[tex-live] Security issues for restricted shell escape
Heiko Oberdiek
2009-07-17 17:28:11 UTC
Hello,

texmf.cnf in the current pretest contains:

| % Enable system commands via \write18{...}. When enabled fully (set to
| % 1), obviously insecure. When enabled partially (set to p), only the
| % commands listed in shell_escape_commands are allowed. Although this
| % is not fully secure either, it is much better, and so useful that we
| % enable it for everything but bare tex.
| shell_escape = p
|
| % No spaces in this command list.
| shell_escape_commands = \
| bibtex,convert,dvips,epstopdf,epspdf,etex,fc-match,gnuplot,\
| kpsewhich,latex,luatex,lualatex,makeindex,mpost,\
| pdfcrop,pdflatex,pdfluatex,ps2pdf,ps4pdf,pstopdf,pygmentize,\
| tex,texexec,texmfstart,ulqda\
|
| % plain TeX should remain unenhanced.
| shell_escape.tex = f

Setting "p" isn't much better than "1". The security holes are
huge. Many programs of the command list allow the execution
of arbitrary programs, examples:

* The call of "tex -shell-escape" with embedded calls to arbitrary
programs is possible; the same for the other TeX variants.
* Version 1.17 closes some security holes in pdfcrop
(using -dSAFER for ghostscript, -no-shell-escape,
and validating arguments.) However it allows the configuration
of programs that are called by the script (Ghostscript,
pdfTeX or XeTeX). At least I have forbidden backticks and
whitespace and the arguments are under the control of pdfcrop.
However there might be malicious programs that ignore their
arguments ...
* ...

Yours sincerely
Heiko <oberdiek at uni-freiburg.de>
Karl Berry
2009-07-17 21:40:25 UTC
Setting "p" isn't much better than "1".

It at least eliminates the most obvious issues, i.e.,
\write18{rm -rf /}

The security holes are huge.

I can't disagree, and I knew that (and pointed it out) when I
implemented it. It is a tradeoff.

* Version 1.17 closes some security holes in pdfcrop

Thanks for your efforts.
Heiko Oberdiek
2009-07-17 23:25:54 UTC
Post by Heiko Oberdiek
Setting "p" isn't much better than "1".
It at least eliminates the most obvious issues, ie,
\write18{rm -rf /}
No, I must say. It's trivial to do this. Many programs
of the list allow this, e.g.:
* epstopdf (via the pipe feature, a language extension of Ghostscript),
fixable by -dSAFER and further option validation.
* etex, latex, luatex, lualatex, pdflatex, pdfluatex, tex
* texexec (at least option `--paranoid' should be mandatory)
* texmfstart
Post by Heiko Oberdiek
The security holes are huge.
I can't disagree, and I knew that (and pointed it out) when I
implemented it. It is a tradeoff.
* Version 1.17 closes some security holes in pdfcrop
Now 1.18 is on its way to CTAN. I have added a restricted mode:

| G. RESTRICTED MODE
| ==================
| Restricted mode is enabled if:
| * option `--restricted' is used,
| * the program is called under the name `rpdfcrop'
| * or the called program name contains `restricted'.
| This mode sets restrictions for the following options:
| * --pdftexcmd: if used, the value must be empty or `pdftex'.
| * --xetexcmd: if used, the value must be empty or `xetex'.
| * --gscmd: if used, the value must
| * be empty or
| * be one of the standard names (gs, gswin32c, mgs, gs386, gsos2) or
| * consist of `gs', followed by a version number and an
| optional `c' (Ghostscript's convention for `console version').

Therefore the recommendation should be also installing `rpdfcrop' and
using `rpdfcrop' instead of `pdfcrop' in the command list.
Or an automatic redirect would be helpful:
\immediate\write18{pdfcrop ...} executes rpdfcrop in
restricted mode, configured by an entry in texmf.cnf:
shell_escape_commands = \
bibtex,...,pdfcrop=>rpdfcrop,...

Or an easy way for testing the existence of a program would
be nice (at TeX macro level).

Yours sincerely
Heiko <oberdiek at uni-freiburg.de>

PS: BTW ulqda is broken:
| Can't locate Digest/SHA1.pm in @INC ...

SHA1.pm is missing in tlpkg/tlperl/lib/Digest/
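A small checker, added here as an illustration and not part of this thread, of TeX Live or of pdfcrop: it parses the shell_escape_commands list quoted in the first message, shows that restricted mode gates only the program name, and applies the pdfcrop 1.18 restricted-mode rules for --pdftexcmd, --xetexcmd and --gscmd described above. The function names and the exact shape accepted as a "version number" (digits only) are my assumptions.

```python
import re
import shlex

# Constructed texmf.cnf excerpt, copied from the entry quoted in the thread.
TEXMF_CNF = r"""
% No spaces in this command list.
shell_escape_commands = \
bibtex,convert,dvips,epstopdf,epspdf,etex,fc-match,gnuplot,\
kpsewhich,latex,luatex,lualatex,makeindex,mpost,\
pdfcrop,pdflatex,pdfluatex,ps2pdf,ps4pdf,pstopdf,pygmentize,\
tex,texexec,texmfstart,ulqda\
"""

def parse_shell_escape_commands(cnf_text):
    """Return the allow-list from a texmf.cnf fragment, joining '\\' continuations."""
    joined = re.sub(r"\\\n", "", cnf_text)
    for line in joined.splitlines():
        line = line.split("%", 1)[0].strip()      # drop % comments
        if line.startswith("shell_escape_commands"):
            value = line.split("=", 1)[1].strip()
            return [c for c in value.split(",") if c]
    return []

def restricted_allows(command_line, allowed):
    """shell_escape = p checks only the program name (the first word);
    every argument after it is passed to that program unchecked."""
    words = shlex.split(command_line)
    return bool(words) and words[0] in allowed

# pdfcrop 1.18 restricted-mode rules for the options that select a program.
GS_STANDARD_NAMES = {"gs", "gswin32c", "mgs", "gs386", "gsos2"}
# Assumption: "gs, followed by a version number and an optional c" = gs<digits>[c].
GS_VERSIONED = re.compile(r"^gs[0-9]+c?$")
FIXED_NAMES = {"--pdftexcmd": "pdftex", "--xetexcmd": "xetex"}

def restricted_option_ok(option, value):
    """True if the value is acceptable for this option in restricted mode."""
    if option in FIXED_NAMES:
        return value in ("", FIXED_NAMES[option])
    if option == "--gscmd":
        return (value == "" or value in GS_STANDARD_NAMES
                or GS_VERSIONED.match(value) is not None)
    return True   # options not named in the restricted-mode list are unaffected
```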
Heiko Oberdiek
2009-07-18 06:07:34 UTC
Post by Heiko Oberdiek
Post by Heiko Oberdiek
Setting "p" isn't much better than "1".
It at least eliminates the most obvious issues, ie,
\write18{rm -rf /}
No, I must say. It's trivial to do this. Many programs
* epstopdf (via pipe feature, a language extension of ghostscript)
fixable by -dSAFER and further option validation.
* etex, latex, luatex, lualatex, pdflatex, pdfluatex, tex
* texexec (at least option `--paranoid' should be mandatory)
* texmfstart
* gnuplot

Yours sincerely
Heiko <oberdiek at uni-freiburg.de>

Karl Berry
2009-07-17 23:58:32 UTC
* etex, latex, luatex, lualatex, pdflatex, pdfluatex, tex
* texexec (at least option `--paranoid' should be mandatory)
* texmfstart

Perhaps the tex programs shouldn't be in the list. I'm not sure there's
any great need for them.

Therefore the recommendation should be also installing `rpdfcrop' and
using `rpdfcrop' instead of `pdfcrop' in the command list.

Ok, good.

bibtex,...,pdfcrop=>rpdfcrop,...

I don't want to introduce this complication now.

PS: BTW ulqda is broken:
| Can't locate Digest/SHA1.pm in @INC ...
SHA1.pm is missing in tlpkg/tlperl/lib/Digest/

I guess I'll just remove ulqda.
It wouldn't surprise me if other Perl scripts had other dependencies
which we do not satisfy.