On Fri, Oct 17, 2008 at 8:55 PM, Jonathon Kuo <[EMAIL PROTECTED]> wrote:
>
> On Oct 17, 2008, at 5:33 PM, Michael Ash wrote:
>
>> And most important of all (I think), it almost always opens a security
>> hole.
>>
>> This case is a great example. The system() call as posted uses "rm" as
>> the command. This in turn relies on the $PATH to hand over the correct
>> rm. It is probably feasible, maybe not even very hard, to ensure that
>> this person's application gets launched with a custom-crafted $PATH.
>> Make the first entry in $PATH be a special directory containing an
>> executable script called "rm" that spawns a root shell and makes it
>> listen on a certain TCP port and, bam, you've just been compromised.
>
>> Certainly there are a lot of ways to write security vulnerabilities.
>> But most of the time they happen because you make a mistake. System()
>> is insecure *by default*, and takes special effort and attention to
>> make it not be insecure. Much better is to simply not use it in the
>> first place, as no good can possibly come of it.
>
> If the coder doesn't take care to use fully qualified pathnames like
> /bin/rm, etc., then it opens the door to security issues. That's not an
> inherent problem with system(), per se, but the coder. Wouldn't
> fork()/exec() and NSTask also suffer from this same issue?
Actually, I'm pretty sure NSTask does not respect $PATH. The documentation
doesn't say, but I'm pretty sure it doesn't, since it has no reason to.

Fork()/exec() will only use $PATH if you use the "p" variants of the
functions. And as the doctor said to his patient, "well, don't do that".
The non-p variants will not examine $PATH at all.

It is trivial to write code using NSTask or fork()/exec() that can safely
call rm to delete a file. It's foolish to do for non-security reasons, but
the code will at least be *safe*. Doing the same with system() takes much
more attention, especially if anything you're doing requires variable
arguments.

The problems with system() are all rooted in the fact that it interprets
the command using a shell. Searching $PATH, variable expansion, and special
characters can all sink you. Using an API which doesn't use a shell gets
rid of the latter two, and using an API which also doesn't search $PATH
gets rid of all three. There are certainly other ways to write insecure
code, but at least you won't be using a call which is insecure by default.

Mike
_______________________________________________
Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
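A worked illustration of the point made above, added here and not part of the original thread or of either poster's code. It pits the `system("rm ...")` pattern against `fork()`/`execv("/bin/rm", ...)` under a hostile `$PATH`: the program builds a throwaway directory containing a fake `rm` (a shell script that only drops a marker file), makes `$PATH` point at that directory alone, and then tries to delete a victim file both ways. Everything about the demo environment (the `/tmp/pathdemo.*` directory, the fake `rm`, the marker file, the victim names) is constructed for the example, and the `--` argument terminator in the `execv` version is an extra precaution of mine that the thread does not mention.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* The pattern criticised in the thread: the command line goes through
 * "/bin/sh -c", so "rm" is looked up via $PATH and the file name is parsed
 * by the shell (word splitting, globbing, $expansion, ';', backticks, ...). */
static int remove_via_system(const char *path)
{
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "rm %s", path);     /* insecure by default */
    return system(cmd);
}

/* The alternative described in the reply: no shell, absolute path to the
 * binary, one argv slot per argument. execv() (not execvp()) never consults
 * $PATH. "--" is an added precaution so that a file name beginning with '-'
 * cannot be taken as an option by rm. */
static int remove_via_execv(const char *path)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "rm", "--", (char *)path, NULL };
        execv("/bin/rm", argv);
        _exit(127);                               /* only reached if execv failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* --- Constructed demo environment: a hostile $PATH holding a fake "rm" --- */

struct demo_env {
    char dir[64], fake_rm[128], victim[192], marker[128];
    char saved_path[4096];
    int had_path;
};

static int file_exists(const char *p) { return access(p, F_OK) == 0; }

static int write_file(const char *p, const char *data, mode_t mode)
{
    int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Creates <tmpdir>/rm (a script that only creates a marker file), a victim
 * file called victim_name, and sets $PATH to that directory alone. */
static int setup_hostile_path(struct demo_env *e, const char *victim_name)
{
    const char *old = getenv("PATH");
    e->had_path = old != NULL;
    if (old) snprintf(e->saved_path, sizeof e->saved_path, "%s", old);

    snprintf(e->dir, sizeof e->dir, "/tmp/pathdemo.XXXXXX");
    if (!mkdtemp(e->dir)) return -1;
    snprintf(e->fake_rm, sizeof e->fake_rm, "%s/rm", e->dir);
    snprintf(e->victim, sizeof e->victim, "%s/%s", e->dir, victim_name);
    snprintf(e->marker, sizeof e->marker, "%s/fake-rm-ran", e->dir);

    /* ':' is a shell builtin, so the fake rm needs nothing from $PATH itself. */
    char script[256];
    snprintf(script, sizeof script, "#!/bin/sh\n: > '%s'\n", e->marker);
    if (write_file(e->fake_rm, script, 0700) != 0) return -1;
    if (write_file(e->victim, "secret\n", 0600) != 0) return -1;
    return setenv("PATH", e->dir, 1);
}

static void teardown(struct demo_env *e)
{
    unlink(e->victim); unlink(e->marker); unlink(e->fake_rm); rmdir(e->dir);
    if (e->had_path) setenv("PATH", e->saved_path, 1); else unsetenv("PATH");
}

/* Returns 1 when system("rm ...") ran the attacker's rm and left the victim
 * untouched, i.e. the $PATH hijack described in the thread worked. */
int demo_system_follows_path(void)
{
    struct demo_env e;
    if (setup_hostile_path(&e, "victim.txt") != 0) return -1;
    int rc = remove_via_system(e.victim);
    (void)rc;                                     /* the shell exit code is not the point */
    int hijacked = file_exists(e.marker) && file_exists(e.victim);
    teardown(&e);
    return hijacked;
}

/* Returns 1 when execv("/bin/rm") removed the victim without the fake rm
 * ever running, even though the name is full of shell metacharacters. */
int demo_execv_ignores_path(void)
{
    struct demo_env e;
    if (setup_hostile_path(&e, "victim; $HOME `id`.txt") != 0) return -1;
    int rc = remove_via_execv(e.victim);
    int safe = rc == 0 && !file_exists(e.marker) && !file_exists(e.victim);
    teardown(&e);
    return safe;
}

int main(void)
{
    printf("system() hijacked by $PATH : %s\n", demo_system_follows_path() == 1 ? "yes" : "no");
    printf("execv()  ignores $PATH     : %s\n", demo_execv_ignores_path() == 1 ? "yes" : "no");
    return 0;
}
```

Run as-is it should report "yes" for both lines: the `system()` call executes whatever `rm` the environment hands it and never touches the victim, while the `execv()` call deletes the oddly named file and the fake `rm` is never consulted. The same idea carries over to NSTask, which takes a launch path and an argument array rather than a command string; in both cases the file name arrives as a single argv element, so `;`, `$HOME` and backticks are just bytes in a name.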