* [PATCH] docs: Makefile: Add -no-shell-escape option to LATEXOPTS
@ 2022-02-10  1:26 Akira Yokosawa
  2022-02-10  1:43 ` Akira Yokosawa
  2022-02-10 17:51 ` Jonathan Corbet
  0 siblings, 2 replies; 5+ messages in thread
From: Akira Yokosawa @ 2022-02-10  1:26 UTC (permalink / raw)
  To: Jonathan Corbet; +Cc: linux-doc, linux-kernel, Akira Yokosawa

By adding this option, the message "restricted \write18 enabled" from
LaTeX can be silenced.

As there is no use of \write18 in LaTeX sources from sphinx-build, it
is safe to add this option.

Reported-by: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Akira Yokosawa <akiyks@gmail.com>
---
 Documentation/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Documentation/Makefile b/Documentation/Makefile
index 9f4bd42cef18..64d44c1ecad3 100644
--- a/Documentation/Makefile
+++ b/Documentation/Makefile
@@ -26,7 +26,7 @@ SPHINX_CONF   = conf.py
 PAPER         =
 BUILDDIR      = $(obj)/output
 PDFLATEX      = xelatex
-LATEXOPTS     = -interaction=batchmode
+LATEXOPTS     = -interaction=batchmode -no-shell-escape
 
 ifeq ($(KBUILD_VERBOSE),0)
 SPHINXOPTS    += "-q"
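Review bot: the changelog justification ("there is no use of \write18 in LaTeX sources from sphinx-build") would be more precise if it named the mode being replaced: the warning "restricted \write18 enabled" is TeX's restricted shell-escape default, in which only the commands listed in shell_escape_commands may be spawned, and `-no-shell-escape` turns even that allowlisted mode off. The placement itself is right: LATEXOPTS is the variable handed to $(PDFLATEX) = xelatex, so every PDF run picks up the flag. Consider also stating in the changelog that the option is appended unconditionally, so anyone who does need shell escape would have to override LATEXOPTS on the make command line.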

base-commit: f647de4b02dcb1815fb3019f86a001a681daf0a1
-- 
2.17.1



* Re: [PATCH] docs: Makefile: Add -no-shell-escape option to LATEXOPTS
  2022-02-10  1:26 [PATCH] docs: Makefile: Add -no-shell-escape option to LATEXOPTS Akira Yokosawa
@ 2022-02-10  1:43 ` Akira Yokosawa
  2022-02-10 17:51 ` Jonathan Corbet
  1 sibling, 0 replies; 5+ messages in thread
From: Akira Yokosawa @ 2022-02-10  1:43 UTC (permalink / raw)
  To: Jonathan Corbet; +Cc: linux-doc, linux-kernel, Akira Yokosawa

On Thu, 10 Feb 2022 10:26:53 +0900,
Akira Yokosawa wrote:
> By adding this option, the message "restricted \write18 enabled" from
> LaTeX can be silenced.
> 
> As there is no use of \write18 in LaTeX sources from sphinx-build, it
> is safe to add this option.

Jon,
JFYI, there is a ticket on the message at:

    https://tex.stackexchange.com/questions/76105/what-does-restricted-write18-enabled-mean-and-why-does-texlive-keep-reporting

I think David Carlisle's answer covers most of your concerns.

        Thanks, Akira

> 
> Reported-by: Jonathan Corbet <corbet@lwn.net>
> Signed-off-by: Akira Yokosawa <akiyks@gmail.com>
> ---
[...]



* Re: [PATCH] docs: Makefile: Add -no-shell-escape option to LATEXOPTS
  2022-02-10  1:26 [PATCH] docs: Makefile: Add -no-shell-escape option to LATEXOPTS Akira Yokosawa
  2022-02-10  1:43 ` Akira Yokosawa
@ 2022-02-10 17:51 ` Jonathan Corbet
  2022-02-11  2:12   ` Akira Yokosawa
  1 sibling, 1 reply; 5+ messages in thread
From: Jonathan Corbet @ 2022-02-10 17:51 UTC (permalink / raw)
  To: Akira Yokosawa; +Cc: linux-doc, linux-kernel, Akira Yokosawa

Akira Yokosawa <akiyks@gmail.com> writes:

> By adding this option, the message "restricted \write18 enabled" from
> LaTeX can be silenced.
>
> As there is no use of \write18 in LaTeX sources from sphinx-build, it
> is safe to add this option.
>
> Reported-by: Jonathan Corbet <corbet@lwn.net>
> Signed-off-by: Akira Yokosawa <akiyks@gmail.com>
> ---
>  Documentation/Makefile | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/Documentation/Makefile b/Documentation/Makefile
> index 9f4bd42cef18..64d44c1ecad3 100644
> --- a/Documentation/Makefile
> +++ b/Documentation/Makefile
> @@ -26,7 +26,7 @@ SPHINX_CONF   = conf.py
>  PAPER         =
>  BUILDDIR      = $(obj)/output
>  PDFLATEX      = xelatex
> -LATEXOPTS     = -interaction=batchmode
> +LATEXOPTS     = -interaction=batchmode -no-shell-escape

Interesting.  In my digging now and back in 2016 [1] everything I found
said that \write18 had to be explicitly enabled - and for good reason.
And I could never figure out *how* we were enabling it...  It turns out
that the net misinformed me; how come nobody ever told me that could
happen? :)

Anyway, I've applied this, but I'm going to tweak the changelog a bit.
My reason for wanting this isn't to make the warning go away - it's a
*tiny* piece of the noise of a pdfdocs build.  That warning is there for
a reason; \write18 is dangerous.  We really don't want any way for
arbitrary shell commands to be executed via the docs build.  So the new
text is:

  It turns out that LaTeX enables \write18, which allows arbitrary shell
  commands to be executed from the document source, by default.  This is the
  often-seen warning during a pdfdocs build:

    restricted \write18 enabled

  That is a potential security problem and is entirely unnecessary; nothing
  in the kernel PDF docs build needs that capability.  So disable \write18
  explicitly.

I think I'll add a Cc: stable while I'm at it.  I know of no actual
threat, but this is best closed.

Thanks for fixing this,

jon

[1] https://lore.kernel.org/lkml/20161113125250.779df4dd@lwn.net/


* Re: [PATCH] docs: Makefile: Add -no-shell-escape option to LATEXOPTS
  2022-02-10 17:51 ` Jonathan Corbet
@ 2022-02-11  2:12   ` Akira Yokosawa
  2022-02-15 23:09     ` Jonathan Corbet
  0 siblings, 1 reply; 5+ messages in thread
From: Akira Yokosawa @ 2022-02-11  2:12 UTC (permalink / raw)
  To: Jonathan Corbet; +Cc: linux-doc, linux-kernel, Akira Yokosawa

On Thu, 10 Feb 2022 10:51:17 -0700,
Jonathan Corbet wrote:
> Akira Yokosawa <akiyks@gmail.com> writes:
[...]
>>
>> diff --git a/Documentation/Makefile b/Documentation/Makefile
>> index 9f4bd42cef18..64d44c1ecad3 100644
>> --- a/Documentation/Makefile
>> +++ b/Documentation/Makefile
>> @@ -26,7 +26,7 @@ SPHINX_CONF   = conf.py
>>  PAPER         =
>>  BUILDDIR      = $(obj)/output
>>  PDFLATEX      = xelatex
>> -LATEXOPTS     = -interaction=batchmode
>> +LATEXOPTS     = -interaction=batchmode -no-shell-escape
> 
> Interesting.  In my digging now and back in 2016 [1] everything I found
> said that \write18 had to be explicitly enabled - and for good reason.
> And I could never figure out *how* we were enabling it...  It turns out
> that the net misinformed me; how come nobody ever told me that could
> happen? :)
> 
> Anyway, I've applied this, but I'm going to tweak the changelog a bit.
> My reason for wanting this isn't to make the warning go away - it's a
> *tiny* piece of the noise of a pdfdocs build.  That warning is there for
> a reason; \write18 is dangerous.  We really don't want any way for
> arbitrary shell commands to be executed via the docs build.  So the new
> text is:
> 
>   It turns out that LaTeX enables \write18, which allows arbitrary shell
>   commands to be executed from the document source, by default.  This is the
>   often-seen warning during a pdfdocs build:
> 
>     restricted \write18 enabled
> 
>   That is a potential security problem and is entirely unnecessary; nothing
>   in the kernel PDF docs build needs that capability.  So disable \write18
>   explicitly.

I don't think the "restricted \write18 enabled" mode permits *arbitrary*
shell commands.  This is different from adding -shell-escape, rather the
default option is -shell-restricted.  In this mode, only those commands
listed by "kpsewhich -var-value=shell_escape_commands" are allowed.

In my setting, it lists:
bibtex,bibtex8,extractbb,gregorio,kpsewhich,makeindex,repstopdf,r-mpost,texosquery-jre8,

As you can see, the format of the list indicates that the restriction
concerns only the name of the command, which might be circumvented in
a clever way :-/

-no-shell-escape is expected to plug the hole, but LaTeX/TeX
implementation might have an unknown security issue.  Who knows!

> 
> I think I'll add a Cc: stable while I'm at it.  I know of no actual
> threat, but this is best closed.
> 
> Thanks for fixing this,
> 
> jon
> 
> [1] https://lore.kernel.org/lkml/20161113125250.779df4dd@lwn.net/

Thanks for the link.
This is useful in understanding the early days of Sphinx adoption.

I'm kind of worried that Linus might get another flashback seeing
my updates in LaTeX preamble.  ;-)

        Thanks, Akira
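The three shell-escape modes discussed in this thread (the restricted default with its shell_escape_commands allowlist, full -shell-escape, and -no-shell-escape as added to LATEXOPTS by the patch) can be checked mechanically. The script below is an added example, not part of the patch or of the kernel's Documentation/Makefile: it derives the effective \write18 mode from an options string, pulls LATEXOPTS out of Makefile text, and tests a command name against an allowlist in the comma-separated format that kpsewhich prints. The allowlist value is the one Akira quoted above, embedded here as a constructed sample; the rule that a later -shell-escape/-no-shell-escape option overrides an earlier one is an assumption about the TeX Live engines, and the optional live query only runs when kpsewhich is installed.

```shell
#!/bin/sh
# Constructed samples: the LATEXOPTS value before and after the patch.
LATEXOPTS_BEFORE='-interaction=batchmode'
LATEXOPTS_AFTER='-interaction=batchmode -no-shell-escape'
# Constructed sample of `kpsewhich -var-value=shell_escape_commands` output
# (the list quoted in the thread; note the trailing comma).
SAMPLE_ALLOWLIST='bibtex,bibtex8,extractbb,gregorio,kpsewhich,makeindex,repstopdf,r-mpost,texosquery-jre8,'

# Effective \write18 mode for a LATEXOPTS string: "disabled", "restricted"
# or "unrestricted".  Assumption: the last shell-escape option given wins,
# and the default with no option is the restricted (allowlisted) mode.
effective_shell_escape_mode() {
    mode="restricted"
    for opt in $1; do
        case "$opt" in
            -no-shell-escape|--no-shell-escape) mode="disabled" ;;
            -shell-escape|--shell-escape)       mode="unrestricted" ;;
            -shell-restricted|--shell-restricted) mode="restricted" ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Print the value of a plain "LATEXOPTS = ..." assignment from Makefile
# text on stdin ("+=" lines are not handled by this simple extractor).
latexopts_from_makefile() {
    sed -n 's/^LATEXOPTS[[:space:]]*=[[:space:]]*//p'
}

# Return 0 if command $1 appears in the comma-separated allowlist $2.
# Only the bare name is compared, which is exactly the limitation noted
# in the thread: the list restricts names, not what those programs do.
allowlisted() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# One-line audit verdict for a LATEXOPTS value.
audit_latexopts() {
    mode=$(effective_shell_escape_mode "$1")
    case "$mode" in
        disabled)     printf 'OK: shell escape disabled\n' ;;
        restricted)   printf 'WARN: shell escape restricted (allowlisted commands only)\n' ;;
        unrestricted) printf 'WARN: shell escape unrestricted\n' ;;
    esac
}

# Allowlist of the installed TeX, if kpsewhich is present; otherwise the
# constructed sample so the script still runs offline.
live_allowlist() {
    if command -v kpsewhich >/dev/null 2>&1; then
        kpsewhich -var-value=shell_escape_commands
    else
        printf '%s\n' "$SAMPLE_ALLOWLIST"
    fi
}

# Demo run over the two sample values and the quoted allowlist.
printf 'before patch: %s\n' "$(audit_latexopts "$LATEXOPTS_BEFORE")"
printf 'after patch:  %s\n' "$(audit_latexopts "$LATEXOPTS_AFTER")"
printf 'allowlist:    %s\n' "$(live_allowlist)"
```

Running it against a checked-out tree is a matter of `latexopts_from_makefile < Documentation/Makefile | while read -r opts; do audit_latexopts "$opts"; done`; the verdict for the post-patch value is "OK: shell escape disabled", and for the pre-patch value "WARN: shell escape restricted (allowlisted commands only)".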


* Re: [PATCH] docs: Makefile: Add -no-shell-escape option to LATEXOPTS
  2022-02-11  2:12   ` Akira Yokosawa
@ 2022-02-15 23:09     ` Jonathan Corbet
  0 siblings, 0 replies; 5+ messages in thread
From: Jonathan Corbet @ 2022-02-15 23:09 UTC (permalink / raw)
  To: Akira Yokosawa; +Cc: linux-doc, linux-kernel, Akira Yokosawa

Akira Yokosawa <akiyks@gmail.com> writes:

> I don't think the "restricted \write18 enabled" mode permits *arbitrary*
> shell commands.  This is different from adding -shell-escape, rather the
> default option is -shell-restricted.  In this mode, only those commands
> listed by "kpsewhich -var-value=shell_escape_commands" are allowed.

Ah, OK, I stand corrected on that, thanks.  It's still worth turning
off, but it wasn't quite as bad as I'd feared.  Now that I've thoroughly
showed my ignorance I think I'll just go get busy with something
else..:)

Thanks,

jon
