On 11/6/05, Lionel Elie Mamane <[EMAIL PROTECTED]> wrote:
> On Sun, Nov 06, 2005 at 10:37:47AM +0200, Shachar Shemesh wrote:
> >> On Sun, Nov 06, 2005 at 02:35:19AM +0200, David Harel wrote:
>
> > If that is the case, David, just do "system" (I prefer fork+exec - saves
> > on the intermediate shell, but maybe that's just remnants of my Windows
> > days talking)
>
> Not necessarily. You also avoid a significant source of security
> problems if user input (directly or indirectly) influences in any form
> or shape the arguments you give to system / fork+exec.

Not only command line arguments but also environment variables (e.g. look up "IFS" in sh(1)). That's why system(3) and popen(3) are (or at least used to be) a no-no for suid programs and any program executed by a special-privileged user (e.g. daemons).

But then again - as Shachar said - if David will give more info of what he's trying to achieve (and show some hints for trying to find answers by himself) he might get much more useful answers.

--Amos

--
"We wanted proper outback: a place where men were men and sheep were nervous." - Bill Bryson, "Down Under"