On Wed, Feb 16, 2011 at 6:10 PM, GSO <gso...@yahoo.co.uk> wrote:
>> pretty much better off with sudo, or a tiny C wrapper that's so simple
>> it's hard to get wrong. However, perl's taint feature would be useful
>
> This snippet is about as tiny as it gets in C I think:

Well, it could be tinier really, and actually, this isn't that bad.

> #include <stdlib.h>   /* exit() */
> #include <unistd.h>   /* execle() */
>
> int main (int argc, char ** argv) {
>     int err;
>
>     /* Empty environment for the child: nothing is inherited from the caller. */
>     char *newenv[] = { NULL };
>
>     /* Fixed absolute path, no PATH search, no shell; execle only returns on failure. */
>     if ((err = execle("/usr/bin/pauseme", "pauseme", NULL, newenv)) < 0 ) {
>         exit(err);
>     }
>
>     return 0; // never reached!
> }
>
> http://linuxgazette.net/67/tag/20.html
>
> But even this is considered to be risky.

Some people just like to make security sound impossible; they think it makes them look smarter or something. Then again, this is Linux Gazette, which usually caters to relative Linux novices, so maybe such stern warnings are appropriate (for a while - sometimes novices don't stay novices forever).

If you empty the environment, don't spawn a subshell, don't scan the path, avoid reading or writing undefined memory, and carefully check your error returns, you're generally in good shape with something as simple as a wrapper. Yes, simple.

The signal vulnerability thing appears to be mostly about exploiting overcomplicated signal handlers in the child process (e.g., don't use any system calls in signal handlers - not to be confused with system(3)), and the file descriptor thing ISTR is mostly an issue when someone calls open() without correctly checking for an error return - but something like Python would typically traceback - it wouldn't just pretend things were fine.

However, if you still think C wrappers are too complex, I believe there's nothing stopping _you_ from using sudo.

--
http://mail.python.org/mailman/listinfo/python-list
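As an added example (not code from the message above or from the Linux Gazette article), a wrapper built along the lines the reply lists: fixed absolute target, emptied environment, no shell, no PATH search, a whitelist on the single optional argument, and an exec error return that is actually checked. The target path /usr/bin/pauseme is taken from the quoted snippet; the argument filter, the 64-byte limit and the clean PATH value are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fixed absolute path: no PATH search, no shell, no caller-chosen target.
   Assumed here; substitute the real program in a deployment. */
#define TARGET "/usr/bin/pauseme"

/* The only environment the child sees; the caller's environment is dropped.
   The PATH value is an assumption for the example. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Accept only short arguments made of [A-Za-z0-9._-]: no shell
   metacharacters, no empty strings, no oversized input. */
int arg_is_safe(const char *arg) {
    size_t n = strlen(arg);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.'))
            return 0;
    }
    return 1;
}

/* Validate argv[1..] and exec `path` with the clean environment.
   Returns only on failure (-1), with errno set: EINVAL for a rejected
   argument, otherwise whatever execve(2) reported (ENOENT, EACCES, ...). */
int run_wrapped(const char *path, char *const argv[]) {
    for (int i = 1; argv[i] != NULL; i++) {
        if (!arg_is_safe(argv[i])) { errno = EINVAL; return -1; }
    }
    execve(path, argv, clean_env);
    return -1;  /* execve came back, so it failed; errno is already set */
}

int main(int argc, char **argv) {
    if (argc > 2) { fputs("usage: wrapper [arg]\n", stderr); return 2; }
    /* Fully initialised so no element is ever read uninitialised. */
    char *child_argv[3] = { "pauseme", argc == 2 ? argv[1] : NULL, NULL };
    if (run_wrapped(TARGET, child_argv) < 0) {
        perror("exec failed");  /* never silently pretend it worked */
        return 1;
    }
    return 0; /* not reached: on success the process image is replaced */
}
```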