
I am trying to follow the MacTeX-2012 instructions for migrating from (unsafe) shell-escape to using "restricted-shell-escape". But it is unclear to me what items to put in the file that specifies the "safe list" for this mode.

For example, if I remove shell-escape from my command line (or, disable it from the warning dialog in TeXShop), and try to use a package that requires it, like, for example, auto-pst-pdf I get an error:

"You need to run LaTeX with the equivalent of "pdflatex -shell-escape" Or turn off auto-pst-pdf."

when processing even the simplest of files:

\documentclass{article}
\usepackage{auto-pst-pdf}
\begin{document}
Test. 
\end{document}

I also notice that I get other warnings, even with this simple example, such as

"Package ifplatform Warning: Shell escape is disabled, so I can only detect \ifwindows"

and wonder if there is a way to avoid these, and the corresponding loss of functionality using "restricted-shell-escape" -- or at least find out what I'm missing without scanning the log.

What items do I need to add to my texmf.cnf to get auto-pst-pdf to work without enabling shell-escape? How, in general, do I determine what items should be in this list? Are there some things that will only work with the shell-escape flag, and not with "restricted-shell-escape"; how can I determine what those are?


The (local) texmf.cnf file:

shell_escape_commands = bibtex,bibtex8,kpsewhich,makeindex,mpost,repstopdf
orome

1 Answer


I would avoid modifying the list of programs allowed to run in the restricted shell. These are either programs that don't write out any output (and when output redirection is requested they don't work in the restricted shell escape setting) or respect the openout_any setting in texmf.cnf.

As far as the present problem is concerned, running pdflatex with shell escape enabled on the file filename.tex consists in using the command line

pdflatex -shell-escape filename

(no quotes).

How to set up a front-end to run this command depends on the front-end itself. With TeXShop, for example, one can define a new engine. In your ~/Library/TeXShop/Engines folder duplicate XeLaTeX.engine and call it pdflatexshell.engine. Modify the file (with TeXShop itself) to read

#!/bin/tcsh

set path= (/usr/texbin /usr/local/bin $path)
pdflatex -shell-escape "$1"

and, for a file you want to compile with unrestricted shell escape, write at its beginning

% !TEX TS-program = pdflatexshell

so that the engine will be automatically selected on opening.

What to do with other front-ends or LyX will vary.


If you really want to use the restricted shell escape, you have to enable

uname
rm
echo
latex

The program list can be determined by searching for runsystem in the .log file.

egreg
  • So basically, one should just run shell-escape when needed, rather than enable specific programs? That seems like a not-so-optimal solution, since instead of picking a few programs to always allow, one ends up occasionally (perhaps frequently) allowing all programs. – orome Jul 25 '12 at 21:04
  • 2
    @raxacoricofallapatorius If the document comes from an untrusted source, run it without shell escape and look for system in the log file to see what it attempted to do during compilation. – egreg Jul 25 '12 at 21:34
  • I'd still be curious: what program would I need to add to the list (on OS X) to get auto-pst-pdf to work without shell-escape? Adding gs doesn't seem to do the trick. – orome Jul 30 '12 at 23:05
  • Note that (I think?) allowing latex is effectively equivalent to allowing the whole shell escape, because the evil program can just invoke latex --shell-escape <evil TeX code>. – user202729 Dec 21 '21 at 03:22
  • In this case auto-pst-pdf explicitly checks for ifshellescape (see the source code), so I guess it's necessary to load ifplatform before and then invoke \shellescapetrue or something similar? – user202729 Dec 21 '21 at 03:28
  • @user202729 Reply to the first comment: yes. To the second: maybe, I didn’t check. – egreg Dec 21 '21 at 08:59
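The log-inspection advice in the answer and in egreg's comment, as an added Python example that is not from the thread: it pulls the runsystem(...) lines out of a pdflatex .log, compares each program against the shell_escape_commands list from the question, and flags any command that itself passes -shell-escape (the concern raised about allowing latex). The log excerpt and the file names in it are constructed.

```python
import re
import shlex
from os.path import basename

# Constructed pdflatex .log excerpt (not a real log). The "runsystem(...)..."
# lines mimic what pdftex writes for each \write18 call; the text after
# "..." says whether the command was run or refused.
SAMPLE_LOG = """\
This is pdfTeX, Version 3.1415926-2.4-1.40.13 (TeX Live 2012)
 restricted \\write18 enabled.
runsystem(kpsewhich auto-pst-pdf.sty)...executed safely (allowed).
runsystem(uname)...disabled (restricted).
runsystem(latex -shell-escape sample-autopp)...disabled (restricted).
runsystem(rm sample-autopp.pdf)...disabled (restricted).
Package ifplatform Warning: Shell escape is disabled, so I can only detect \\ifwindows
"""

# The allow-list from the question's local texmf.cnf (shell_escape_commands).
ALLOW_LIST = "bibtex,bibtex8,kpsewhich,makeindex,mpost,repstopdf".split(",")
RUNSYSTEM_RE = re.compile(r"^runsystem\((?P<cmd>.*)\)\.\.\.(?P<status>.*?)\.?$")


def parse_runsystem(log_text):
    """Return (program, full command, status) for every \\write18 attempt."""
    attempts = []
    for line in log_text.splitlines():
        m = RUNSYSTEM_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        try:
            argv = shlex.split(cmd)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            argv = cmd.split()
        program = basename(argv[0]) if argv else ""
        attempts.append((program, cmd, m.group("status")))
    return attempts


def audit(log_text, allow_list=ALLOW_LIST):
    """Return (programs outside the allow-list, commands passing -shell-escape);
    the second list shows where an allow-listed program would hand back full
    shell escape, so such programs must not be added to the list."""
    not_allowed, escalating = set(), []
    for program, cmd, _status in parse_runsystem(log_text):
        if program not in allow_list:
            not_allowed.add(program)
        if re.search(r"(^|\s)--?shell-escape(\s|$)", cmd):
            escalating.append(cmd)
    return sorted(not_allowed), escalating
```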