Why is system() insecure?
From the Debian system() man page:
Quote:
#1. What do they mean by "strange values for some environment variables"? Suppose I have this: system("/bin/ls"). Why would this be insecure? I thought it might be because of a malformed IFS + PATH variable, i.e.: Code:
/* We have the SUID-root `insecure` binary which makes a call to system() at some point, exact call being: system("/bin/ls") */ -- I think I might as well extend this a bit: where can I read about generally insecure functions (the above mentioned man page seems to also discount execlp and execvp, but yet again I do not know why) -- why they are insecure, and the recommended alternatives? [Note to any eventual moderators reading: I'm not sure this doesn't belong to Programming; if you consider it does, please *do* move it, as my interest is for the thread to get the appropriate exposure. Thank you, and sorry for any eventual trouble.]
Linux ignores suid and guid in scripts to avoid a race condition vulnerability.
Quote:
The most basic reason for using exec() instead of system() is that the exec() has an argument requiring the path. system() simply calls /bin/sh with the argument you supplied. Exec() also allows controlling the environment variables.
Quote:
Even if this were the case, by modifying IFS and PATH I'd still have to be able to "trick" `insecure` into executing "bin" with the argument "ls", whether the SUID bit is honoured or not. Ok, let me just make a really practical example: Code:
$ cat insecure.c
There's a diff between
1. IFS (cmd PARAM separation)
2. path delimiters eg '/'
3. cmd delimiters ie ';'
Given this is Linux, why don't you just "use the source, Luke" (ie read the src code of the 'cmds/progs' you want to understand).
Since my quest is to understand why the C system() call is insecure, I'm not sure what source I should read. Please be so kind as to tell me.
Also, I'm not sure what you mean by "There's a diff between PARAM sep. and PATH delimiters". If I set "/" to delimit parameters, why would "/bin/ls" still be considered "program ls in directory bin" instead of "program bin with argument ls"? /bin/ls : <PARAM SEPARATOR>bin<PARAM SEPARATOR>ls
Re your 2nd qn: if you read the src code for the shell, you'll find out what you want to know, but in short I believe you'll find that the three concepts/delimiters I defined are treated SEPARATELY and differently. IOW, you cannot use IFS to affect the other 2.
HTH
Re qn 1. I expect the system() insecure thing is to do with passing params (possibly user supplied) to a shell which will then interpret them, ie http://www.owasp.org/index.php/Command_Injection
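To make the two points of the thread concrete (the shell re-parsing the string, and the child inheriting the caller's environment), here is an added example that is not code from the thread: system() beside a fork+execve replacement that takes an absolute path, an argv vector and a fixed minimal environment. It assumes /bin/sh and /bin/true exist; UNTRUSTED_VAR is a constructed variable name used only as a probe.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* The pattern under discussion: the whole line goes to /bin/sh -c, which
 * inherits the caller's environment (PATH, IFS, ...) and interprets shell
 * metacharacters. Returns a wait status, not an exit code. */
int run_via_shell(const char *cmdline)
{
    return system(cmdline);
}

/* Hardened replacement: absolute path only (no PATH lookup), arguments as a
 * vector that is never re-parsed, and a fixed environment instead of the
 * caller's. Returns the child's exit code, or -1 on failure. */
int run_without_shell(const char *path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid;

    if (path == NULL || path[0] != '/')
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);   /* only returns on failure */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Plants a constructed variable in our own environment and asks a child
 * shell whether it can see it. Returns 1 when system()'s shell sees it
 * (exit 1 from the test) but the execve child, given clean_env, does not. */
int env_isolation_holds(void)
{
    char *const probe[] = { "sh", "-c", "[ -z \"$UNTRUSTED_VAR\" ]", NULL };
    setenv("UNTRUSTED_VAR", "1", 1);
    int leaked = WEXITSTATUS(run_via_shell("[ -z \"$UNTRUSTED_VAR\" ]")) != 0;
    return leaked && run_without_shell("/bin/sh", probe) == 0;
}

int main(void)
{
    return env_isolation_holds() ? 0 : 1;
}
```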