[Tex/LaTex] How to determine what items to add to the “restricted-shell-escape” safe list

packagesshell-escape

I am trying to follow the MacTeX-2012 instructions for migrating from (unsafe) shell-escape to using "restricted-shell-escape". But it is unclear to me what items to put in the file that specifies the "safe list" for this mode.

For example, if I remove shell-escape from my command line (or, disable it from the warning dialog in TeXShop), and try to use a package that requires it, like, for example, auto-pst-pdf I get an error:

"You need to run LaTeX with the equivalent of "pdflatex -shell-escape" Or turn off auto-pst-pdf."

when processing even the simplest of files:

\documentclass{article}
\usepackage{auto-pst-pdf}
\begin{document}
Test. 
\end{document}

I also notice that I get other warnings, even with this simple example, such as

"Package ifplatform Warning: Shell escape is disabled, so I can only detect \ifwindows"

and wonder if there is a way to avoid these, and the corresponding loss of functionality using "restricted-shell-escape" — or at least find out what I'm missing without scanning the log.

What items do I need to add to my texmf.cnf to get auto-pst-pdf to work without enabling shell-escape? How, in general, do I determine what items should be in this list? Are there some things that will only work with the shell-scape flag, and not with "restricted-shell-escape"; how can I determine what those are?

The (local) texmf.cnf file:

shell_escape_commands = bibtex,bibtex8,kpsewhich,makeindex,mpost,repstopdf

Best Answer

I would avoid modifying the list of programs allowed to run in the restricted shell. These are either programs that don't write out any output (and when output redirection is requested they don't work in the restricted shell escape setting) or respect the openout_any setting in texmf.cnf.

As far as the present problem is concerned, running pdflatex with shell escape enabled on the file filename.tex consists in using the command line

pdflatex -shell-escape filename

(no quotes).

How to setup a front-end to run this command depends on the front-end itself. With TeXShop, for example, one can define a new engine. In your ~/Library/TeXShop/Engines folder duplicate XeLaTeX.engine and call it pdflatexshell.engine. Modify the file (with TeXShop itself) to read

#!/bin/tcsh

set path= (/usr/texbin /usr/local/bin $path)
pdflatex -shell-escape "$1"

and, for a file you want to compile with unrestricted shell escape, write at its beginning

% !TEX TS-program = pdflatexshell

so that the engine will be automatically selected on opening.

What to do with other front-ends or LyX will vary.

If you really want to use the restricted shell escape, you have to enable

uname
rm
echo
latex

The program list can be determined by searching for runsystem in the .log file.

Related Solutions

[Tex/LaTex] Equivalent to TeXLive’s –restricted-shell-escape for MiKTeX

MiKTeX includes the option --restrict-write18 to allow a restricted set of commands to be run: this is enabled by default with an up-to-date MiKTeX. However, to allow this to work with minted there are two additional issues. First, you need to add pygmentize to the list of allowed commands: a separate question on this (probably for the 'general case') would be best. Secondly, minted checks for fully-enabled \write18 before it will even run: circumventing this would require a modified version of the package or a request to the package author to change the code.

As an aside, TeX Live runs fine on Windows, but of course you'd still have to deal with the two caveats.

[Tex/LaTex] Use restricted-shell-escape with TexStudio on TexLive

There's no real difference in how restricted and unrestricted shell-escape work as far as calling the operating system is concerned.

The unrestricted shell-escape is usually enabled, but it allows running only programs listed in a special variable set in texmf.cnf; currently the list is

shell_escape_commands = bibtex,bibtex8,kpsewhich,makeindex,mpost,repstopdf,

The restricted shell escape does not create a sandbox; the listed program are trusted not to be able to make uncontrolled reads and writes: they can only write in the current directory or below it, for instance. But in the end, the same system call as with the unrestricted shell-escape is performed.

You could add latex and gs to the list, which is necessary for auto-pst-pdf to work, but this would open the same security problems as running the program with --shell-escape.

The system calls generated by auto-pst-pdf are equivalent to running the file through

latex + dvips + ps2pdf

so they should be safe. If other code in your document triggers system calls, then --shell-escape could be dangerous. Documents obtained from trusted sources (in particular written by you) shouldn't be risky. No package relying on --shell-escape has, up to my knowledge, created problems. Of course there's always the possibility of receiving malicious code from untrusted sources.

Best Answer

Related Solutions

[Tex/LaTex] Equivalent to TeXLive’s –restricted-shell-escape for MiKTeX

[Tex/LaTex] Use restricted-shell-escape with TexStudio on TexLive

Related Question