# [tex-live] Security issues for restricted shell escape

Heiko Oberdiek oberdiek at uni-freiburg.de
Sat Jul 18 01:25:54 CEST 2009

```On Fri, Jul 17, 2009 at 04:40:25PM -0500, Karl Berry wrote:

>     Setting "p" isn't much better than "1".
>
> It at least eliminates the most obvious issues, ie,
> \write18{rm -rf /}

No, I must say. It's trivial to do this. Many programs
of the list allow this, e.g.:
* epstopdf (via pipe feature, a language extension of ghostscript)
fixable by -dSAFER and further option validation.
* etex, latex, luatex, lualatex, pdflatex, pdfluatex, tex
* texexec (at least option `--paranoid' should be mandatory)
* texmfstart

>
>     The security holes are huge.
>
> I can't disagree, and I knew that (and pointed it out) when I
> implemented it.  It is a tradeoff.
>
>     * Version 1.17 closes some security holes in pdfcrop

Now 1.18 is on its way to CTAN. I have added a restricted mode:

| G. RESTRICTED MODE
| ==================
| Restricted mode is enabled if:
| * option `--restricted' is used,
| * the program is called under the name `rpdfcrop'
| * or the called program name contains `restricted'.
| This mode sets restrictions for the following options:
| * --pdftexcmd: if used, the value must be empty or `pdftex'.
| * --xetexcmd: if used, the value must be empty or `xetex'.
| * --gscmd: if used, the value must
|   * be empty or
|   * be one of the standard names (gs, gswin32c, mgs, gs386 gsos2) or
|   * consists of `gs', followed by a version number and an
|     optional `c' (Ghostscript's convention for `console version').

Therefore the recommendation should be also installing `rpdfcrop' and
using `rpdfcrop' instead of `pdfcrop' in the command list.
Or an automatically redirect would be helpful
\immediate\write18{pdfcrop ...} executes rpdfcrop in
restricted mode, configured by an entry in texmf.cnf:
shell_escape_commands = \
bibtex,...,pdfcrop=>rpdfcrop,...

Or an easy way for testing the existence of a program would
be nice (at TeX macro level).