Hello Sun Managers,
I posted a summary about this topic and get remarks about some
security problems with using the "system" command.
mikem@centerline.com suggested to not use this:
system ("/usr/etc/mount_pcfs /dev/fd0 /pcfs pcfs rw,suid") ;
He proposes this:
** SOLUTION **
If you want a secure version of your program, use the 'execle' function!
It doesn't spawn an intermediate shell, and it won't pass on any trojan
environment variables. Substitute the following line for your "system"
command:
execle("/usr/etc/mount_pcfs","mount_pcfs","/dev/fd0","/pcfs","pcfs","rw",0)
Note that "mount_pcfs" appears twice; this isn't a typo. The first one is
the name of the command to invoke, the next one shows up as argv[0] in the
argument list, followed by the other arguments - device, mount point, type
of filesystem, and mount options. The zero at the end is the environment
pointer; in this case, I don't want to pass on _any_ environment variables,
so I have specified a null pointer. Check the man page for more info.
***********
Thanks to:
Mike Maciolek mikem@centerline.com
Geert Jan de Groot <GeertJan.deGroot@ripe.net>
guy@jpmorgan.com (Guy Polis)
Daniel Kakoun,
Daniel@brachot.jct.ac.il.
--
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:09:00 CDT