Xref: utzoo comp.unix.questions:31153 comp.lang.c:39142
Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!zaphod.mps.ohio-state.edu!swrinde!mips!pacbell.com!att!princeton!phoenix.Princeton.EDU!subbarao
From: subbarao@phoenix.Princeton.EDU (Kartik Subbarao)
Newsgroups: comp.unix.questions,comp.lang.c
Subject: Re: UNIX commands in C
Message-ID: <azXkYHbe/UUYI@idunno.Princeton.EDU>
Date: 9 May 91 14:12:55 GMT
References: <24527@well.sf.ca.us> <REARL.91May1113957@nutrimat.gnu.ai.mit.edu> <751.imc@uk.ac.ox.prg>
Sender: news@idunno.Princeton.EDU
Reply-To: subbarao@phoenix.Princeton.EDU (Kartik Subbarao)
Organization: American Chemical Society
Lines: 34

In article <751.imc@uk.ac.ox.prg> imc@prg.ox.ac.uk (Ian Collier) writes:
>In article <REARL.91May1113957@nutrimat.gnu.ai.mit.edu>, rearl@gnu.ai.mit.edu (Robert Earl) wrote:
>>In article <24527@well.sf.ca.us> ron@well.sf.ca.us (Ronald Hayden) writes:
>>|   #include <stdio.h>
>>|
>>|   main ()
>>|   {
>>|    printf("\nTesting the UNIX 'who' command --\n");
>>|    system("who");
>>|    printf("\nDone.\n");
>>|    exit(1);
>>|   }

>Also, that should really be "/bin/who" rather than just "who", unless
>you are going to set the path explicitly in the program. Otherwise the
>program could break on someone else's machine if they do not have /bin
>in their path (unlikely) or if some other random program called "who"

>appears before /bin/who in the path. If you do this in an suid program
>be absolutely certain to specify the path, or else this creates a
>security loophole.

Ha! Using system() in any setuid program itself, regardless of how you invoke
the program, leaves a major security hole.


			-Kartik

--
internet% ypwhich

subbarao@phoenix.Princeton.EDU -| Internet
kartik@silvertone.Princeton.EDU (NeXT mail)  
SUBBARAO@PUCC.BITNET			          - Bitnet