Subject: Re: system(3) caveat
To: None <>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-userlevel
Date: 05/11/2006 10:01:11
>    in system(3) it says

>      Never supply the system() function with a command containing any part of
>      an unsanitized user-supplied string.  Shell meta-characters present will
>      be honored by the sh(1) command interpreter.

> and I'm wondering if 'Never' means 'NEVER!', or if its ok to do that
> in my case, which is that I'm providing a user program that will act
> on an event by running a command that the user provides..

Provided all you pass to system() is the user-provided string, you
should be OK.  The warning is against things like
	sprintf(cmd,"telnet %s",user_provided_hostname);
without first verifying that user_provided_hostname is free of shell

> The command is not a suid program, is there a particular security
> issue I should be aware of?

The only one that comes to mind is that this allows the user to run
arbitrary shell commands.  This is not normally a risk, but if this
gets used in an environment where some users have restricted shells
that allow them to execute only certain commands, it could open up a
way for them to bypass that restriction.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B