[Tex/LaTex] How to determine what items to add to the “restricted-shell-escape” safe list


I am trying to follow the MacTeX-2012 instructions for migrating from (unsafe) shell-escape to using "restricted-shell-escape". But it is unclear to me what items to put in the file that specifies the "safe list" for this mode.

For example, if I remove shell-escape from my command line (or disable it from the warning dialog in TeXShop) and try to use a package that requires it, such as auto-pst-pdf, I get an error:

"You need to run LaTeX with the equivalent of "pdflatex -shell-escape" Or turn off auto-pst-pdf."

when processing even the simplest of files:


I also notice that I get other warnings, even with this simple example, such as

"Package ifplatform Warning: Shell escape is disabled, so I can only detect \ifwindows"

and wonder if there is a way to avoid these, and the corresponding loss of functionality using "restricted-shell-escape" — or at least find out what I'm missing without scanning the log.

What items do I need to add to my texmf.cnf to get auto-pst-pdf to work without enabling shell-escape? How, in general, do I determine what items should be in this list? Are there some things that will only work with the shell-escape flag, and not with "restricted-shell-escape"; how can I determine what those are?

The (local) texmf.cnf file:

shell_escape_commands = bibtex,bibtex8,kpsewhich,makeindex,mpost,repstopdf

Best Answer

I would avoid modifying the list of programs allowed to run in the restricted shell. These are either programs that don't write out any output (and when output redirection is requested they don't work in the restricted shell escape setting) or respect the openout_any setting in texmf.cnf.

As far as the present problem is concerned, running pdflatex with shell escape enabled on the file filename.tex consists in using the command line

pdflatex -shell-escape filename

(no quotes).

How to set up a front-end to run this command depends on the front-end itself. With TeXShop, for example, one can define a new engine. In your ~/Library/TeXShop/Engines folder duplicate XeLaTeX.engine and call it pdflatexshell.engine. Modify the file (with TeXShop itself) to read


#!/bin/tcsh
# "set path= (...)" is csh syntax, so the engine script must run under tcsh
set path= (/usr/texbin /usr/local/bin $path)
pdflatex -shell-escape "$1"

and, for a file you want to compile with unrestricted shell escape, write at its beginning

% !TEX TS-program = pdflatexshell

so that the engine will be automatically selected on opening.

What to do with other front-ends or LyX will vary.

If you really want to use the restricted shell escape, you have to enable


The program list can be determined by searching for runsystem in the .log file.
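
The runsystem search described in the answer, as an added example that is not part of the original answer: a Python script that lists every runsystem entry in a log, the status recorded for it, and whether the program is on the shell_escape_commands list from the question. The function names are hypothetical, the log lines are constructed sample input, and the status strings are assumed to be the ones TeX Live engines write.

```python
import re

# Status text assumed to follow "runsystem(<command>)..." in a TeX Live log.
STATUSES = (
    "executed safely (allowed)",  # restricted mode, program on the safe list
    "disabled (restricted)",      # restricted mode, call refused
    "quotation error in system command",
    "executed",                   # unrestricted -shell-escape
    "disabled",                   # shell escape switched off
)
RUNSYSTEM = re.compile(
    r"runsystem\((.*?)\)\.\.\.(" + "|".join(map(re.escape, STATUSES)) + ")"
)

def parse_safe_list(cnf_text):
    """Program names from the shell_escape_commands setting of a texmf.cnf."""
    names = set()
    for line in cnf_text.replace("\\\n", "").splitlines():  # join continuations
        m = re.match(r"\s*shell_escape_commands\s*=\s*([^%]*)", line)
        if m:
            names.update(n.strip() for n in m.group(1).split(",") if n.strip())
    return names

def audit_log(log_text, safe_list):
    """(program, status, on_safe_list, command) for every runsystem entry."""
    joined = log_text.replace("\n", "")  # undo the log's hard line wrapping
    rows = []
    for cmd, status in RUNSYSTEM.findall(joined):
        program = cmd.split()[0] if cmd.split() else ""
        rows.append((program, status, program in safe_list, cmd))
    return rows

def refused_programs(rows):
    """Programs whose calls were not run: the functionality that was lost."""
    return sorted({p for p, status, _, _ in rows if status.startswith("disabled")})

# Safe list from the question; the log lines below are constructed sample input.
SAMPLE_CNF = "shell_escape_commands = bibtex,bibtex8,kpsewhich,makeindex,mpost,repstopdf\n"
SAMPLE_LOG = (
    "runsystem(kpsewhich article.cls)...executed safely (allowed).\n"
    "runsystem(uname -s)...disabled (restricted).\n"
    "runsystem(repstopdf --outfile=fig/plot-eps-converted-to.pdf fig/plot.e\n"
    "ps)...executed safely (allowed).\n"
)

if __name__ == "__main__":
    rows = audit_log(SAMPLE_LOG, parse_safe_list(SAMPLE_CNF))
    for program, status, listed, cmd in rows:
        print(f"{program:10} {status:28} on safe list: {listed}  [{cmd}]")
    print("not run:", ", ".join(refused_programs(rows)))
```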