Subject: system(3) caveat
To: None <tech-userlevel@netbsd.org>
From: Iain Hibbert <plunky@rya-online.net>
List: tech-userlevel
Date: 05/11/2006 11:49:21
Hi,

In system(3) it says:

  CAVEATS
    Never supply the system() function with a command containing any part of
    an unsanitized user-supplied string. Shell meta-characters present will
    be honored by the sh(1) command interpreter.

and I'm wondering if 'Never' means 'NEVER!', or if it's ok to do that in my
case, which is that I'm providing a user program that will act on an event
by running a command that the user provides. The command is not a suid
program; is there a particular security issue I should be aware of?

iain
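
Added example, not part of the original message: a C sketch of what the quoted CAVEATS text means in practice, contrasting a value pasted into the system() string with the same value handed to the user's command as a positional parameter. It assumes the program passes some event-derived value to the command; the function names, the sample value and the user command are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: an event value that carries a shell meta-character. */
static const char *SAMPLE_EVENT = "dev0; exit 7";

/* Turn a wait(2) status into an exit code, or -1 if the child did not exit. */
static int exit_code(int st) { return WIFEXITED(st) ? WEXITSTATUS(st) : -1; }

/* The pattern the CAVEATS text describes: the value is pasted into the
 * string handed to system(), so sh(1) parses it along with the command. */
int run_interpolated(const char *event)
{
    char cmd[256];
    int n = snprintf(cmd, sizeof cmd, "test -n %s", event);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;                      /* refuse a truncated command */
    return exit_code(system(cmd));
}

/* The user's own command is still run by sh -c, but the value travels as
 * the positional parameter $1 and is never parsed as shell syntax. */
int run_with_argv(const char *user_cmd, const char *event)
{
    int st;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", user_cmd, "sh", event, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return exit_code(st);
}

int main(void)
{
    /* Hypothetical user-configured command; it compares $1 literally. */
    const char *user_cmd = "test \"$1\" = 'dev0; exit 7'";
    printf("interpolated: %d\n", run_interpolated(SAMPLE_EVENT));
    printf("as argument:  %d\n", run_with_argv(user_cmd, SAMPLE_EVENT));
    return 0;
}
```

In the first call the shell honors the `;` and the exit status comes from the injected `exit 7`; in the second the whole value arrives intact as `$1`.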