question about the safety of os.popen()

Paul Jackson pj at sgi.com
Thu Sep 9 18:12:59 EDT 1999


|> mail = os.popen("/usr/sbin/sendmail -t", "w")
|> 
|> I believe that this method of using os.popen() is relatively
|> safe since it does not pass any user input directly to the

This is not safe, if it might be run by a setuid or setgid
program.

From my internal SGI mail archives, discussing a quite
unrelated piece of code, comes the following ancient (circa
1994) paragraph, that happens to explain the problem:

|> In the original bug report, and this is popularly known,
|> you set IFS='/:' and run vi, then do a ``preserve'' command
|> which causes vi to run expreserve.  expreserve in turn does
|> a popen() to send mail to the user.  Because popen does
|> something like ``/bin/sh ...''  the IFS goes into effect and
|> turns ``/usr/bin/mail'' into something morally equivalent to
|> ``usr bin mail''.  The bad guy has a shell script called
|> ``usr'' in the local directory that then gets run with the
|> permissions of expreserve (setgid sys, big deal!).

As I recall, you end up wanting to purge the environment of more
than just IFS before safely invoking a subshell (os.popen or
os.system).

See also os.fork(), os.execl(), and the Python source popen2.py,
for safer alternatives and implementation ideas (mainly, avoid
the intermediate shell).

Now if you are not concerned with safe setuid/gid usage, then I
believe it's quite safe - the user can't get any more done by
confusing your code than they could do directly anyway.
-- 

=======================================================================
I won't rest till it's the best ...	   Software Production Engineer
Paul Jackson (pj at sgi.com; pj at usa.net) 3x1373 http://sam.engr.sgi.com/pj
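An added example, not from Paul Jackson's post, of the alternative the post recommends: spawn the child directly (no intermediate /bin/sh) and hand it a purged environment rather than the inherited one. It uses the modern subprocess module in place of os.fork()/os.execl(); the allowlist of environment names and the fixed PATH are assumptions chosen for illustration, and the interpreter itself stands in for sendmail so the example runs anywhere.

```python
import os
import subprocess
import sys

# Environment names allowed through to the child. Everything else (IFS,
# caller-supplied PATH, LD_*, ...) is dropped, following the post's advice
# to purge more than just IFS. Allowlist and SAFE_PATH are assumptions.
ENV_ALLOWLIST = ("HOME", "LANG", "LC_ALL", "TZ", "USER", "LOGNAME")
SAFE_PATH = "/usr/bin:/bin:/usr/sbin:/sbin"


def clean_env(inherited):
    """Return a fresh environment: allowlisted names only, plus a fixed PATH."""
    env = {k: v for k, v in inherited.items() if k in ENV_ALLOWLIST}
    env["PATH"] = SAFE_PATH
    return env


def send_to_command(argv, text, inherited_env=None):
    """Feed `text` on stdin to `argv` without an intermediate shell.

    `argv` is a list such as ["/usr/sbin/sendmail", "-t"]. Because it is a
    list and shell=False, /bin/sh never parses it, so IFS or PATH in the
    environment cannot change which program runs. Returns (status, stdout).
    """
    if not argv or not os.path.isabs(argv[0]):
        raise ValueError("argv[0] must be an absolute path, not a PATH lookup")
    env = clean_env(os.environ if inherited_env is None else inherited_env)
    proc = subprocess.Popen(
        argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
        env=env, shell=False, close_fds=True, text=True,
    )
    out, _ = proc.communicate(text)
    return proc.returncode, out


def demo_uppercase_filter(text, hostile_ifs="/:"):
    """Run a stdin-to-stdout filter (the interpreter standing in for sendmail)
    while the parent environment carries the IFS value from the post; the
    child still runs correctly because it is never handed to a shell."""
    env = dict(os.environ, IFS=hostile_ifs)  # constructed hostile environment
    filt = "import sys; sys.stdout.write(sys.stdin.read().upper())"
    return send_to_command([sys.executable, "-c", filt], text, inherited_env=env)
```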