[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]

RE: script timer

Subject: RE: script timer
From: LENGARD Pascal OCISI <pascal.lengard@xxxxxxxxxxxxxxxx>
Date: Wed, 11 Aug 1999 08:52:07 +0200

just my 2c
>
>      Hi Binand,
>
>      I totally agree with you that for any program that
> involves security
>      issues, and runs with suid/ sgid bits set, should never
> make system()
> calls.
>      system() infact always invokes /bin/sh -c string (refer
> man). So even
>      if the PATH variable does not contain /usr/local/bin,
> you can invoke a
>      program using /usr/local/bin/my_prog, I think that will expand to
>      ** /bin/sh -c /usr/local/bin/my_prog **
>      /bin/sh is generally a link to /usr/bin/some_sh, so
> system() call does
>      not check if it is present. If the call fails it returns 127.
>      So, the PATH variable doesn't really matter.

That is not the only problem, try playing around with IFS shell variable   
for example...
LOTS of security holes are taking advantages of this. If security is a   
problem,
this is simply a no go: Lots of crackers smarter than i am may use this   
weak point
to gain root access so no need to argue. Just Don't use.

> exec() calls also need
>      the total path.

Yes but excec() does not use all the environement variables that one can   
use to change a /bin/sh behaviour

>      PS1> As always **no offence**
just the same...

>
>
>      Suvendra
pascal  
- --------------------------------------------------------------------
For more information on Linux in India visit http://www.linux-india.org/
The Linux India mailing list does not accept postings in HTML format.

------------------------------

Prev by Subject: RE: script timer
Next by Subject: Re: script timer
Previous by thread: RE: script timer
Next by thread: Re: script timer
Index(es):
- Subject
- Thread