|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
|
Re: [PLUG] unix cp function call (thanks)
|
On Fri, Jun 14, 2002 at 04:31:00PM -0400, Bill Jonas wrote:
> On Fri, Jun 14, 2002 at 04:26:56PM -0400, Walt Mankowski wrote:
> > Or you can call system(3).
>
> Oh, right, there's that too, which is nicer and takes care of all that
> for you. Can you tell I don't really do C all that much? ;-)
someone correct me if I'm wrong, but I think there might be some security
implications of using system(3). I'm not sure how important it is
in your specific case, but I believe system passes the environment on to
an equivalent of '/bin/sh -c command'. if this were to be done in a program
that might later be made setuid/setgid root, a malicious user could
do things like chrooting and re-arranging his/her path so that "cp"
pointed to a script in his/her homedir that did something like 'dd
if=/dev/random of=/dev/hd?'.
i'd check the manpage for system(3) and exec(3) fmi if that's a concern
--sean
______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug
|
|