Sumanth Naropanth writes:
> James Carlson wrote on 10/28/08 18:02:
> > This is sort of a direct way of asking a more fundamental question:
> > what's the usage case?
>
> Places where system(3C) led to security bugs such as 6472377 (and
> related bug 6473508), 6438834, portions of 6754889, an older 4897594 and
> a more recent 6751653.

OK; thanks.  Those are the sort of references I was looking for -- at
least a few non-trivial cases where system() was used, but shell
semantics weren't expected.  I expected there to be a fair number that
couldn't be covered because they contain shell meta characters of some
sort.

> style with relative pathnames and user inputs.  Several of these don't
> use any shell meta-characters and don't require the shell.  Recent bugs
> like 6751653 show that newer code in the future may introduce unsafe
> usages of system(3C) and those could be easily fixed via exec_system()
> instead of a more elaborate fork()/exec()/waitpid() way.

In that case, +1.

One nit, though: I don't like the name exec_system().  "Exec" isn't the
defining characteristic -- and you've said you're not even going to use
exec(2) anyway, but rather posix_spawn(3C) instead.  The defining
characteristic of the interface is that, unlike system(3C), you don't
implicitly invoke the shell.  I think the name should reflect that.
system_noshell(3C) or just simply noshell(3C) seem like better names.

But just a nit; I don't really care what you call it.

-- 
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W    Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
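The message above argues for a system(3C)-like interface that takes an argument vector and never goes through the shell, implemented on posix_spawn(3C). The following is an added example written for this page, not code from the thread, from Sumanth's proposal or from OpenSolaris: a minimal wrapper of that shape. The name system_noshell, the optional stdout capture, the helper run_noargs and the sample argument string "hello; id && echo owned" are assumptions of this example. The demonstration shows the security-relevant property the thread is after: an argument containing ';' and '&&' reaches the child as one literal string, whereas the same text spliced into a system(3C) command line would be parsed by the shell as three commands.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/*
 * Run argv[0] with the given argument vector and no shell in between.
 * Every argv element reaches the child exactly as given, so characters
 * such as ';', '&&', '|' or '$' are data, not syntax.  If out is non-NULL,
 * the child's stdout is captured into it (at most outlen-1 bytes, then
 * NUL-terminated).  Returns the child's exit status (0..255), or -1 with
 * errno set if it could not be spawned or did not exit normally.
 *
 * Caveat: posix_spawnp() resolves argv[0] through PATH much like a shell
 * would; when that matters (privileged callers, untrusted environment),
 * pass an absolute path and use posix_spawn() instead.
 */
int system_noshell(char *const argv[], char *out, size_t outlen)
{
    posix_spawn_file_actions_t fa;
    int pipefd[2] = { -1, -1 };
    pid_t pid;
    int status, rc;

    if (argv == NULL || argv[0] == NULL || (out != NULL && outlen == 0)) {
        errno = EINVAL;
        return -1;
    }
    if (out != NULL && pipe(pipefd) != 0)
        return -1;

    if ((rc = posix_spawn_file_actions_init(&fa)) != 0) {
        if (out != NULL) { close(pipefd[0]); close(pipefd[1]); }
        errno = rc;
        return -1;
    }
    if (out != NULL) {
        /* In the child: stdout -> pipe write end, then drop both pipe fds. */
        posix_spawn_file_actions_adddup2(&fa, pipefd[1], STDOUT_FILENO);
        posix_spawn_file_actions_addclose(&fa, pipefd[0]);
        posix_spawn_file_actions_addclose(&fa, pipefd[1]);
    }

    rc = posix_spawnp(&pid, argv[0], &fa, NULL, argv, environ);
    posix_spawn_file_actions_destroy(&fa);
    if (out != NULL)
        close(pipefd[1]);               /* the parent only reads */
    if (rc != 0) {
        if (out != NULL) close(pipefd[0]);
        errno = rc;                     /* posix_spawn reports errors by value */
        return -1;
    }

    if (out != NULL) {
        size_t n = 0;
        ssize_t got;
        /* Drain until EOF or the buffer is full (a child producing more than
         * the buffer holds may then die of SIGPIPE, reported as -1 below). */
        while (n < outlen - 1 &&
               (got = read(pipefd[0], out + n, outlen - 1 - n)) > 0)
            n += (size_t)got;
        out[n] = '\0';
        close(pipefd[0]);
    }

    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status)) {
        errno = EINTR;                  /* terminated by a signal */
        return -1;
    }
    return WEXITSTATUS(status);
}

/* Convenience helper (assumed name): run a program with no arguments. */
int run_noargs(const char *prog)
{
    char *argv[] = { (char *)prog, NULL };
    return system_noshell(argv, NULL, 0);
}

/*
 * Constructed demonstration: the argument below is shell syntax if a shell
 * ever sees it, but as a single argv element it is plain text that echo
 * prints back unchanged.  Returns 1 when the child echoed it byte-for-byte.
 */
int demo_metachars_are_data(void)
{
    static const char arg[] = "hello; id && echo owned";   /* constructed */
    char *argv[] = { "echo", (char *)arg, NULL };
    char buf[128];

    if (system_noshell(argv, buf, sizeof buf) != 0)
        return 0;
    return strncmp(buf, arg, strlen(arg)) == 0 && buf[strlen(arg)] == '\n';
}

int main(void)
{
    printf("metacharacters passed literally: %s\n",
           demo_metachars_are_data() ? "yes" : "no");
    return 0;
}
```

The relative-pathname bug style mentioned in the quoted text is not cured by dropping the shell: PATH lookup in posix_spawnp() is the same hazard, which is why the wrapper's comment steers privileged callers to absolute paths and posix_spawn().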
