SPUG: exec question

Ben Reser ben at reser.org
Fri Feb 11 11:39:49 PST 2005


On Fri, Feb 11, 2005 at 10:54:43AM -0800, Tim Maher wrote:
> Regarding the difference in interpretation between the single-argument
> vs. multi-argument version of system, in the example I showed,
> metacharacter interpretation was /desired/, which is precisely why
> I showed the single-argument version.
> 
> The metacharacters that needed interpretation included the ">"
> for output redirection, which I thought the original poster might
> need, and the "&" for background execution, which he definitely
> needs if he wants his script not to wait for the shell command to
> exit before continuing (unless he wants to do the fork/exec himself).

I perfectly understood why you did what you did.  Using the shell for
that is completely wrong IMHO.  It is unnecessary to achieve the desired
result and opens you up to security issues.  The little bit of effort to
code a fork/exec is offset by simply not having to worry about shell
meta-characters.

Additionally, he seemed to not want any extra processes hanging around.
Your use of the shell just trades a perl script for a shell.  Sure the
shell is smaller, but you're ultimately not giving him what he wanted.

> Your statement "don't ever do stuff like what Tim showed you" is
> really uncalled for, and may discourage people from using
> features that can benefit them!

No, I'm discouraging people from using features that I see create
security problems over and over and over again.  What usually happens is
someone uses such a feature understanding (or maybe not) the security
implications.  They know they aren't passing any arguments along and
don't bother to include quoting.  Then someone else comes along and adds
an argument to be passed along from some external output...  They didn't
realize the implication and have now just introduced a vulnerability.

One simple way to avoid this is to do the fork yourself and use exec.
Sure it takes a few more minutes to code but it's long term much safer.

For those wanting to see how to do it with fork/exec see:
http://www.perl.com/doc/manual/html/pod/perlfunc/fork.html

However, I still don't think that's what he really wanted.  I think he
actually wanted just exec and was possibly confused about how it worked.

> There's no need to be afraid of the shell if you take appropriate
> precautions, which comes down to quoting funny characters that you
> want taken literally.
> 
> See http://www.TeachMeUnix.com/quoting.html for a detailed
> discussion of the proper use of shell quoting techniques.

Yeah and you:

a) Didn't mention that.

b) Many people don't bother to use these techniques.

-- 
Ben Reser <ben at reser.org>
http://ben.reser.org

"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken

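The fork/exec approach Ben recommends above, as an added example that is not part of the original message (assumes a Unix system with /usr/bin/printf; the untrusted string and the sub name are constructed for illustration):

```perl
#!/usr/bin/perl
# Added example (not from the thread): run a command in the background
# without handing its arguments to a shell, using fork + list-form exec.
use strict;
use warnings;
use POSIX ();

# Let the kernel reap finished children automatically, so the parent never
# has to wait and no zombie processes hang around.
$SIG{CHLD} = 'IGNORE';

# Constructed untrusted input: a filename containing shell metacharacters.
# The single-argument form discussed above, e.g.
#   system("printf '[%s]\\n' $untrusted &");
# would hand this whole string to /bin/sh, which splits it at the ';'.
my $untrusted = 'report.txt; echo METACHARS-WERE-INTERPRETED';

# Start a program in the background without a shell.  Returns the child's
# PID; the parent continues immediately instead of waiting for exit.
sub run_in_background {
    my @argv = @_;                       # program path followed by its arguments
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: the indirect-object list form never invokes /bin/sh, so every
        # element of @argv reaches the program exactly as written, even when
        # there is only one element or it contains spaces, ';', '>' or '&'.
        exec { $argv[0] } @argv or do {
            warn "exec $argv[0] failed: $!";
            POSIX::_exit(127);           # skip END blocks and buffers in the child
        };
    }
    return $pid;                         # parent: no wait, no shell, no zombie
}

# printf(1) prints each argument inside brackets, so the output shows the
# metacharacters arriving as part of one literal argument:
#   [report.txt; echo METACHARS-WERE-INTERPRETED]
my $pid = run_in_background('/usr/bin/printf', '[%s]\n', $untrusted);
print "started child $pid; parent continues without waiting\n";
```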
