Home > Archive > Unix Programming > February 2007 > safe syscal?
safe syscal?
Zach

2007-02-05, 7:05 pm

Anyone know of a safe system() routine for *nix?

Zach

Eric Sosman

2007-02-05, 7:05 pm

Zach wrote On 02/05/07 13:12,:
> Anyone know of a safe system() routine for *nix?


Try system(). ;-)

(In other words, what do you mean by "safe?" Safe
for use inside a signal handler, safe in a multi-threaded
program, safe from abuse by hackers who diddle the shell
environment variables, safe when used as directed, safe
because the shortstop missed the tag, ...?)

--
Eric.Sosman@sun.com
William Ahern

2007-02-05, 7:05 pm

On Mon, 05 Feb 2007 10:12:27 -0800, Zach wrote:
> Anyone know of a safe system() routine for *nix?


Well, you can't really have a "safe" replacement for system(3). Its
features are its liabilities; the only difference is the context in which
they're being used.

A long time ago I wrote some routines which tried to merge the interfaces
of execve()/execl() and popen(). In this case, I was trying to create a
"safe" popen()--similar to system(), not wanting to have to deal with
shell attacks. Example usage:

FILE *fp;
fp = popenl("/bin/ls","ls","/tmp",NULL,"2>/dev/null >%s","/tmp/ls.out");

The I/O redirection was handled by an internal parser. (Whether this is
"safer" than using system() is left up to the reader. ;)

http://www.25thandclement.com/~will...s/cnippets.html
Zach

2007-02-05, 7:05 pm

On Feb 5, 2:25 pm, Eric Sosman <Eric.Sos...@sun.com> wrote:
>
> Try system(). ;-)


Hi Eric,

Doh :)

> (In other words, what do you mean by "safe?" Safe
> for use inside a signal handler, safe in a multi-threaded
> program, safe from abuse by hackers who diddle the shell
> environment variables, safe when used as directed, safe
> because the shortstop missed the tag, ...?)


I'd read in some security books recently about the dangers of using
vanilla system() calls as crackers could use this in exploits. So I
was curious if any type of wrapper had been developed for it. I looked
in the POSIX manual but didn't see anything mentioned.

Zach

Zach

2007-02-05, 7:05 pm

On Feb 5, 4:49 pm, William Ahern <will...@25thandClement.com> wrote:
> The I/O redirection was handled by an internal parser. (Whether this is
> "safer" than using system() is left up to the reader. ;)
>
> http://www.25thandclement.com/~will...s/cnippets.html


Thanks, I'll take a look at this, William.

Zach


Eric Sosman

2007-02-05, 7:05 pm

Zach wrote On 02/05/07 17:55,:
> On Feb 5, 2:25 pm, Eric Sosman <Eric.Sos...@sun.com> wrote:
>
> Hi Eric,
>
> Doh :)
>
> I'd read in some security books recently about the dangers of using
> vanilla system() calls as crackers could use this in exploits. So I
> was curious if any type of wrapper had been developed for it. I looked
> in the POSIX manual but didn't see anything mentioned.


Thanks for the clarification. As I understand it (and
I'm definitely not a security expert), anything that runs a
sub-shell would be vulnerable to the same attacks system()
is. Forking and executing a non-shell closes off some of
those attacks, but not all -- and it's difficult to tell
whether a file is or isn't a shell script when the hacker
is "outside" your program, re-targeting symlinks in hopes
of catching the moment between your determination that a
file is safe and the moment when you actually exec it ...

In short, my (limited) understanding is that the kinds
of attacks used against system() can't really be fixed by
"a better system()" but require a more comprehensive defense.
To learn more, I'd suggest you Google "Unix security" -- a
lot of what you'll find is about network and file system
security, but I bet there'll be some fruitful links.

--
Eric.Sosman@sun.com
William Ahern

2007-02-05, 7:05 pm

On Mon, 05 Feb 2007 14:57:18 -0800, Zach wrote:

> On Feb 5, 4:49 pm, William Ahern <will...@25thandClement.com> wrote:
>
> Thanks I'll take a look at this William.


If you aren't using redirection, and aren't using the shell for anything,
then the answer to your original post is to use fork() and execl()
alone, executing the program directly (as opposed to "sh -c
'my_program'", which is what system() does). In Perl, for instance,
you almost always want to pass a list of arguments to the system
subroutine call, in which case Perl bypasses the C system() call--and
consequently the shell--altogether, likewise by using fork() and execl()
directly. For C, you just need to create another routine which does
this for you. fork(), then the child calls execl() with your arguments, and
the parent blocks on waitpid(). Many programs do this inline, since the
abstraction isn't useful elsewhere in that code base, and the extra
amount of code is nominal.

All the shell attack exploits are gone because the shell is never invoked.
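The fork()/execl()/waitpid() pattern William describes, written out as an added example in C (not code from the thread or from William's cnippets). It assumes /bin/echo and /bin/false exist and captures the child's stdout through a pipe so the result can be inspected:

```c
/* Added example, not from the thread: run a program with fork()/execv()/
 * waitpid() instead of system(), so no shell ever parses the arguments. */
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run `path` with `argv`, capture its stdout into `out` (NUL-terminated)
 * and return the child's exit status: -1 on local failure or abnormal
 * termination, 127 if exec failed in the child (the shell's convention). */
int run_capture(const char *path, char *const argv[], char *out, size_t outlen)
{
    int fd[2], status;
    if (outlen == 0 || pipe(fd) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) {
        close(fd[0]); close(fd[1]);
        return -1;
    }
    if (pid == 0) {                 /* child */
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO); /* stdout -> pipe */
        close(fd[1]);
        execv(path, argv);          /* argv reaches the program verbatim */
        _exit(127);                 /* only reached if execv failed */
    }
    close(fd[1]);                   /* parent: read until EOF or buffer full */
    size_t used = 0;
    ssize_t n;
    while (used < outlen - 1 &&
           (n = read(fd[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fd[0]);                   /* a child still writing gets SIGPIPE */
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Echo one untrusted string. system("echo ...") would let sh interpret it;
 * here /bin/echo just prints it back, metacharacters and all. */
int echo_literal(const char *untrusted, char *out, size_t outlen)
{
    char *argv[] = { "echo", (char *)untrusted, NULL };
    return run_capture("/bin/echo", argv, out, outlen);
}
```

A production version would also reset signal dispositions and close inherited descriptors in the child; the point here is only that the argument vector never passes through a shell.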
Ivan Novick

2007-02-05, 7:05 pm

On Feb 5, 2:55 pm, "Zach" <net...@gmail.com> wrote:
> On Feb 5, 2:25 pm, Eric Sosman <Eric.Sos...@sun.com> wrote:
>
> I'd read in some security books recently about the dangers of using
> vanilla system() calls as crackers could use this in exploits. So I
> was curious if any type of wrapper had been developed for it. I looked
> in the POSIX manual but didn't see anything mentioned.


This assumes you are getting input from the application as to what
command you are passing to system no?

If I call system in my program, but the entire command line I pass to
system is something I create without any input text from the user,
then there is no chance of running something bad....

Ivan Novick
http://www.0x4849.net

Eric Sosman

2007-02-06, 4:08 am

Eric Sosman wrote:
> [...]
> In short, my (limited) understanding is that the kinds
> of attacks used against system() can't really be fixed by
> "a better system()" but require a more comprehensive defense.
> To learn more, I'd suggest you Google "Unix security" -- a
> lot of what you'll find is about network and file system
> security, but I bet there'll be some fruitful links.


Found one such (I *knew* I had a bookmark somewhere):

http://en.tldp.org/HOWTO/Secure-Programs-HOWTO/

Section 8 discusses many of the issues affecting system() and
related services, and what you can do about them.

--
Eric Sosman
esosman@acm-dot-org.invalid

Zach

2007-02-06, 8:04 am

On Feb 5, 11:13 pm, Eric Sosman <esos...@acm-dot-org.invalid> wrote:
>
> Found one such (I *knew* I had a bookmark somewhere):
>
> http://en.tldp.org/HOWTO/Secure-Programs-HOWTO/
>
> Section 8 discusses many of the issues affecting system() and
> related services, and what you can do about them.


This is great stuff. Thanks Eric.

Zach

Copyright 2008 codecomments.com