Hey there! When using headless LibreOffice as a PDF converter, disabling macros is a critical security step—especially in a containerized environment where you can't manually intervene with prompts. Here are two reliable methods to lock down macro execution for your setup:

Method 1: Use Command-Line Flags for One-Off or Ad-Hoc Runs #

LibreOffice 5.4.5 lets you set macro security directly via startup flags, which is perfect for quick conversions or when you want settings tied to your conversion command.

Add the --macro-security flag to your headless conversion command to block all macros entirely:

libreoffice --headless --invisible --macro-security 4 --convert-to pdf --outdir /output/path /input/file.docx

Let’s break down the key flag:

• --macro-security 4: Sets the security level to Very High, which disables all macros without any prompts. Other valid values for context:
  • 1: Low (enable all macros)
  • 2: Medium (prompt before enabling)
  • 3: High (allow only digitally signed macros)
  • 4: Very High (block all macros completely)

This method works great if you don’t need persistent settings across container restarts.

Method 2: Persist Macro Disabling via Configuration Files #

For a permanent setup (ideal when building a custom Docker image), modify LibreOffice’s user configuration to enforce macro blocking by default.

1. Locate the config directory:
   In Debian Stretch, LibreOffice 5.4.5 stores user settings at /root/.config/libreoffice/4/user/ (the "4" corresponds to the configuration version used by LibreOffice 5.x).

2. Edit the registrymodifications.xcu file:
   Add these XML entries to set macro security to the strictest level:

   <item oor:path="/org.openoffice.Office.Security/Scripting">
     <prop oor:name="MacroSecurityLevel" oor:op="fuse">
       <value>4</value>
     </prop>
   </item>
   <item oor:path="/org.openoffice.Office.Security/Scripting">
     <prop oor:name="MacroExecutionMode" oor:op="fuse">
       <value>0</value>
     </prop>
   </item>
   

   • MacroSecurityLevel=4: Enforces Very High security (blocks all macros)
   • MacroExecutionMode=0: Ensures no macros run, regardless of other overrides

3. Integrate into your Dockerfile:
   If building a custom image, copy the modified config file during the build process:

   FROM debian:stretch-9.3
   
   # Install LibreOffice 5.4.5 (adjust installation steps to match your needs)
   RUN apt-get update && apt-get install -y libreoffice=1:5.4.5-1~deb9u7
   
   # Create config directory and copy modified settings
   RUN mkdir -p /root/.config/libreoffice/4/user/
   COPY registrymodifications.xcu /root/.config/libreoffice/4/user/
   
   # Set default conversion command as entrypoint
   ENTRYPOINT ["libreoffice", "--headless", "--invisible", "--convert-to", "pdf"]
   

Verify the Setup #

Test with a document that contains macros—when you run the conversion, LibreOffice should process the file without executing any macros, and you won’t see any macro-related prompts (essential for headless mode, where there’s no UI to respond to prompts).

内容的提问来源于stack exchange，提问作者Alkis Kalogeris