1.4.2  Low-Level Configuration

This section tells you how to manually specify explicit directories for read/write access, if the standard settings aren't suitable. First we need to cover what is and isn't protected by default.

1.4.2.1  Overall Concept

The overall concept of the I/O Restrictions, when enabled, is that everything is denied unless it is explicitly allowed (with one or two exceptions). A directory cannot be accessed unless you add it to the 'allowed' list, or it is the current directory and the 'Permit Read/Write in Current Directory' option is checked.

The exceptions are as follows:

  1. The installation directory of POV-Ray for Unix, as defined at compile-time, is permitted to be used for read (but not write). This includes all subdirectories of the install directory (except as below). Note that you can alter this setting if you like.
  2. The INI subdirectory contained within the POV-Ray for Unix install directory, as defined at compile-time, is permanently write-protected (unless the I/O Restriction system is turned off). Even if you grant write permission to this directory in the INI file described below, writes will not succeed. This is to prevent the INI file that contains the I/O Restriction configuration from being modified by a script to grant itself more access next time povray is run.

1.4.2.2  Adding or Changing Allowed Directories

To add or change allowed directories, you'll need to modify the file <SYSCONFDIR>/povray.conf, where <SYSCONFDIR> is the system configuration directory for POV-Ray for Unix (typically either /usr/local/etc or /etc).

Within povray.conf you should see two sections like the following (note that the actual contents of the installed version are slightly different from this example):

[Permitted Input Paths]
1=%INSTALLDIR%

[Permitted Output Paths]
1=%INSTALLDIR%

%INSTALLDIR% resolves to the location where POV-Ray was installed. It would be legal to say something like

%INSTALLDIR%/scenes

for example, to refer to (say) /usr/local/share/povray35/scenes, assuming you installed povray into '/usr/local/share/povray35'.

Note that the installdir location does not relate to where the binary is run from - it relates to the information defined at compile-time. Relative paths are legal as well, and will be resolved only once at load time (but relative to the current directory, not the installdir). For example, a relative path like the following ...

[Permitted Output Paths]
1=../output

would be resolved with relation to the current directory at the time POV-Ray for Unix was started, so if you started povray while in the directory ~/myscenes/newscene, then the above path would be resolved as ~/myscenes/output. Please note that the actual location of the povray binary is not relevant here - it is the current directory that matters (which is typically not that of the program).

A directory placed in the permitted input paths section allows read access only. One placed in the output paths section permits both read and write; write permission implies read permission. This means you don't need to duplicate entries (the first example above shows such a duplication - it is not harmful, just unnecessary). You can have up to 64 entries (numbered 0..63) in each section.

An entry in the permitted paths sections gives permission not only for that directory, but all the ones below it (note that this is different from the 'permit read/write in current directory' option mentioned earlier, which only applies to that one directory alone, and not those below it).

A reminder that, as mentioned above, if write protection is turned on at all, the <installdir>/ini directory is always write-protected, and nothing in the above permission sections can allow it. This is to prevent a script from modifying povray.conf to remove or alter the I/O Restrictions for the next time that povray runs.
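
The rules in this section can be modelled as a small policy check, which is useful for reviewing a povray.conf before deploying it. This is an added example, not POV-Ray's own code: the function names, the INSTALLDIR value (taken from the example path above) and the sample configuration are assumptions. It assumes the default read access to the install directory and does not model the 'Permit Read/Write in Current Directory' option, the 64-entry limit, or symbolic links.

```python
import configparser
import posixpath

INSTALLDIR = "/usr/local/share/povray35"  # assumed compile-time install directory

SAMPLE_CONF = """\
[Permitted Input Paths]
1=%INSTALLDIR%/scenes

[Permitted Output Paths]
1=../output
"""  # constructed sample, not the installed povray.conf

def _resolve(entry, cwd):
    # Substitute %INSTALLDIR%, then anchor relative paths on the start-up directory.
    path = entry.strip().replace("%INSTALLDIR%", INSTALLDIR)
    return posixpath.normpath(posixpath.join(cwd, path))

def _within(path, root):
    # True if path is root itself or lies anywhere below it (not a sibling prefix).
    return path == root or path.startswith(root.rstrip("/") + "/")

def load_policy(conf_text, cwd):
    """Resolve both sections once, against the directory povray was started in."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '%' literal
    cp.read_string(conf_text)
    def section(name):
        return [_resolve(v, cwd) for v in cp[name].values()] if cp.has_section(name) else []
    outputs = section("Permitted Output Paths")
    # Output entries imply read access; the install directory is readable by default.
    inputs = section("Permitted Input Paths") + outputs + [INSTALLDIR]
    return {"read": inputs, "write": outputs}

def is_allowed(policy, path, mode, cwd):
    """mode is 'read' or 'write'; anything not explicitly allowed is denied."""
    path = _resolve(path, cwd)
    if mode == "write" and _within(path, posixpath.join(INSTALLDIR, "ini")):
        return False  # the ini directory stays write-protected whatever the file says
    return any(_within(path, root) for root in policy[mode])
```

Calling load_policy once with the start-up directory and then is_allowed for each file mirrors the "resolved only once at load time" behaviour described above.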