
Re: setuid system() calls on Solaris 11

by baataboom (Initiate)
on Jul 25, 2018 at 15:11 UTC (#1219267)

in reply to setuid system() calls on Solaris 11

So replacing something like this:
if (system ( "/usr/bin/cp -f $version/$obj $dest 2> /dev/null")) {
if (system ( '/usr/bin/cp', '-f', "$version/$obj", $dest, '2>', '/dev/null')) {
would work? And maybe this would be more of a drop-in replacement, i.e. keep /bin/sh in the call to avoid behavior diffs from changing to a no-shell execution?
if (system ( '/bin/sh', '-p', '-c', '/usr/bin/cp', '-f', "$version/$obj", $dest, '2>', '/dev/null')) {

Re^2: setuid system() calls on Solaris 11
by hippo (Chancellor) on Jul 25, 2018 at 15:29 UTC
    system ( "/usr/bin/cp -f $version/$obj $dest 2> /dev/null")

    The 2> /dev/null is a shell construct for redirecting FD 2 so you would need a shell to handle that. However, why would you want to redirect FD 2 to /dev/null anyway? Surely you want to log the details of any failure?

    Furthermore, why fork out to cp when we have File::Copy in core?

Re^2: setuid system() calls on Solaris 11
by haukex (Chancellor) on Jul 25, 2018 at 18:26 UTC

    I'm not sure if the replacement you showed would work on your shell due to the redirection. What I would try first is this:

    system('/bin/sh', '-p', '-c', '-e', "/usr/bin/cp -f $version/$obj $dest 2> /dev/null" )==0 or die "system: \$?=$?";

    I've added some error checking. Note that this suffers from potential security issues if those variables contain any unchecked user input! (And potential quoting issues.) I wrote more on that topic, and how to run external commands using modules, here.

      system( '/bin/sh', '-pc', "cmd string w/optional stderr and stdout redirection" );
      worked! Excellent. What we had experienced in migrating to the newer OS (Solaris 11) was that some of our system() calls were honoring setuid/setgid and some were not. Yet they were all quite similar (i.e. system( "single param string")). And the Perl docs were not clear (to me) regarding the nuances:
      If there are no shell metacharacters in the argument, it is split into words and passed directly to "execvp", ...
      Anyhow, I'm off to make many changes, replacing system() calls and backticks with calls to a ssystem() wrapper function. Thanks all! Mark

        You may want to look at IPC::System::Simple's capturex, a replacement for backticks that allows the same multi-argument calling convention that avoids the shell (allowing you to call the shell explicitly in the same way I showed above).
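As an added example (not code from the thread or from any of the posters), here is one way to write the ssystem()-style wrapper baataboom mentions, following hippo's and haukex's points: the list form of system() so that no /bin/sh is involved, $? decoded as perldoc -f system describes, the child's stderr captured by Perl and kept for logging instead of being thrown away with a shell "2> /dev/null", and File::Copy as the no-child alternative. The names run_nosh and safe_copy, the PATH value and the sample paths are assumptions; where the shell really is needed, haukex's explicit '/bin/sh', '-p', '-c' form above is the way to ask for it.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Copy qw(copy);
use File::Temp qw(tempfile);

# Hypothetical wrapper (name assumed): run the command given as a LIST, so
# Perl hands argv straight to execvp() and /bin/sh is never involved. No
# metacharacter parsing, no word splitting of "$version/$obj", and no shell
# in the middle deciding whether setuid/setgid is honoured.
# Returns 1 on success; on failure returns 0 and leaves a reason (the
# child's stderr included) in $run_nosh_err so the caller can log it.
our $run_nosh_err = '';

sub run_nosh {
    my @cmd = @_;
    die "run_nosh: empty command" unless @cmd;

    # perlsec: under -T (which setuid scripts run with) system() refuses a
    # tainted PATH even when the program is given by absolute path.
    local $ENV{PATH} = '/usr/bin:/bin';          # assumed safe PATH
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};    # as perlsec recommends

    # Capture stderr in Perl instead of the shell's "2> /dev/null": dup the
    # real STDERR, point STDERR at a temp file while the child runs, restore.
    open(my $saved_err, '>&', \*STDERR) or die "dup STDERR: $!";
    my ($tmp_fh, $tmp_name) = tempfile(UNLINK => 1);
    open(STDERR, '>&', $tmp_fh) or die "redirect STDERR: $!";

    my $rc    = system(@cmd);    # list form: no shell, argv passed verbatim
    my $errno = "$!";            # save before another call clobbers it

    open(STDERR, '>&', $saved_err) or die "restore STDERR: $!";
    close $saved_err;
    close $tmp_fh;
    my $child_err = do {
        local $/;
        open(my $in, '<', $tmp_name) or die "read $tmp_name: $!";
        <$in>;
    };
    $child_err = '' unless defined $child_err;
    chomp $child_err;

    # Decode $? the way perldoc -f system describes it.
    if ($rc == -1) {
        $run_nosh_err = "$cmd[0]: failed to execute: $errno";
    } elsif ($rc & 127) {
        $run_nosh_err = sprintf('%s: killed by signal %d', $cmd[0], $rc & 127);
    } elsif ($rc >> 8) {
        $run_nosh_err = sprintf('%s: exit status %d', $cmd[0], $rc >> 8);
    } else {
        $run_nosh_err = '';
        return 1;
    }
    $run_nosh_err .= ": $child_err" if length $child_err;
    return 0;
}

# The alternative hippo raises: File::Copy, no child process at all. copy()
# returns false and sets $! on failure, so there is no stderr to redirect.
sub safe_copy {
    my ($src, $dst) = @_;
    return copy($src, $dst) ? '' : "copy $src -> $dst: $!";
}

# Constructed sample values standing in for the thread's $version/$obj/$dest.
my ($version, $obj, $dest) = ('/nonexistent/v1', 'file with spaces.bin', '/tmp');

# "$version/$obj" and $dest stay single argv entries even with spaces in them.
if (run_nosh('/usr/bin/cp', '-f', "$version/$obj", $dest)) {
    print "copied\n";
} else {
    warn "cp failed: $run_nosh_err\n";   # log the detail rather than discard it
}

if (my $err = safe_copy("$version/$obj", $dest)) {
    warn "File::Copy: $err\n";
}
```

With the sample paths the cp call fails, and the wrapper reports cp's own message (exit status 1 plus its "No such file" text) instead of the silent failure that "2> /dev/null" in the original one-string call would have produced.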
