LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > Programming
User Name
Password
Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.

Notices


Reply
  Search this Thread
Old 08-05-2020, 02:56 PM   #16
mina86
Member
 
Registered: Aug 2008
Distribution: Debian
Posts: 517

Rep: Reputation: 228Reputation: 228Reputation: 228

Quote:
Originally Posted by dminican_slax View Post
I feel like I have to reply to everyone but that'd make the thread too long.
Just post a new version of your code I suppose.

Quote:
Originally Posted by dminican_slax View Post
I don't know a lot about system() and it's security implications,
The main security implications aren’t necessarily in the way you’re using system. You’re passing a string literals so some of the problems are addressed. Security issues manifest themselves mostly when you try to craft a string or take it from the user and execute that. For example:
Code:
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char**argv) {
	char cmd[1024];
	snprintf(cmd, sizeof cmd,
		 "/bin/echo 'Hello, %s'",
		 argc < 2 ? "World" : argv[1]);
	system(cmd);
	return 0;
}
Code:
$ ./a 
Hello, World
$ ./a 'Jane Doe'
Hello, Jane Doe
$ ./a "Foo'; echo Executing evil command'"
Hello, Foo
Executing evil command
This particular issue can be fixed by using exec* which lets you pass arguments to the command directly (but remember that exec essentially ‘terminates’ process that calls the method so it’s not a drop-in replacement for system; to do what system does, the process first need to fork):
Code:
#include <stdio.h>
#include <unistd.h>

int main(int argc, char**argv) {
	char greeting[1024];
	snprintf(greeting, sizeof greeting,
		 "Hello, %s", argc < 2 ? "World" : argv[1]);
	execl("/bin/echo", "/bin/echo", greeting, (char*)0);
	return 1;
}
Code:
$ ./a "Foo'; echo executing evil command'"
Hello, Foo'; echo executing evil command'
There are some other attack vectors; not all of them are addressed by exec* functions. There are also of course some performance considerations which make system undesirable.

In your code one other issue is that you’re not quoting variables in the system commands, e.g. you should be using system("echo \"$SHELL\""); and same for other commands which print environment variables.

Speaking of environment variables though, there’s a getenv function which returns value of an environment variable if it’s set so you might prefer using that to system.

Last edited by mina86; 08-07-2020 at 03:46 AM. Reason: add missing \ in front of "
 
Old 08-06-2020, 07:48 AM   #17
SoftSprocket
Member
 
Registered: Nov 2014
Posts: 324

Rep: Reputation: Disabled
Quote:
Originally Posted by dminican_slax View Post
Guys thanks for your answers, as I said I was just trying to practice the use of system() this code is the version 4 of it I'll check on it and see if I can implement some of the things you've suggested. I feel like I have to reply to everyone but that'd make the thread too long. I don't know a lot about system() and it's security implications, I'm just a noob with a kinda complex hobby.









Greetings,
dminican_slax
It's important to check return values, where they exist. You could read up on system (man 3 system) and implement some error checking.
 
Old 09-02-2020, 02:27 AM   #18
Fat_Elvis
Member
 
Registered: Oct 2016
Distribution: FreeDOS 1.2
Posts: 299

Rep: Reputation: 90
I would agree that this kind of program would work better in a simpler environment such as Bash. I believe that was a big part of the Unix mindset from the beginning: several small programs relying on one another.

Since you are calling many external programs, there is no real advantage to be using C for this purpose.

If you want something a bit fancier with menus and such, you could use something like Perl, or write only the graphical/menu part in C. You could use the ncurses library for this purpose, but it is not that hard to do by hand.

There are some great tutorials for writing text-mode programs in C. Here's one: https://viewsourcecode.org/snaptoken/kilo/

For an introduction to the C language (with some pretty tough exercises), an excellent place to start is the Kernighan & Ritchie book.

Last edited by Fat_Elvis; 09-02-2020 at 02:44 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Firefox for iOS Offers New and Improved Browsing Experience with Tabs, Night Mode and QR Code Reader LXer Syndicated Linux News 0 07-21-2017 05:12 AM
LXer: Linux Multi-Monitor Support Could Be Improved LXer Syndicated Linux News 0 09-09-2012 05:00 AM
what are your views and experiences with pup and how could it be improved? jonyo Puppy 6 11-27-2011 09:14 PM
[SOLVED] I improved my bash script: could be better though... jtwdyp Linux - General 4 04-14-2011 11:36 PM
Perl disc maintenance script for Windows - works fine could be improved justinjoseph24 Programming 8 03-24-2008 10:14 PM

LinuxQuestions.org > Forums > Non-*NIX Forums > Programming

All times are GMT -5. The time now is 03:19 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration