Subject: Re: system(3) caveat
To: None <tech-userlevel@NetBSD.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-userlevel
Date: 05/11/2006 10:01:11
>    in system(3) it says

> CAVEATS
>      Never supply the system() function with a command containing any part of
>      an unsanitized user-supplied string.  Shell meta-characters present will
>      be honored by the sh(1) command interpreter.

> and I'm wondering if 'Never' means 'NEVER!', or if it's OK to do that
> in my case, which is that I'm providing a user program that will act
> on an event by running a command that the user provides.

Provided all you pass to system() is the user-provided string, you
should be OK.  The warning is against things like
	sprintf(cmd,"telnet %s",user_provided_hostname);
	system(cmd);
without first verifying that user_provided_hostname is free of shell
metacharacters.

> The command is not a suid program, is there a particular security
> issue I should be aware of?

The only one that comes to mind is that this allows the user to run
arbitrary shell commands.  This is not normally a risk, but if this
gets used in an environment where some users have restricted shells
that allow them to execute only certain commands, it could open up a
way for them to bypass that restriction.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
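An added example, written here and not part of der Mouse's message or NetBSD's code, showing the two halves of the advice in the reply: check that a user-supplied hostname contains nothing sh(1) would interpret, and run the program with the name as a plain argv element instead of splicing it into a system() command line. The function names, the character allowlist and the exit-status conventions are assumptions.

```c
/* Added example, not part of der Mouse's message. Assumed: "prog" is
 * the program to run (telnet in the reply) and "host" the user string. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only what a hostname may contain: letters, digits, '-' and
 * '.', at most 253 bytes, not starting with '-' (which the program run
 * would otherwise read as an option). Everything sh(1) treats specially,
 * such as ';', '|', '`', '$' and whitespace, fails this check. */
bool hostname_is_clean(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-')
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return false;
    }
    return true;
}

/* No shell in the path: the hostname becomes a single argv element, so
 * its bytes are never parsed as a command line. Returns the child's exit
 * status; -1 if the name is rejected or fork/wait fails; 127 if the
 * exec itself failed (program not found). */
int run_without_shell(const char *prog, const char *host)
{
    if (!hostname_is_clean(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(prog, prog, host, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The same approach works with execvp(3) and an argv array when more than one argument is involved; the point is that no sh(1) process ever sees the user's string.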