On Fri, 22 Feb 2002, Stewart Evans wrote:
> Pardon me for asking but what is the correct way to access system functions
> such as mount, df, format, umount and ls from a web panel
> with error handling
>
> example cut from reboot
>
> esmith::util::backgroundCommand (8, "/sbin/e-smith/signal-event",
> "reboot");

This is if you want to initiate a background event, which you will only
want to do rarely. "reboot" is one example, since you want to return
immediately and tell the user that it's about to happen.

> Example from backup
>
> system("/sbin/e-smith/signal-event", "conf-backup") == 0
> or die("Error occured during conf-backup event.\n");

This is the way that you will usually do it.

> this fails to work ( with/out -t )
>
> system("mount /mnt/floppy" ) == 0
> or die ("Error occurred while mounting floppy.\n");

And this is to be avoided. Firstly you should use a full path name, so
that you don't depend on the PATH variable. It's also more efficient to
use the multiple argument form of system(), as you don't need to call the
shell to parse the string "mount /mnt/floppy" into separate arguments.

It's also safer to use the multiple argument form of system. If you were
to do system("/bin/mount $device"), then you might open up the possibility
to do system("/bin/mount /mnt/floppy ; rm -rf /") if an attacker could
somehow set/change the value of $device. If you do
system("/bin/mount", $device), then the worst thing that happens is mount
writes:

    mount: can't find /mnt/floppy ; rm -rf / in /etc/fstab or /etc/mtab

to standard error.
--
Charlie Brady [EMAIL PROTECTED]
Lead Product Developer
Network Server Solutions Group    http://www.e-smith.com/
Mitel Networks Corporation        http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000    Fax: +1 (613) 564 7739
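
The difference between the single-string and multiple-argument forms of system() discussed in the reply above, shown as an added example that is not part of the original message or of the e-smith code. The helper name run_command is hypothetical, the $device value is constructed, and the running perl ($^X) stands in for /bin/mount so the script can be run without mounting anything.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # keep our output in order with the child processes' output

# Hypothetical helper: run a command with no shell involved and decode the
# wait status. Returns (1, "") on success or (0, $reason) on failure.
sub run_command {
    my @argv = @_;
    # The indirect-object form never invokes a shell, even for a one-element list.
    my $rc = system { $argv[0] } @argv;
    return (1, "") if $rc == 0;
    return (0, "could not execute $argv[0]: $!") if $rc == -1;
    return (0, "$argv[0] killed by signal " . ($rc & 127)) if $rc & 127;
    return (0, "$argv[0] exited with status " . ($rc >> 8));
}

# Constructed sample input: a device value that carries shell metacharacters.
my $device = '/mnt/floppy ; echo INJECTED';

# Stand-in for /bin/mount: the running perl ($^X) printing each argument it gets.
my @show_args = ($^X, '-e', 'print "arg[$_] = <$ARGV[$_]>\n" for 0 .. $#ARGV');

# Single-string form: /bin/sh parses the string, so ";" splits it into two
# commands and the harmless "echo INJECTED" runs as a command of its own.
print "string form:\n";
system("/bin/echo mounting $device");

# List form: the whole value arrives as exactly one argument.
print "list form:\n";
my ($ok, $err) = run_command(@show_args, $device);
die "stand-in command failed: $err\n" unless $ok;

# Failure path: a non-zero exit is reported with its status.
($ok, $err) = run_command($^X, '-e', 'exit 3');
print "error handling: $err\n" unless $ok;

# The call from the thread, written the recommended way (not executed here):
#   my ($ok, $err) = run_command('/bin/mount', '/mnt/floppy');
#   die "Error occurred while mounting floppy: $err\n" unless $ok;
```

Decoding the wait status separates "the program could not be started" from "the program ran and reported failure", which a bare `== 0 or die` check does not distinguish.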