About restricted mode (apology and supplement)

- Posted by ut
Replies: 3

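# I feel like all I ever do is apologize and post corrections...
#
# Since this strays from the main subject of the original topic, I did not add it there
# and have started a new topic here instead. Sorry.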

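Yesterday, in the post

  Re: Typesetting no longer works
  Saturday, 15 May 2021, 11:02 - posted by ut
  https://okumuralab.org/tex/mod/forum/discuss.php?d=3118&parent=18630

I wrote:

> And the reason it now says “restricted \write18 enabled.” in most cases is that
> shell_escape_commands is set in texmf.cnf, isn't it?

but that was cutting things a bit too short; or rather, as written, it had the cause and
effect reversed (I thought I understood it myself, but my explanation was poor).
My apologies.

Restricted mode is the default, and shell_escape_commands is its exclusion list,
right...?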


I looked for documents that explain this properly:

----------------------------------------------------------------------
web2c.pdf
(Copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
2005, 2007, 2008, 2009, 2010-2021 Karl Berry & Olaf Weber.)

5 TeX: Typesetting
5.5 Shell escapes

TeX can execute shell escapes, that is, arbitrary shell commands. Although
tremendously useful, this also has obvious security implications. Therefore,
as of TeX Live 2009, a restricted mode for shell escapes is the default mode
of operation, which allows executing only certain commands, as specified in
the texmf.cnf configuration file.

----------------------------------------------------------------------
texlive-en.pdf
(Karl Berry, editor, July 2010)

10 Release history
10.2 Present

A related change is that execution of a very few external commands from TeX,
via the \write18 feature, is now enabled by default. These are commands are
repstopdf, makeindex, kpsewhich, bibtex, and bibtex8; the list is defined in
texmf.cnf. Environments which must disallow all such external commands can
deselect this option in the installer (see section 3.2.4), or override the
value after installation by running tlmgr conf texmf shell_escape 0.

----------------------------------------------------------------------
In reply to ut

Re: About restricted mode (apology and supplement)

- Posted by ut

# Sorry to keep going on about this...

Some further supplementary information:

------------------------------------------------------------
TeX Live: texmf.cnf [Apr 29 2009]

% Enable system commands via \write18{...}?  Obviously insecure, despite
% being so useful.
shell_escape = f

------------------------------------------------------------
TeX Live: texmf.cnf [May 19 2009]

% Enable system commands via \write18{...}.  When enabled fully (set to
% 1), obviously insecure.  When enabled partially (set to p), only the
% commands listed in shell_escape_commands are allowed.  Although this
% is not fully secure either, it is much better, and so useful that we
% enable it for everything but bare tex.
shell_escape = p

% No spaces in this command list.
shell_escape_commands = \
bibtex,convert,dvips,epstopdf,epspdf,etex,fc-match,gnuplot,\
kpsewhich,latex,luatex,lualatex,makeindex,mpost,\
pdfcrop,pdflatex,pdfluatex,ps2pdf,ps4pdf,pstopdf,pygmentize,\
tex,texexec,texmfstart,ulqda\

------------------------------------------------------------
TeX Live: texmf.cnf [May 18 2010]

% Enable system commands via \write18{...}.  When enabled fully (set to
% t), obviously insecure.  When enabled partially (set to p), only the
% commands listed in shell_escape_commands are allowed.  Although this
% is not fully secure either, it is much better, and so useful that we
% enable it for everything but bare tex.
shell_escape = p

% No spaces in this command list.  These programs either do not write
% any output files, respect openout_any, or have hard-coded restrictions similar
% or higher to openout_any=p.  And have no features (nor, to the best of our
% knowledge, obvious security holes) to invoke arbitrary other programs.
%
% Unfortunately we found too many problems with shell_escape=p, so it
% should be treated as though it were just as dangerous as shell_escape=t.
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich,\
makeindex,\
repstopdf,\

% we'd like to allow:
% dvips - but external commands can be executed, need at least -R1.
% epspdf, ps2pdf, pstopdf - need to respect openout_any,
%  and gs -dSAFER must be used and check for shell injection with filenames.
% (img)convert (ImageMagick) - delegates.mgk possible misconfig, besides,
%  without Unix convert it hardly seems worth it, and Windows convert
%  is something completely different that destroys filesystems, so skip.
% pygmentize - but is the filter feature insecure?
% ps4pdf - but it calls an unrestricted latex.
% rpdfcrop - maybe ok, but let's get experience with repstopdf first.
% texindy,xindy - but is the module feature insecure?
% ulqda - but requires optional SHA1.pm, so why bother.
% tex, latex, etc. - need to forbid --shell-escape, and inherit openout_any.

------------------------------------------------------------
TeX Live: texmf.cnf [May 14 2021]

% Enable system commands via \write18{...}.  When enabled fully (set to
% t), obviously insecure.  When enabled partially (set to p), only the
% commands listed in shell_escape_commands are allowed.  Although this
% is not fully secure either, it is much better, and so useful that we
% enable it for everything but bare tex.
shell_escape = p

% No spaces in this command list.
%
% The programs listed here are as safe as any we know: they either do
% not write any output files, respect openout_any, or have hard-coded
% restrictions similar to or higher than openout_any=p.  They also have
% no features to invoke arbitrary other programs, and no known
% exploitable bugs.  All to the best of our knowledge.  They also have
% practical use for being called from TeX.
%
shell_escape_commands = \
bibtex,bibtex8,\
extractbb,\
gregorio,\
kpsewhich,\
makeindex,\
repstopdf,\
r-mpost,\
texosquery-jre8,\

% we'd like to allow:
% dvips - but external commands can be executed, need at least -R1.
% epspdf, ps2pdf, pstopdf - need to respect openout_any,
%  and gs -dSAFER must be used and check for shell injection with filenames.
% pygmentize - but is the filter feature insecure?
% ps4pdf - but it calls an unrestricted latex.
% rpdfcrop - maybe ok, but let's get experience with repstopdf first.
% texindy,xindy - but is the module feature insecure?
% ulqda - but requires optional SHA1.pm, so why bother.
% tex, latex, etc. - need to forbid --shell-escape, and inherit openout_any.

------------------------------------------------------------
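
An audit of a texmf.cnf against the excerpts above, as an added example that is not part of the original posts or of TeX Live: it reads shell_escape and shell_escape_commands and flags allow-list entries that are absent from the May 14 2021 list or that the quoted comments and ChangeLog name as withheld or removed. The parser is a simplified model of the file format (an assumption), and SAMPLE is constructed.

```python
# Added example: simplified texmf.cnf reader (an assumption, not kpathsea's parser).
# Baseline: the shell_escape_commands list quoted above from texmf.cnf [May 14 2021].
BASELINE_2021 = frozenset(
    "bibtex bibtex8 extractbb gregorio kpsewhich makeindex "
    "repstopdf r-mpost texosquery-jre8".split())
# Programs the quoted comments ("we'd like to allow") and ChangeLog name as
# withheld or removed from the allow list.
WITHHELD = frozenset(
    "dvips epspdf ps2pdf pstopdf pygmentize ps4pdf rpdfcrop texindy xindy "
    "ulqda tex latex mpost".split())
MODES = {"t": "unrestricted", "1": "unrestricted", "p": "restricted",
         "f": "disabled", "0": "disabled"}

# Constructed sample: a locally edited fragment, not a real TeX Live file.
SAMPLE = r"""% local override
shell_escape = p
shell_escape_commands = \
bibtex,bibtex8,kpsewhich,\
makeindex,mpost, pygmentize,\
repstopdf,\

openout_any = p
"""

def parse_cnf(text):
    """Return {name: value}, joining lines that end in a backslash."""
    settings, pending = {}, ""
    for raw in text.splitlines() + [""]:   # sentinel flushes a trailing value
        line = "" if raw.lstrip().startswith("%") else raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical, pending = pending + line, ""
        if "=" in logical:
            name, value = logical.split("=", 1)
            settings.setdefault(name.strip(), value.strip())  # first definition kept
    return settings

def audit(text):
    cfg = parse_cnf(text)
    raw = [c for c in cfg.get("shell_escape_commands", "").split(",") if c.strip()]
    names = {c.strip() for c in raw}
    return {"mode": MODES.get(cfg.get("shell_escape", ""), "unknown"),
            "not_in_baseline": sorted(names - BASELINE_2021),
            "withheld_upstream": sorted(names & WITHHELD),
            "entries_with_spaces": [c for c in raw if c != c.strip()]}

if __name__ == "__main__":
    print(audit(SAMPLE))
```
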

In reply to ut

Re: About restricted mode (apology and supplement)

- Posted by ut

# Sorry that this is coming in dribs and drabs...

There was also this record:

------------------------------------------------------------
excerpt from:
ChangeLog.txt of kpathsea [Apr 23 1993 -- May 14 2021]

2018-12-30  Karl Berry  <karl@tug.org>

* texmf.cnf (shell_escape_commands): make that r-mpost.

2018-12-21  Karl Berry  <karl@freefriends.org>

* texmf.cnf (shell_escape_commands): add rmpost.

2017-04-14  Karl Berry  <karl@tug.org>

* texmf.cnf (shell_escape_commands): add texosquery-jre8.

2016-11-30  Karl Berry  <karl@ks.tug.org>

* texmf.cnf (shell_escape_commands): remove mpost, due to
the -tex option. Oops! Report from Bruno Le Floch.

2016-04-06  Karl Berry  <karl@tug.org>

* texmf.cnf (TEXMFVAR, TEXMFCONFIG): 2016.
(shell_escape_commands): add gregorio, fingers crossed.

* cnf.c (do_line): do not keep checking ISSPACE beyond
end of string.  (Can crash on lines without spaces.)
Return error string if problems.
* kpathsea_cnf_get: give warning, with line number,
        if do_line returns a message.

2015-04-12  Karl Berry  <karl@tug.org>

* texmf.cnf: update for TL'15.
(shell_escape_commands): include extractbb, fingers crossed.

2010-05-30  Karl Berry  <karl@tug.org>

* texmf.cnf (shell_escape_commands): turns out fc-list is not
needed after all.

2010-05-25  Karl Berry  <karl@tug.org>

* texmf.cnf (shell_escape_commands): include fc-list for
the luaotfload font cache.

2010-05-18  Karl Berry  <karl@tug.org>

* texmf.cnf (shell_escape): set to p. Trying restricted shells again.
(shell_escape_commands): bibtex, bibtex8,
kpsewhich, makeindex, repstopdf.  Don't plan to add anything
else for TL'10.

* NEWS,
* kpsewhich.c (read_command_line),
* texmf.cnf (TEXMFCONFIG, TEXMFVAR): 2010.

2009-10-20  Karl Berry  <karl@tug.org>

* texmf.cnf (shell_escape): doc fixes to discourage shell_escape=p.

2009-10-19  Manuel P\'egouri\'e-Gonnard <mpg@elzevir.fr>

* texmf.cnf: set shell_escape back to 'f': 'p' is broken on Unix.

2009-10-15  Manuel P\'egouri\'e-Gonnard <mpg@elzevir.fr>

* texmf.cnf (shell_escape_commands): add repstopdf, a version of
epstopdf with restrictions intended to make it safer.
Remove bibtex & makeindex for now, they don't respect openout_any.

2009-10-13  Karl Berry  <karl@tug.org>

* texmf.cnf (shell_escape_commands): remove the ps-to-pdf programs
for now, they don't respect openout_any.

2009-09-21  Karl Berry  <karl@tug.org>

* texmf.cnf (shell_escape_commands): remove pygmentize, as intended.

2009-08-15  Karl Berry  <karl@tug.org>

* texmf.cnf (shell_escape_commands): remove many more,
mail from Heiko, 14 Aug 2009 07:58:02 et al.

2009-07-23  Karl Berry  <karl@tug.org>

* mktexlsr: update help msg.

* texmf.cnf (shell_escape_commands): remove tex programs (too
dangerous?), add other indexing programs, change pdfcrop to
rpdfcrop, convert to imgconvert.

2009-04-18  Karl Berry  <karl@tug.org>

* texmf.cnf (shell_escape_commands): add fc-match, request
from Elie Roux, 17 Apr 2009 17:22:55.

2009-02-28  Karl Berry  <karl@tug.org>

* texmf.cnf (shell_escape_commands): add pstopdf and convert per
Dick Koch.

2009-02-26  Karl Berry  <karl@tug.org>

* texmf.cnf (shell_escape): set to new possibility p.
(shell_escape_commands): first cut at allow list.

------------------------------------------------------------

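In reply to ut

Re: About restricted mode (apology and supplement)

- Posted by 和田 勇

I have texlive 2014 and later on hand right now, so I looked through them for shell_escape; the result is as follows, and it seems to match ut's report.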

    2014/texmf-dist/web2c/texmf.cnf:shell_escape_commands = bibtex,bibtex8,                   kpsewhich,makeindex,mpost,repstopdf,
    2015/texmf-dist/web2c/texmf.cnf:shell_escape_commands = bibtex,bibtex8,extractbb,         kpsewhich,makeindex,mpost,repstopdf,
    2016/texmf-dist/web2c/texmf.cnf:shell_escape_commands = bibtex,bibtex8,extractbb,gregorio,kpsewhich,makeindex,      repstopdf,        texosquery-jre8,
    2017/texmf-dist/web2c/texmf.cnf:shell_escape_commands = bibtex,bibtex8,extractbb,gregorio,kpsewhich,makeindex,      repstopdf,        texosquery-jre8,
    2018/texmf-dist/web2c/texmf.cnf:shell_escape_commands = bibtex,bibtex8,extractbb,gregorio,kpsewhich,makeindex,      repstopdf,        texosquery-jre8,
    2019/texmf-dist/web2c/texmf.cnf:shell_escape_commands = bibtex,bibtex8,extractbb,gregorio,kpsewhich,makeindex,      repstopdf,r-mpost,texosquery-jre8,
    2020/texmf-dist/web2c/texmf.cnf:shell_escape_commands = bibtex,bibtex8,extractbb,gregorio,kpsewhich,makeindex,      repstopdf,r-mpost,texosquery-jre8,
    2021/texmf-dist/web2c/texmf.cnf:shell_escape_commands = bibtex,bibtex8,extractbb,gregorio,kpsewhich,makeindex,      repstopdf,r-mpost,texosquery-jre8,