From: Joseph Wright
To: LATEX-L@LISTSERV.UNI-HEIDELBERG.DE
Subject: Re: System shell functions
Date: Fri, 24 Aug 2018 21:19:12 +0100
Reply-To: Mailing list for the LaTeX3 project <LATEX-L@LISTSERV.UNI-HEIDELBERG.DE>
In-Reply-To: <44b7823e-d23a-6662-d777-f3b30ac4b2b5@morningstar2.co.uk>
References: <7aac3298-e217-7dfe-6787-ad1b69f43fc4@morningstar2.co.uk> <44b7823e-d23a-6662-d777-f3b30ac4b2b5@morningstar2.co.uk>

Hello Jonathan,

Just to emphasise again that the team's code is working at the macro
layer, and that the facilities for shell escape are controlled by the
engines: as such the TeX Live list may be a better place to discuss some
of this. That said, I'll cover what I understand in this area. (The
cautious user will of course have shell escape entirely disabled.)

>> Once one allows unrestricted shell escape, all bets are off in terms of
>> what an arbitrary package can do.
>
> Your implication is that "restricted shell escape" both
>
> 1. reduces what an arbitrary package can do
> 2. improves security
>
> Please provide some evidence for (1), by for example providing references
> to the source code and tests.

The point is that *restricted* shell escape only allows a pre-defined
list of commands to be executed. As such, there is no possibility of
calling, from within the TeX run, commands which have not been
pre-authorised. As I understand it, the idea of providing restricted
shell escape is that it gives the user some option between 'nothing at
all' and 'complete access to the system'.

In my stock TeX Live 2018 setup, texmf.cnf has the following to say on
restricted shell escape commands:

    % The programs listed here are as safe as any we know: they either do
    % not write any output files, respect openout_any, or have hard-coded
    % restrictions similar to or higher than openout_any=p.  They also have
    % no features to invoke arbitrary other programs, and no known
    % exploitable bugs.  All to the best of our knowledge.  They also have
    % practical use for being called from TeX.
    %
    shell_escape_commands = \
    bibtex,bibtex8,\
    extractbb,\
    gregorio,\
    kpsewhich,\
    makeindex,\
    repstopdf,\
    texosquery-jre8,\

    % we'd like to allow:
    % dvips - but external commands can be executed, need at least -R1.
    % epspdf, ps2pdf, pstopdf - need to respect openout_any,
    %   and gs -dSAFER must be used and check for shell injection with filenames.
    % pygmentize - but is the filter feature insecure?
    % ps4pdf - but it calls an unrestricted latex.
    % rpdfcrop - maybe ok, but let's get experience with repstopdf first.
    % texindy,xindy - but is the module feature insecure?
    % ulqda - but requires optional SHA1.pm, so why bother.
    % tex, latex, etc. - need to forbid --shell-escape, and inherit openout_any.

I know there have been discussions on the TL list about those commands
in the 'allowed' list: it's certainly outside my area of expertise to
comment on them in this regard.

> By the way, the usual meaning of "restricted shell escape" is as in
> https://en.wikipedia.org/wiki/Restricted_shell. This page tells us: The
> restricted shell is not secure.
>
> The TeX/LaTeX community has a different meaning for "restricted shell
> escape". As you are using the term in this new way, please would you
> provide a definition.

As I say, it's the list of commands that can be called which is itself
restricted. Again, I leave it to others to detail whether a shell
program is actually called at all here (sh or cmd.exe), or if a system
call is made to run the requested command.

> Please also would you discuss:
> http://tex-live.tug.narkive.com/1iD2CkdT/security-issues-for-restricted-shell-escape

I note that this is from the early days of implementing a restricted
version of shell escape. As quoted above, current texmf.cnf excludes
many commands that are on the list in that thread.

All of this is somewhat moot for the question at hand: operations such
as 'copy a file' or 'remove a file' will only ever be available when
shell escape is unrestricted. The question then is what, if any,
wrappers to provide to users who have decided to allow such calls.

Joseph
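The following is an added example, not code from Joseph's mail and not TeX Live's own implementation (the real check lives in the engines' C sources, as Joseph says). It models the three settings of the texmf.cnf variable shell_escape (f = disabled, t = unrestricted, p = restricted, the TeX Live default): a small parser reads the shell_escape_commands list in the texmf.cnf syntax quoted above ('%' comments, backslash line continuation, comma-separated values), and a policy function then decides what a \write18 call may do. In restricted mode the first word must match the list exactly, so a path, a trailing ';' or an unlisted program is refused, and every argument is wrapped in single quotes with embedded quote characters rejected, so '$(...)' and similar are passed to the program as literal text rather than interpreted by the shell. Assumptions: Unix-style single-quote quoting (cmd.exe would differ), plain whitespace splitting, and pre-quoted arguments are not modelled; the texmf.cnf fragment is constructed from the listing in the mail.

```python
"""Model of TeX's three shell-escape modes, driven by a texmf.cnf fragment.

Added example, not code from the mail or from TeX Live: it parses the
shell_escape_commands setting in texmf.cnf syntax ('%' comments, backslash
line continuation, comma-separated list) and applies the restricted-mode
policy as described in the thread: the command name must be on the list,
and arguments are quoted so the shell cannot be led into running a second
command.  The real check is done by the engines; this models the policy.
"""

# Constructed texmf.cnf fragment: the list quoted in the mail plus the
# shell_escape setting that selects the mode (f = off, t = unrestricted,
# p = restricted, the TeX Live default).
TEXMF_CNF = r"""
% The programs listed here are as safe as any we know.
shell_escape_commands = \
bibtex,bibtex8,\
extractbb,\
gregorio,\
kpsewhich,\
makeindex,\
repstopdf,\
texosquery-jre8,\

% we'd like to allow:
% dvips - but external commands can be executed, need at least -R1.
shell_escape = p
"""

QUOTE = "'"  # assumption: Unix-style quoting; cmd.exe would use double quotes


def parse_texmf_cnf(text):
    """Return {key: value} from a texmf.cnf fragment.

    '%' starts a comment, a trailing backslash joins the next physical line,
    and values are kept as raw strings (lists are split by the caller).
    """
    settings = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.split("%", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1]
            continue
        logical += line
        if "=" in logical:
            key, value = logical.split("=", 1)
            settings[key.strip()] = value.strip()
        logical = ""
    return settings


def allowed_commands(settings):
    """The pre-authorised command names, ignoring the trailing empty entry."""
    raw = settings.get("shell_escape_commands", "")
    return [c.strip() for c in raw.split(",") if c.strip()]


def shell_cmd_is_allowed(cmd, mode, allowed):
    """Decide what \\write18{cmd} may do under shell_escape = mode.

    Returns (verdict, command) where command is what would be handed to the
    shell, or None when the call is refused.
    """
    if mode == "f":                      # shell escape disabled
        return "denied", None
    if mode == "t":                      # unrestricted: run verbatim
        return "allowed", cmd
    if mode != "p":
        raise ValueError("unknown shell_escape value %r" % mode)

    words = cmd.split()                  # restricted: split on whitespace
    if not words or words[0] not in allowed:
        return "denied", None            # name must match the list exactly
    for arg in words[1:]:
        if QUOTE in arg:                 # a quote would end our quoting
            return "denied", None
    safe = " ".join([words[0]] + [QUOTE + a + QUOTE for a in words[1:]])
    return "allowed", safe


def check(cmd, cnf=TEXMF_CNF):
    """Apply the policy selected by a texmf.cnf fragment to one command."""
    settings = parse_texmf_cnf(cnf)
    return shell_cmd_is_allowed(cmd, settings["shell_escape"],
                                allowed_commands(settings))


if __name__ == "__main__":
    for c in ("kpsewhich article.cls",
              "rm -rf build",
              "kpsewhich; rm -rf build",
              "kpsewhich $(rm -rf build)",
              "/usr/bin/kpsewhich article.cls"):
        print("%-35s -> %s" % (c, check(c)))
```

Run as a script it prints a verdict for each sample command. The cases to look at are the third and fourth: appending ';' to a listed name yields a word that is not on the list, and '$(rm -rf build)' survives only as three single-quoted literal arguments to kpsewhich. Switching the fragment to shell_escape = t passes 'rm -rf build' through untouched, which is the situation Joseph describes as "all bets are off".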