5

Possible Duplicate:
How can I safely compile other people's LaTeX documents?

I've got a Linux server that is rendering LaTeX documents, I want to disable the access of LaTeX to system files such as /etc/passwd etc. Is it possible by anyway?

Community
  • 1
Dig
  • 291

2 Answers2

10

You want to the "paranoid" setting in your texmf.cnf file

% Allow TeX \openin, \openout, or \input on filenames starting with `.'
% (e.g., .rhosts) or outside the current tree (e.g., /etc/passwd)?
% a (any)        : any file can be opened.
% r (restricted) : disallow opening "dotfiles".
% p (paranoid)   : as `r' and disallow going to parent directories, and
%                  restrict absolute paths to be under $TEXMFOUTPUT.
openout_any = p
openin_any = a
David Carlisle
  • 757,742
1

you should also use the default setting of TeXLive:

% Enable system commands via \write18{...}.  When enabled fully (set to
% t), obviously insecure.  When enabled partially (set to p), only the
% commands listed in shell_escape_commands are allowed.  Although this
% is not fully secure either, it is much better, and so useful that we
% enable it for everything but bare tex.
shell_escape = p

% No spaces in this command list.
% 
% The programs listed here are as safe as any we know: they either do
% not write any output files, respect openout_any, or have hard-coded
% restrictions similar or higher to openout_any=p.  They also have no
% features to invoke arbitrary other programs, and no known exploitable
% bugs.  All to the best of our knowledge.  They also have practical use
% for being called from TeX.
% 
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich,\
makeindex,\
repstopdf,\
  • This is the default and it's not necessary to repeat it in the top-level texmf.cnf file. – egreg Jun 02 '12 at 19:27
  • did I said something different? It is important that it isn't overwritten by a local config file! –  Jun 02 '12 at 19:46