[ale] C question

Robert L. Harris robert.l.harris at gmail.com
Thu May 22 19:37:32 EDT 2014


The reason for the "system" is just to see what value I'm getting out.

I have a perl script doing a bunch of processing which will be run by a
couple different users.  One aspect of the perl script is to connect to
another machine and run a command as a specific user.  Instead of having
others know the passwd, etc.  I have a hostkey set up from my server as a
non-privileged user to another system.  I want to have the C program setuid
to the non-privileged user, ssh to the second server and run 1 command with
the only variable being XXXXX.  More convoluted than I want but the safest
method I can come up with to get just the output I need from the second
server.



On Thu, May 22, 2014 at 5:31 PM, Ed Cashin <ecashin at noserose.net> wrote:

> In general, with this kind of stuff, you want to avoid using the
> shell, so no use of "system" or other library calls that implicitly
> run a shell.  The reason is that most programmers cannot anticipate
> all the corner cases that allow unexpected things to happen when you
> run a shell from your C program based on user data.
>
> But this extra information is making me less certain that I'm coming
> up with the best feedback.
>
> Does it happen to be the case that you're using C because you want to
> create an executable that you will make setuid root?
>
>
> On Thu, May 22, 2014 at 7:12 PM, Robert L. Harris
> <robert.l.harris at gmail.com> wrote:
> > My main goal is to make sure someone doesn't run this command and pass it
> > something like :     "15361; rm -rf ~/*"
> > I will need another version where XXXXX can be any alpha-numeric character
> > too but the main concern is the moron doing something stupid.
> >
> > Robert
> >
> >
> >
> > On Thu, May 22, 2014 at 4:40 PM, Ed Cashin <ecashin at noserose.net> wrote:
> >>
> >> I'm not at a keyboard now, but strtol could do it all if you provide a
> >> non-NULL end pointer. (That will make sense on reading the strtol man page.)
> >> Just subtract the end from the start and compare to 5, after specifying base
> >> ten.
> >>
> >> On May 22, 2014 6:17 PM, "Robert L. Harris" <robert.l.harris at gmail.com>
> >> wrote:
> >>>
> >>>
> >>> Anyone have a very simple C program source that given a command of :
> >>>
> >>> ./Validate XXXXX
> >>>
> >>>
> >>> it will verify that XXXXX is a 5 digit integer and then execute
> >>>
> >>> system( "/bin/touch XXXXX");
> >>>
> >>>
> >>>
> >>> There's much more to it but I'm hung up on this.  Unfortunately I'm not a
> >>> C person.
> >>>
> >>> Robert
> >>>
> >>>
> >>> --
> >>> :wq!
> >>>
> >>>
> >>> ---------------------------------------------------------------------------
> >>> Robert L. Harris
> >>>
> >>> DISCLAIMER:
> >>>       These are MY OPINIONS             With Dreams To Be A King,
> >>>        ALONE.  I speak for                      First One Should Be A Man
> >>>        no-one else.                                     - Manowar
> >>>
> >>> _______________________________________________
> >>> Ale mailing list
> >>> Ale at ale.org
> >>> http://mail.ale.org/mailman/listinfo/ale
> >>> See JOBS, ANNOUNCE and SCHOOLS lists at
> >>> http://mail.ale.org/mailman/listinfo
> >>>
> >>
> >> _______________________________________________
> >> Ale mailing list
> >> Ale at ale.org
> >> http://mail.ale.org/mailman/listinfo/ale
> >> See JOBS, ANNOUNCE and SCHOOLS lists at
> >> http://mail.ale.org/mailman/listinfo
> >>
> >
> >
> >
> > --
> > :wq!
> >
> ---------------------------------------------------------------------------
> > Robert L. Harris
> >
> > DISCLAIMER:
> >       These are MY OPINIONS             With Dreams To Be A King,
> >        ALONE.  I speak for                      First One Should Be A Man
> >        no-one else.                                     - Manowar
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> >
>
>
>
> --
>   Ed Cashin <ecashin at noserose.net>
>   http://noserose.net/e/
>   http://www.coraid.com/
>



-- 
:wq!
---------------------------------------------------------------------------
Robert L. Harris

DISCLAIMER:
      These are MY OPINIONS             With Dreams To Be A King,
       ALONE.  I speak for                      First One Should Be A Man
       no-one else.                                     - Manowar
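
An added example, not code from anyone in this thread: one way to write the Validate program discussed above so that no shell is ever involved. It checks each character directly instead of relying on strtol alone, because strtol also accepts leading whitespace and a sign, and it passes the value to /bin/touch as a single argv entry through execve. The function names is_five_digits and touch_file and the fixed PATH value are assumptions made for the example.

```c
/* Added example: validate argv[1] as exactly five digits, then run
 * /bin/touch on it without going through a shell. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 only if s is exactly five ASCII digits and nothing else. */
int is_five_digits(const char *s)
{
    if (s == NULL || strlen(s) != 5)
        return 0;
    for (size_t i = 0; i < 5; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Run "/bin/touch -- <name>" via fork + execve. name travels as one argv
 * entry, so ';', '~' or '*' are never interpreted by anything.
 * Returns the child's exit status, or -1 on error. */
int touch_file(const char *name)
{
    char *const args[] = { "/bin/touch", "--", (char *)name, NULL };
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL }; /* fixed environment (assumed value) */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/touch", args, envp);
        _exit(127); /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    if (argc != 2 || !is_five_digits(argv[1])) {
        fprintf(stderr, "usage: Validate NNNNN (five digits)\n");
        return 2;
    }
    return touch_file(argv[1]) == 0 ? 0 : 1;
}
```

For the alphanumeric variant mentioned in the thread, swapping isdigit for isalnum in the loop keeps the same structure.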