6

The package auto-pst-pdf.sty needs shell-escape to run, but shell escape is known to be seriously unsafe. Is there a possibility to tell auto-pst-pdf.sty to use restricted-shell-escape instead? I'm working on Linux Mint KDE 15 and I'm relatively new both to Linux and TeX, so be prepared for stupid questions on your answers.

Ludovic C.
  • 8,888
Jörg
  • 63

1 Answer

3

There's no real difference in how restricted and unrestricted shell-escape work as far as calling the operating system is concerned.

The unrestricted shell-escape is usually enabled, but it allows running only programs listed in a special variable set in texmf.cnf; currently the list is

shell_escape_commands = bibtex,bibtex8,kpsewhich,makeindex,mpost,repstopdf,

The restricted shell escape does not create a sandbox; the listed programs are trusted not to be able to make uncontrolled reads and writes: they can only write in the current directory or below it, for instance. But in the end, the same system call as with the unrestricted shell-escape is performed.

You could add latex and gs to the list, which is necessary for auto-pst-pdf to work, but this would open the same security problems as running the program with --shell-escape.

The system calls generated by auto-pst-pdf are equivalent to running the file through

latex + dvips + ps2pdf

so they should be safe. If other code in your document triggers system calls, then --shell-escape could be dangerous. Documents obtained from trusted sources (in particular written by you) shouldn't be risky. No package relying on --shell-escape has, to my knowledge, created problems. Of course there's always the possibility of receiving malicious code from untrusted sources.

egreg
  • 1,121,712
  • So this means if I want to keep my Linux safe I cannot use auto-pst-pdf? – Jörg Nov 28 '13 at 22:50
  • @Jörg Did I say that? No. If you want a fully safe computer, just don't use it. Be cautious, that's all. In particular, auto-pst-pdf doesn't do more than you would do by running latex+dvips+ps2pdf. – egreg Nov 28 '13 at 22:51
  • Ok, I interpreted your answer like that, that's why I asked again. But you are right: As long as I don't copy bad code in TexStudio and compile it, I should be safe. Is that what you meant? Thanks for being patient with me :) – Jörg Nov 28 '13 at 22:55
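
Added example (not part of the original answer or comments): a shell check for the answer's point that putting latex and gs into shell_escape_commands gives up what the restricted mode provides. The function names, the RISKY list and the sample values are assumptions of this example; on a real system the values come from kpsewhich -var-value.

```shell
# Added example: audit TeX shell-escape settings. Not from the original answer.
# RISKY holds the programs the answer names as undoing restricted mode if
# allow-listed. Assumption of this example: extend it to match your own policy.
RISKY="latex gs"

# Split a shell_escape_commands value into one program name per line.
# Copes with spaces, trailing commas and texmf.cnf backslash continuations.
split_allowlist() {
    printf '%s\n' "$1" | tr -d '\\' | tr ', \t' '\n\n\n' | sed '/^$/d'
}

# Report what a (mode, allowlist) pair permits.
# mode is the texmf.cnf shell_escape value: t = unrestricted, p = restricted, f = off.
audit_shell_escape() {
    mode=$1
    list=$2
    case $mode in
        t) echo "UNRESTRICTED: allowlist ignored, any program can run"; return 0 ;;
        f) echo "DISABLED: no program can run"; return 0 ;;
        p) ;;
        *) echo "UNKNOWN: unexpected shell_escape value '$mode'"; return 0 ;;
    esac
    found=""
    for prog in $(split_allowlist "$list"); do
        for bad in $RISKY; do
            if [ "$prog" = "$bad" ]; then found="$found $prog"; fi
        done
    done
    if [ -n "$found" ]; then
        echo "RESTRICTED-BUT-WIDENED:$found"
    else
        echo "RESTRICTED: allowlist has none of: $RISKY"
    fi
}

# Constructed sample values, not read from a real installation.
# SAMPLE_QUOTED holds the six entries visible in the answer's (cut-off) list.
SAMPLE_QUOTED='bibtex,bibtex8,kpsewhich,makeindex,mpost,repstopdf'
SAMPLE_WIDENED='bibtex, makeindex,\
latex,gs,'
audit_shell_escape p "$SAMPLE_QUOTED"
audit_shell_escape p "$SAMPLE_WIDENED"

# On a real system, audit the live configuration.
if command -v kpsewhich >/dev/null 2>&1; then
    audit_shell_escape "$(kpsewhich -var-value shell_escape)" \
                       "$(kpsewhich -var-value shell_escape_commands)"
fi
```

A RESTRICTED-BUT-WIDENED verdict means the installation is in the state the answer warns about: the mode is still restricted, but an allow-listed program can do what --shell-escape would.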