the importance of using safe interprocess communication

Jamie Heilman
Fri, 8 Feb 2002 03:46:01 -0800

Ben Escoto wrote:

> Hmm, how is the patched version vulnerable to security holes?

I don't think it is as long as /bin/sh -c behaves how you expect it
to, your environment is what you think it is, etc.  Using a Popen3
class would let you capture the errors from the system call, something
which should always be done, *especially* when the program runs with
elevated privileges.  Granted it might be slower assuming popen()
doesn't fork, and your shell is 'smart' enough to just exec without
forking, but honestly /bin/sh -c being offered variable arguments,
untainted or not, just gives me a bad feeling; I'd rather just use
something that I know doesn't ever muck with my command.

I still have no patch to offer though because I've wasted the evening
reading python source code tracking down how many steps even a Popen3
call has to go through before its finally handed to the system.  That
and drinking.  The latter making the former somewhat difficult by the
time I got to PyArg_Parse() and vgetargs1().  And now, bed.

Jamie Heilman         
"Most people wouldn't know music if it came up and bit them on the ass."
                                                        -Frank Zappa