On Sun, 3 Feb 2008 21:55:18 -0500, Axton wrote:

>Some more digging revealed the following:
>
>http://www.opengroup.org/onlinepubs/009695399/functions/popen.html
>
>The popen() function should not be used by programs that have set user (or
>group) ID privileges. The fork() and exec family of functions (except
>execlp() and execvp()), should be used instead. This prevents any unforeseen
>manipulation of the environment of the user that could cause execution of
>commands not anticipated by the calling program.

Basically all that says is whatever is run under popen runs as the caller. In this case ARS, which should not have those privileges - and if they are running as root they deserve all they get :-)

Calling something that uses popen from ARS is no better or worse than invoking any other command with a run process.

--
Regards

Dave Saville
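
The fork()/exec approach recommended in the quoted POSIX text, as an added example that is not part of either post: the child is started by absolute path with execve() and a fixed environment, so nothing from the caller's environment reaches it. The name run_clean, the PATH value and the /usr/bin/env target are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run the program at an absolute path with a fixed environment and capture
 * its stdout in out. Returns the child's exit status, or -1 on error. */
int run_clean(const char *path, char *const argv[], char *out, size_t outsz)
{
    /* Constructed minimal environment: nothing is inherited from the caller. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    char scratch[256];
    size_t used = 0;
    ssize_t n;
    int fds[2], status;
    if (outsz == 0 || path[0] != '/' || pipe(fds) == -1)
        return -1;                      /* absolute paths only */
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                     /* child */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) == -1) _exit(127);
        close(fds[1]);
        execve(path, argv, envp);       /* no shell, no PATH search */
        _exit(127);                     /* reached only if execve failed */
    }
    close(fds[1]);                      /* parent keeps the read end */
    for (;;) {  /* fill out; once full, drain the rest into scratch */
        int full = used >= outsz - 1;
        n = read(fds[0], full ? scratch : out + used,
                 full ? sizeof scratch : outsz - 1 - used);
        if (n > 0 && !full) used += (size_t)n;
        else if (n == 0 || (n < 0 && errno != EINTR)) break;
    }
    out[used] = '\0';
    close(fds[0]);
    while (waitpid(pid, &status, 0) == -1)
        if (errno != EINTR) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char buf[512];
    char *const av[] = { "env", NULL };  /* argv[0] only, no arguments */
    int rc = run_clean("/usr/bin/env", av, buf, sizeof buf);
    printf("exit=%d\n%s", rc, buf);      /* the child saw only PATH */
    return 0;
}
```
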

