Safe command line execution

Zundra Daniel

[Note: parts of this message were removed to make it a legal post.]

Hi all. I have an application that needs to execute a system call via
command line. However, the problem I'm running into is this particular
command takes a username and password both of which can be any pattern and
combination of special characters. Does anyone know of a way to safely
execute this command with these free form parameters without risk of
malicious code being inadvertently executed? The pattern of the command is
as follows:

/usr/bin/cmd -username #{username} -password #{password}
 
Henning Bekel

Zundra said:
Does anyone know of a way to safely execute this command with
these free form parameters without risk of malicious code being
inadvertently executed? The pattern of the command is as
follows:

/usr/bin/cmd -username #{username} -password #{password}

Just avoid any shell expansion. This can be done by passing the
arguments to Kernel#system individually:

system("/usr/bin/cmd", "-username", username, "-password", password)

See the docs for Kernel#system and Kernel#exec.

Henning
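
The difference between the interpolated command string from the question and the multi-argument call suggested in the reply above, as an added example that is not part of the original thread. A child Ruby process that prints its argument vector stands in for /usr/bin/cmd (an assumption, since that tool is not available here), and the credentials are constructed sample values.

```ruby
require "json"
require "open3"
require "rbconfig"

# Stand-in for /usr/bin/cmd (assumption): a child Ruby process that prints
# the argument vector it received as one line of JSON.
CHILD = [RbConfig.ruby, "-rjson", "-e", "puts ARGV.to_json", "--"].freeze

# Constructed sample credentials; the password holds shell metacharacters.
USERNAME = "alice"
PASSWORD = 'pa$$ w0rd; echo INJECTED'

# Interpolated form from the question: a single string, so Ruby hands it to
# /bin/sh, which expands "$$", splits on the space and treats ";" as a
# command separator.
def run_interpolated(username, password)
  cmd = "#{RbConfig.ruby} -rjson -e 'puts ARGV.to_json' -- " \
        "-username #{username} -password #{password}"
  out, _status = Open3.capture2(cmd)
  out.lines.map(&:chomp)
end

# Multi-argument form from the reply: no shell is started and each Ruby
# string becomes exactly one argv entry of the child.
def run_argv(username, password)
  out, _status = Open3.capture2(*CHILD, "-username", username,
                                "-password", password)
  out.lines.map(&:chomp)
end

if __FILE__ == $PROGRAM_NAME
  puts "interpolated: #{run_interpolated(USERNAME, PASSWORD).inspect}"
  puts "argv form:    #{run_argv(USERNAME, PASSWORD).inspect}"
end
```

Open3.capture2 follows the same single-string versus argument-list rule as Kernel#system and is used here only so the child's output can be inspected.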
 
David Masover

/usr/bin/cmd -username #{username} -password #{password}

As others have mentioned, you could do system like this instead:

system '/usr/bin/cmd', '-username', username, '-password', password

But there's a security flaw in the way you're doing this -- chances are, anyone
on the system can read those straight from the system process list. Is there
any way to supply these credentials to that command, other than the
command line?
 
Bertram Scharpf

Hi,

On Thursday, 08 Oct 2009, 04:15:21 +0900, Zundra Daniel wrote:
/usr/bin/cmd -username #{username} -password #{password}

It has already been said that this is very dangerous. Please check
the command you want to execute for something like ssh's
SSH_ASKPASS environment variable or gpg's --passphrase-fd option.

Bertram
 
Zundra Daniel

[Note: parts of this message were removed to make it a legal post.]

Thanks all for the input. Unfortunately there is no other way to execute
this particular script. It is actually a custom-written application written
by another team at my company. However, the device this application is
controlling does not allow users access to a shell, so, correct me if I'm
wrong, the risks here are minimal in that regard. The only safeguard I was
looking for, which has been answered, was against the apache user attempting
to execute some malicious code. If a user happens to gain shell access to
this device, we have way bigger problems. Again, thanks everyone for the
input, and please let me know if I'm overlooking something.
 
