to combine all the slide images into a PDF file for easy sharing. I do this with a simple one-liner:
convert *.png slides.pdf
But when I did, I got the following error:
$ convert *.png slides.pdf convert-im6.q16: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.
Or perhaps more appropriately:
The fix turns out to be quite easy. We just have to give the
write permission to the
coder domain in ImageMagick’s security policy for the
/etc/ImageMagick-6/policy.xml file directly or with a simple
sudo sed -i_bak \ 's/rights="none" pattern="PDF"/rights="read | write" pattern="PDF"/' \ /etc/ImageMagick-6/policy.xml
Here’s the change as a diff:
$ diff -u /etc/ImageMagick-6/policy.xml_bak /etc/ImageMagick-6/policy.xml --- /etc/ImageMagick-6/policy.xml_bak 2020-11-25 11:59:18.101284981 -0500 +++ /etc/ImageMagick-6/policy.xml 2020-11-25 12:03:45.208777703 -0500 @@ -91,6 +91,6 @@ <policy domain="coder" rights="none" pattern="PS2" /> <policy domain="coder" rights="none" pattern="PS3" /> <policy domain="coder" rights="none" pattern="EPS" /> - <policy domain="coder" rights="none" pattern="PDF" /> + <policy domain="coder" rights="read | write" pattern="PDF" /> <policy domain="coder" rights="none" pattern="XPS" /> </policymap>
Now that I have added
write permissions to the
convert one-liner works perfectly as it did before all this nonsense was introduced. I’m sure the ImageMagick developers have their reasons for doing it, I just find it annoying to have to deal with it on my personal workstation.
Oh, and the ‘
policy.xml_bak‘ file created in the
sed step can be removed once you’re satisfied that the change is A-OK.