I saw an introduction of -shell-escape here: https://tex.stackexchange.com/a/598819/180617
I know that if I want to use a package like minted or tkz-fct, I have to use pdflatex --shell-escape main to compile main.tex. Because they call pygments or Gnuplot while compiling.
In that introduction, I realized that there exists a restricted shell escape, *latex compiles .tex with this mode.
The default setting is usually "Restricted Shell escape" this allows a small number of programs to be called by default (in a restricted form that does not allow shell redirection) these are (in a default TeX Live 2021 configuration)
bibtex
bibtex8
extractbb
gregorio
kpsewhich
makeindex
repstopdf
r-mpost
texosquery-jre8
My first question is when will pdflatex call something like bibtex or makeindex while compiling? Because in my usage, I'll run bibtex main after pdflatex main, not in pdflatex main.
My second question is when should I use --no-shell-escape?
Best Answer
The imakeidx package for example will call makeindex without you needing to call it explicitly. graphics/graphicx will call repstopdf in the background if including EPS files, and will call extractbb if including PNG and other bitmap formats to get the image size.
When to turn it off is a personal choice, you may want to have a behaviour closer to the texbook, where \write18 doesn't mean run system commands, or you may want the additional security and not trust that the commands allowed in the restricted shell escape list are in fact safe.
A lot of thought goes into that list ensuring the programs don't allow elevated permissions, e.g. repstopdf is a custom configuration of epstopdf with any features allowing ghostscript to run external code disabled. So most people, most of the time, use the default restricted shell escape setting.
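One way to check which of the three modes a TeX installation is in, and whether its restricted allow-list has grown beyond the list quoted in the question. This is an added example, not part of the question or the answer. The function names are hypothetical, the baseline is the TeX Live 2021 list quoted above, and the arguments used in the usage note are constructed sample values. The only TeX Live interfaces used are kpsewhich -var-value and the texmf.cnf variables shell_escape and shell_escape_commands.

```shell
#!/bin/sh
# Added example: audit the shell-escape mode and the restricted allow-list.
# BASELINE is the restricted list quoted on this page (default TeX Live 2021).
BASELINE="bibtex bibtex8 extractbb gregorio kpsewhich makeindex repstopdf r-mpost texosquery-jre8"

# Map the texmf.cnf value of shell_escape to a mode name.
# t/y/1 = any command may run, p = restricted allow-list, anything else = off.
classify_shell_escape() {
    case "$1" in
        t*|y*|1*) echo unrestricted ;;
        p*)       echo restricted ;;
        *)        echo disabled ;;
    esac
}

# Print every entry of a comma-separated allow-list that is not in BASELINE.
unexpected_commands() {
    echo "$1" | tr ',' '\n' | while IFS= read -r cmd; do
        cmd=$(echo "$cmd" | tr -d ' \t')
        if [ -n "$cmd" ]; then
            case " $BASELINE " in
                *" $cmd "*) ;;            # known entry, nothing to report
                *) echo "$cmd" ;;
            esac
        fi
    done
}

# audit MODE_VALUE ALLOW_LIST: returns 0 when the configuration is no wider
# than the baseline, 1 when it is unrestricted or has extra allowed programs.
audit() {
    mode=$(classify_shell_escape "$1")
    extra=$(unexpected_commands "$2")
    echo "shell escape mode: $mode"
    if [ "$mode" = unrestricted ]; then
        printf '%s\n' 'WARN: \write18 may run any command'
        return 1
    fi
    if [ "$mode" = restricted ] && [ -n "$extra" ]; then
        echo "WARN: allowed but not in baseline:" $extra
        return 1
    fi
    return 0
}

# Audit the local installation when TeX Live's kpsewhich is on PATH.
if command -v kpsewhich >/dev/null 2>&1; then
    audit "$(kpsewhich -var-value=shell_escape)" \
          "$(kpsewhich -var-value=shell_escape_commands)" || true
fi
```

Calling audit p 'bibtex,makeindex,gnuplot' reports gnuplot as an addition to the allow-list, which is the kind of local change worth reviewing before compiling documents from an untrusted source.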