If you’ve ever tried to convert a PDF file using ImageMagick and encountered an error like this:
convert: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.
You’re not alone. This frustrating error has affected thousands of developers and system administrators since ImageMagick implemented stricter security policies. In this comprehensive guide, I’ll walk you through why this happens and how to fix it properly, based on my experience working with ImageMagick across various Linux distributions.
Understanding the Problem
Why Does ImageMagick Block PDF Conversion?
The restriction on PDF processing wasn’t implemented to make your life difficult. In late 2018, a serious security vulnerability (CVE-2018-16509) was discovered in Ghostscript, the backend processor that ImageMagick uses to handle PDF files. This vulnerability could allow malicious PDF files to execute arbitrary code on your system.
As a quick protective measure, many Linux distributions updated their ImageMagick packages to disable PDF processing entirely through policy files. This was especially important for web servers where users might upload arbitrary files that get processed by ImageMagick.
Read: Linux PDF Merge and Split: How to Combine and Separate PDF Documents
How to Enable PDF Conversion in ImageMagick
Before making any changes, it’s important to check your Ghostscript version:
gs --version
If your version is 9.24 or newer, the vulnerability has been patched and you can safely re-enable PDF processing. Let’s look at several solutions depending on your Linux distribution and needs.
Read: How to display Images in the command line in Linux/Ubuntu
Solution 1: Modifying the Policy File (Most Common Approach)
The first step is to locate your ImageMagick policy file. The location varies depending on your ImageMagick version and distribution:
- For ImageMagick 6:
/etc/ImageMagick-6/policy.xml - For ImageMagick 7:
/etc/ImageMagick-7/policy.xml
Option A: Change Rights from “none” to “read | write”
Open the policy file with root privileges:
sudo nano /etc/ImageMagick-6/policy.xml
Find the line that restricts PDF processing. It usually looks like:
<policy domain="coder" rights="none" pattern="PDF" />
Change it to:
<policy domain="coder" rights="read | write" pattern="PDF" />
Save the file and exit the editor (Ctrl+X, then Y in nano).
Option B: Comment Out the Restriction
Alternatively, you can comment out the line entirely:
<!-- <policy domain="coder" rights="none" pattern="PDF" /> -->
Option C: Remove the Entire Ghostscript Restriction Block
On newer Ubuntu systems (19.04 and later), you might find a block of code like this:
<!-- disable ghostscript format types -->
<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="PS2" />
<policy domain="coder" rights="none" pattern="PS3" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
<policy domain="coder" rights="none" pattern="XPS" />
You can remove this entire block or comment it out, especially if you have an up-to-date Ghostscript version.
A quick way to do this with a single command:
sudo sed -i '/disable ghostscript format types/,+6d' /etc/ImageMagick-6/policy.xml
Solution 2: For Arch Linux Users
Arch Linux users might find a slightly different configuration. You might need to:
- Comment out this line in the policy file:
<policy domain="delegate" rights="none" pattern="gs" />
- Or modify this line if it exists:
<policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
Change it to:
<policy domain="coder" rights="read | write" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
Solution 3: Use Ghostscript Directly (Most Secure Option)
If you’re concerned about security but still need to convert PDF files, consider bypassing ImageMagick and using Ghostscript directly:
gs -dSAFER -r600 -sDEVICE=pngalpha -o output.png input.pdf
This command:
- Uses the
-dSAFERflag to run in safe mode - Sets rendering resolution to 600 DPI
- Outputs directly to PNG format
For JPEG output, use -sDEVICE=jpeg instead.
After Making Changes: Important Steps
After modifying the policy file, you may need to:
- Restart Related Services – If you’re using ImageMagick through a web server or PHP:
# For Apache with PHP-FPM
sudo systemctl restart php7.4-fpm.service # Adjust version as needed
sudo systemctl restart apache2
# For Nginx with PHP-FPM
sudo systemctl restart php7.4-fpm.service
sudo systemctl restart nginx
- For PHP Applications – If PHP-Imagick is involved, you might need to reinstall it:
sudo apt remove php-imagick
sudo apt update
sudo apt install php-imagick
Testing Your Configuration
Let’s verify that PDF conversion now works:
convert -density 300 sample.pdf sample.png
If no errors appear and you see output files created, congratulations! You’ve successfully fixed the issue.
Security Considerations
Before closing, I should emphasize some important security aspects:
- Only enable PDF processing if you need it – If you’re running a public web server, consider whether you actually need to allow PDF processing.
- Keep your system updated – Make sure Ghostscript and ImageMagick are regularly updated.
- Consider reverting changes after use – If you only occasionally need PDF conversion, consider reverting the policy file changes afterward.
- Use file validation – If accepting user uploads, implement thorough validation beyond just checking file extensions.
- Consider process isolation – For high-security environments, run conversion processes in isolated containers.
Conclusion
The ImageMagick PDF security policy restriction was implemented for good reasons, but now that Ghostscript has been patched, you can safely re-enable PDF processing if you’re running up-to-date software.
I hope this guide helped you solve your PDF conversion issues! Let me know in the comments if you have any questions or if you’ve found other solutions.
FAQ
Why was this restriction implemented in the first place?
The restriction was implemented as a security measure to protect against a vulnerability in Ghostscript (CVE-2018-16509) that could allow arbitrary code execution through specially crafted PDF files.
Do I need to worry about security if I enable PDF processing?
If you’re using Ghostscript 9.24 or newer, the original vulnerability has been patched. However, it’s always good practice to be cautious with file processing, especially if you’re accepting files from untrusted sources.
Why do I need to restart services after changing the policy file?
Services like PHP-FPM load the ImageMagick configuration when they start, so they need to be restarted to pick up the new policy settings.
Will this solution work for all Linux distributions?
The general approach works across distributions, but file paths and exact policy configurations might differ. The article covers Ubuntu, Debian, and Arch Linux specifically.
Is it better to modify rights or comment out the policy line?
Either approach works effectively. Modifying rights to “read | write” is slightly more explicit about your intentions, while commenting out removes the restriction entirely.
How can I check if my changes were successful?
Try converting a PDF file using the convert command as shown in the testing section. If it completes without errors and produces output files, your changes worked.
Can I use ImageMagick for batch PDF processing now?
Yes, once you’ve enabled PDF processing, you can use ImageMagick for batch operations on PDF files just like with any other supported format.
If you like the content, we would appreciate your support by buying us a coffee. Thank you so much for your visit and support.
