Re: [PATCH] docs: Makefile: Add -no-shell-escape option to LATEXOPTS

From: Akira Yokosawa <akiyks@gmail.com>
To: Jonathan Corbet <corbet@lwn.net>
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
	Akira Yokosawa <akiyks@gmail.com>
Subject: Re: [PATCH] docs: Makefile: Add -no-shell-escape option to LATEXOPTS
Date: Fri, 11 Feb 2022 11:12:54 +0900	[thread overview]
Message-ID: <52112481-29af-1f8c-b82c-3519582e9850@gmail.com> (raw)
In-Reply-To: <87zgmybofe.fsf@meer.lwn.net>

On Thu, 10 Feb 2022 10:51:17 -0700,
Jonathan Corbet wrote:
> Akira Yokosawa <akiyks@gmail.com> writes:
[...]
>>
>> diff --git a/Documentation/Makefile b/Documentation/Makefile
>> index 9f4bd42cef18..64d44c1ecad3 100644
>> --- a/Documentation/Makefile
>> +++ b/Documentation/Makefile
>> @@ -26,7 +26,7 @@ SPHINX_CONF   = conf.py
>>  PAPER         =
>>  BUILDDIR      = $(obj)/output
>>  PDFLATEX      = xelatex
>> -LATEXOPTS     = -interaction=batchmode
>> +LATEXOPTS     = -interaction=batchmode -no-shell-escape
> 
> Interesting.  In my digging now and back in 2016 [1] everything I found
> said that \write18 had to be explicitly enabled - and for good reason.
> And I could never figure out *how* we were enabling it...  It turns out
> that the net misinformed me; how come nobody ever told me that could
> happen? :)
> 
> Anyway, I've applied this, but I'm going to tweak the changelog a bit.
> My reason for wanting this isn't to make the warning go away - it's a
> *tiny* piece of the noise of a pdfdocs build.  That warning is there for
> a reason; \write18 is dangerous.  We really don't want any way for
> arbitrary shell commands to be executed via the docs build.  So the new
> text is:
> 
>   It turns out that LaTeX enables \write18, which allows arbitrary shell
>   commands to be executed from the document source, by default.  This the
>   often-seen warning during a pdfdocs build:
> 
>     restricted \write18 enabled
> 
>   That is a potential security problem and is entirely unnecessary; nothing
>   in the kernel PDF docs build needs that capability.  So disable \write18
>   explicitly.

I don't think the "restricted \write18 enabled" mode permits *arbitrary*
shell commands.  This is different from adding -shell-escape, rather the
default option is -shell-restricted.  In this mode, only those commands
listed by "kpsewhich -var-value=shell_escape_commands" are allowed.

In my setting, it lists:
bibtex,bibtex8,extractbb,gregorio,kpsewhich,makeindex,repstopdf,r-mpost,texosquery-jre8,

As you can see, the format of the list indicates that the restriction
concerns only the name of the command, which might be circumvented in
a clever way :-/

-no-shell-escape is expected to plug the hole, but LaTeX/TeX
implementation might have an unknown security issue.  Who knows!

> 
> I think I'll add a Cc: stable while I'm at it.  I know of no actual
> threat, but this is best closed.
> 
> Thanks for fixing this,
> 
> jon
> 
> [1] https://lore.kernel.org/lkml/20161113125250.779df4dd@lwn.net/

Thanks for the link.
This is useful in understanding the early days of Sphinx adoption.

I'm kind of worried that Linus might get another flashback seeing
my updates in LaTeX preamble.  ;-)

        Thanks, Akira