On 10/28/08, Roland Mainz <roland.mainz at nrubsig.org> wrote:
> Sumanth Naropanth wrote:
> [CC:'ing shell-discuss at opensolaris.org to get some feedback from the
> experts there]
> > Here is a proposal for a small project that aims to deliver a secure C
> > library function as an alternative to the system(3C) function. Please
> > share your thoughts and comments.
> >
> > Regards,
> > Sumanth
> >
> > ----------------------------------------------------------------------
> > Proposal:
> >
> > The system(3C) C library function invokes the shell to execute the
> > argument string supplied to it. This function is frequently used to
> > execute a file when it is not necessary to invoke the shell at all.
> > Searching through the OpenSolaris source files for the usage of the
> > system() function produces over 200 hits, a large number of which are
> > just binary executions which should rather be done in a safer way using
> > the exec(2) family of system calls.
> >
> > The system(3C) function subjects the execution of the file/command to be
> > affected by the PATH, IFS and other environmental variables. Special
> > characters may be intentionally injected in cases where system() is
> > called on unsanitized user input, causing system() to execute arbitrary
> > commands. The Sun Bugtraq database lists several security bugs that
> > can be root-caused to poor usage of the system(3C) function. Developers
> > usually prefer to use the system() function over
> > fork()/exec()/wait() due to its simple semantics.
> >
> > This project aims to provide a new public interface called the
> > 'exec_system()'. This function will be implemented to provide the same
> > ease of use as the system(3C), by defining a single (const char *)
> > argument. The implementation will be a wrapper around the
> > posix_spawn(3C)/waitpid(3C) functions. This interface will provide
> > greater security in comparison with the system() function by avoiding
> > shell invocation. Quoted arguments will be supported by using a new
> > macro called 'ES_QUOTE', which will be defined as:
> >
> > #define ES_QUOTE '\377%s\377'
> >
> > The special character '\377' is chosen since it lies outside the
> > printable character set. This quoting mechanism will make it harder for
> > arbitrarily quoted user inputs to cause execution of unintended code.
Do we have April 1st today? mmmh, guess we don't, eh? The author missed the 1st grade IT class then. You can't pick an arbitrary character, declare it "special" and use it for your quoting. This is not how Unix works. A user must be able to escape the quote character itself.

Knut
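The proposal quoted above argues for replacing system(3C) with a posix_spawn(3C)/waitpid wrapper so that the shell never parses user input. The following is an added example, not code from the proposal, from Sumanth's project, or from OpenSolaris libc, showing the argv-vector form of that idea; run_argv() and echo_literal() are hypothetical names, and the sample input is constructed. Because each argument is its own argv element, shell metacharacters in user input reach the child verbatim, so no in-band quote character (ES_QUOTE or otherwise) is needed and there is nothing for a user to escape.

```c
#include <errno.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Hypothetical helper: spawn argv[0] (searched on PATH) with the given
 * argv vector and no shell. If out != NULL and outlen > 0, the child's
 * stdout is captured into out (NUL-terminated, truncated if needed).
 * Returns the child's exit status (0-255), 128+signal if it was killed,
 * or -1 on error with errno set. */
static int run_argv(char *const argv[], char *out, size_t outlen)
{
    int capture = (out != NULL && outlen > 0);
    int fds[2] = { -1, -1 };
    posix_spawn_file_actions_t fa;
    pid_t pid;
    int status, rc;

    if (capture && pipe(fds) != 0)
        return -1;

    posix_spawn_file_actions_init(&fa);
    if (capture) {
        /* child: write end becomes stdout, pipe fds themselves are closed */
        posix_spawn_file_actions_adddup2(&fa, fds[1], STDOUT_FILENO);
        posix_spawn_file_actions_addclose(&fa, fds[0]);
        posix_spawn_file_actions_addclose(&fa, fds[1]);
    }

    /* argv is passed as a vector: no word splitting, no IFS, no globbing */
    rc = posix_spawnp(&pid, argv[0], &fa, NULL, argv, environ);
    posix_spawn_file_actions_destroy(&fa);
    if (capture)
        close(fds[1]);
    if (rc != 0) {
        if (capture)
            close(fds[0]);
        errno = rc;
        return -1;
    }

    if (capture) {
        size_t used = 0;
        ssize_t n;
        char scratch[256];
        while (used + 1 < outlen &&
               (n = read(fds[0], out + used, outlen - used - 1)) > 0)
            used += (size_t)n;
        out[used] = '\0';
        /* drain anything beyond the buffer so the child never blocks */
        while (read(fds[0], scratch, sizeof scratch) > 0)
            ;
        close(fds[0]);
    }

    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return 128 + WTERMSIG(status);
}

/* Hypothetical helper: echo one untrusted string. With system("echo ...")
 * the shell would interpret ';', '>', '$' and friends; here the string is
 * a single argv element and echo prints it unchanged. */
static int echo_literal(const char *user_input, char *out, size_t outlen)
{
    char *const argv[] = { "echo", (char *)user_input, NULL };
    return run_argv(argv, out, outlen);
}

int main(void)
{
    char buf[256];
    /* constructed sample input that looks like a shell injection attempt */
    const char *input = "hello; echo INJECTED > /tmp/marker";
    int rc = echo_literal(input, buf, sizeof buf);
    printf("exit=%d stdout=%s", rc, buf);
    return rc < 0 ? 1 : rc;
}
```

Run as written, the program prints the whole input string on one line and creates no /tmp/marker, because the ';' and '>' were never seen by a shell. The exit status of the child is still returned to the caller, which is the only part of system(3C)'s convenience that a vector-based wrapper needs to keep.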