without shell
Grant Edwards
grante at visi.com
Fri Jun 10 10:13:05 EDT 2005

On 2005-06-10, Steven D'Aprano <steve at REMOVETHIScyber.com.au> wrote:
> On Sun, 12 Jun 2005 23:16:35 +0530, km wrote:
>
>> hi all,
>>
>> can any linux command be invoked/ executed without using shell (bash) ?
>
> py> import os
> py> status = os.system("ls")
>
> Prints the output of ls and stores the exit code into status.

It's done by invoking the user's SHELL and passing the string
"ls" to it. In the general case, invoking an unknown shell and
passing it a string is fraught with peril.

> py> file_list = os.popen("ls").read()
>
> Stores the output of ls into file_list.

That also executes a shell (same as os.system()), so it's
equally as unreliable and insecure as os.system(). [See the
notes at http://docs.python.org/lib/os-newstreams.html#os-newstreams
that describe popen.]

> Or see the module "commands".
>
>> what abt security concerns ?
>
> Yes, there are serious security concerns. You should be *very* careful
> about executing strings generated by users. You probably don't want your
> program executing something like os.system("rm -rf /").

You've also got a much better chance of getting what you
expect if you don't invoke a shell, but use os.spawn*
functions instead.

--
Grant Edwards <grante at visi.com>
Yow! I feel partially hydrogenated!
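
Added example, not part of the original post: the same `ls` call made once through os.system() and once through os.spawnvp(), on a file whose name contains shell metacharacters. The file name, the INJECTED marker and the function names are constructed for illustration; it assumes a POSIX system with `ls` and `touch` on the PATH.

```python
import os
import tempfile

# Constructed sample: a legal file name that happens to contain shell syntax.
ODD_NAME = "report.txt; touch INJECTED"


def list_with_shell(name):
    """os.system() hands the whole string to a shell, which re-parses it."""
    return os.system("ls " + name)


def list_without_shell(name):
    """os.spawnvp() gives name to ls as a single argv entry; nothing parses it."""
    return os.spawnvp(os.P_WAIT, "ls", ["ls", name])


def demo():
    """Run both variants in scratch directories and record what happened."""
    results = {}
    start = os.getcwd()
    for label, call in (("shell", list_with_shell),
                        ("spawn", list_without_shell)):
        with tempfile.TemporaryDirectory() as workdir:
            os.chdir(workdir)
            try:
                open(ODD_NAME, "w").close()      # the file we want listed
                status = call(ODD_NAME)
                results[label] = {
                    "status": status,
                    # True if the text after ';' was executed as a command
                    "extra_command_ran": os.path.exists("INJECTED"),
                }
            finally:
                os.chdir(start)                  # leave before cleanup
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

In the shell variant `ls` is asked about `report.txt`, which does not exist, and the rest of the name runs as a second command; in the spawn variant `ls` receives the full name and lists the file.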