[tex-live] Status of restricted \write18 and epstopdf conversion

Manuel Pégourié-Gonnard mpg at elzevir.fr
Tue Oct 27 10:34:14 CET 2009


Norbert Preining a écrit :
> On Di, 27 Okt 2009, Alexander Cherepanov wrote:
>> Try this:
> Honestly I see that going into a *stupid* direction.
> bash is distributed and still you can do
> 	echo > .ssh/authorized_keys
> If you trust an arbitrary tex file you got that is like trusting
> and arbitrary .sh file and running it, so it be.
I'm sorry but I disagree. Comparing tex with sh is completely
inappropriate. TeX is supposed to be a document processor, and its
documentation strongly suggest it can *not* be used to execute arbitrary
commands. (That's the whole point of \write18 being disable by default
for all these years and our efforts for developing a restricted version
this year, and you know that.)

While I understand it's depressive/annoying/whatever for us developers
that so many problems/questions are raised at this time when we are
trying to get a release sorted, we should try to avoid excessive
reactions (like comparing tex to sh) and continue to examine the
questions in a rational way.

Concerning this precise question, I already said I don't think we need
to change it quickly (if ever), for the following reasons:

1. It is the documented behaviour, ie nobody ever pretended that tex
cannot overwrite "dangerous" files.

2. Some such critical files are not dot-files nor in dot-dirs anyway
(think ~/bin). We cannot guess every possible path to critical files,
and there's probably no point in trying. The only real protection is to
process untrusted tex documents in their own directory.

(Later, it may be good to forbid dot-dirs too just for the sake of
consistency, but maybe even better to just document that the only real
protection is to process untrusted document in a directory under which
no critical file lies.)


More information about the tex-live mailing list