

Security

None of the programs in the TeX system require any special system privileges, so there's no first-level security concern of people gaining illegitimate root access.

A TeX document, however, can write to arbitrary files, e.g., `~/.rhosts', and thus an unwitting user who runs TeX on a random document is vulnerable to a trojan horse attack. This loophole is closed by default, but you can be permissive if you so desire in `texmf.cnf'. See section `tex invocation' in Web2c. MetaPost has the same issue.

Dvips, Xdvi, and TeX can also execute shell commands under some circumstances. To disable this, see the `-R' option in section `Option details' in Dvips, the xdvi man page, and section `tex invocation' in Web2c, respectively.

Another security issue arises because it's very useful--almost necessary--to make arbitrary fonts on user demand with MakeTeXPK and friends. Where do these files get installed? By default, the MakeTeXPK distributed with Kpathsea assumes a globally writable `texmf' tree; this is the simplest and most convenient approach, but it may not suit your situation.

The first restriction you can apply is to make newly-created directories under `texmf' be append-only with an option in `MakeTeXnames.cnf'. See section `MakeTeX' configuration.

Another approach is to establish a group (or user) for TeX files, make the `texmf' tree writable only to that group (or user), and make MakeTeXPK et al. setgid to that group (or setuid to that user). Then users must invoke the scripts to install things. (If you're worried about the inevitable security holes in scripts, then you could write a C wrapper to exec the script.)
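A sketch of such a C wrapper, added here as an example; it is not code from the Kpathsea distribution. The script path, the argument limit and the allowed character set are assumptions to adapt to your installation. The wrapper is what carries the setgid bit: it rejects suspicious arguments and replaces the caller's environment before running the script.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical install path; fixed at compile time, never taken from the caller. */
#define SCRIPT "/usr/local/libexec/texmf/MakeTeXPK"
#define MAX_ARGS 8

/* Assumed policy: short tokens of letters, digits and "._+-" only, no leading
 * '-' and no '/', so callers cannot pass options, paths or shell metacharacters.
 * Widen it only as far as your scripts' arguments require. */
int arg_is_safe(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 64 || s[0] == '-')
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr("._+-", *s))
            return 0;
    return 1;
}

/* Fill out[] with the argv for the script; 0 on success, -1 if anything is rejected. */
int build_argv(int argc, char **argv, char **out)
{
    if (argc < 2 || argc > MAX_ARGS)
        return -1;
    out[0] = (char *)SCRIPT;
    for (int i = 1; i < argc; i++) {
        if (!arg_is_safe(argv[i]))
            return -1;
        out[i] = argv[i];
    }
    out[argc] = NULL;
    return 0;
}

int main(int argc, char **argv)
{
    /* Nothing is inherited from the caller (PATH, IFS, ENV, LD_* and so on);
     * add only the variables the script needs, with fixed values. */
    static char *envp[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };
    char *args[MAX_ARGS + 1];
    if (build_argv(argc, argv, args) != 0) {
        fputs("font wrapper: missing or rejected argument\n", stderr);
        return 2;
    }
    execve(SCRIPT, args, envp);   /* returns only on failure */
    perror(SCRIPT);
    return 1;
}
```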

Finally, using a central writable `texmf' tree may be completely impossible, because it's on an NFS filesystem that you cannot export read/write, or AFS is in use, or simply because "it's policy". Then you must resort to each user's machine having its own local directory of dynamically-created fonts; again, `MakeTeXnames.cnf' has an option to do this, and again, see section `MakeTeX' configuration.

