http://www.perlmonks.org?node_id=1219282


in reply to Re: setuid system() calls on Solaris 11
in thread setuid system() calls on Solaris 11

I'm not sure if the replacement you showed would work on your shell due to the redirection. What I would try first is this:

system('/bin/sh', '-p', '-c', '-e', "/usr/bin/cp -f $version/$obj $dest 2> /dev/null" )==0 or die "system: \$?=$?";

I've added some error checking. Note that this suffers from potential security issues if those variables contain any unchecked user input! (And potential quoting issues.) I wrote more on that topic, and how to run external commands using modules, here.

Re^3: setuid system() calls on Solaris 11
by baataboom (Initiate) on Jul 25, 2018 at 22:11 UTC
    Using
    system( '/bin/sh', '-pc', "cmd string w/optional stderr and stdout redirection" );
    worked! Excellent. What we had experienced in migrating to the newer OS (Solaris 11) was that some of our system() calls were honoring setuid/setgid and some were not. Yet they were all quite similar (i.e. system( "single param string")). And the Perl docs were not clear (to me) regarding the nuances:
    If there are no shell metacharacters in the argument, it is split into words and passed directly to "execvp", ...
    Anyhow, I'm off to make many changes, replacing system() calls and backticks with calls to a ssystem() wrapper function. Thanks all! Mark
      backticks

      You may want to look at IPC::System::Simple's capturex, a replacement for backticks that allows the same multi-argument calling convention that avoids the shell (allowing you to call the shell explicitly in the same way I showed above).
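
An added example, not code from any poster in this thread: one way a wrapper like the ssystem() mentioned above could keep the explicit `/bin/sh -pc` call and its redirection while addressing the unchecked-input and quoting concern, by passing values to the shell as positional parameters instead of interpolating them into the command string. The wrapper body, the fixed PATH, the bare `cp` (rather than `/usr/bin/cp`) and the sample file names are assumptions made for illustration.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical wrapper: the name follows the thread's "ssystem()", the body is an assumption.
# $script is a fixed shell snippet; @args are untrusted values that the shell
# sees only as "$1", "$2", ... so they are data, never parsed as shell syntax.
sub ssystem {
    my ($script, @args) = @_;
    local $ENV{PATH} = '/usr/bin:/bin';    # fixed PATH for the child shell
    # List form: Perl execs /bin/sh itself, with no implicit shell in between.
    # The 'sh' after $script becomes $0 of the snippet; @args become $1..$n.
    system('/bin/sh', '-pc', $script, 'sh', @args);
    die "ssystem: cannot exec /bin/sh: $!\n" if $? == -1;
    die sprintf("ssystem: killed by signal %d\n", $? & 127) if $? & 127;
    return $? >> 8;                        # exit status of the snippet
}

# Constructed sample input: a file name with spaces and a shell metacharacter.
my $dir  = tempdir(CLEANUP => 1);
my $dest = "$dir/dest";
mkdir $dest or die "mkdir: $!";
my $obj = 'my report; touch INJECTED.txt';
open my $fh, '>', "$dir/$obj" or die "open: $!";
print {$fh} "data\n";
close $fh or die "close: $!";

# The snippet is a constant; only "$1" and "$2" carry the variable data.
# "--" stops option parsing so a name starting with "-" is not read as a flag.
my $status = ssystem('cp -f -- "$1" "$2" 2>/dev/null', "$dir/$obj", $dest);

print "exit status: $status\n";
print "copied:      ", (-e "$dest/$obj"   ? "yes" : "no"), "\n";
print "injected:    ", (-e 'INJECTED.txt' ? "yes" : "no"), "\n";
```

The `-p` option is used as in the thread; whether `/bin/sh` accepts it depends on which shell is installed at that path.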