ado@elsie.UUCP (07/13/86)
In article <1885@brl-smoke.ARPA>, gwyn@BRL.ARPA (VLD/VMB) writes: > int > mkdir( dirname ) > char *dirname; > { > ... > (void) strcat( strcpy( buf, "mkdir 2>/dev/null " ), dirname ); > retval = system( buf ); /* assuming your system() works right */ > ... The above can use a bit of idiot proofing--especially against meta characters in dirname. Below is the version of "mkdir" that went out with the time zone stuff. # /*LINTLIBRARY*/ #include "stdio.h" #ifdef OJBECTID static char sccsid[] = "@(#)mkdir.c 7.2"; #endif extern FILE * popen(); mkdir(name) char * name; { register FILE * fp; register int c; register int oops; if ((fp = popen("sh", "w")) == NULL) return -1; (void) fputs("mkdir 2>&- '", fp); if (name != NULL) while ((c = *name++) != '\0') if (c == '\'') (void) fputs("'\\''", fp); else (void) fputc(c, fp); (void) fputs("'\n", fp); oops = ferror(fp); return (pclose(fp) == 0 && !oops) ? 0 : -1; } -- UNIX and System V are an AT&T Bell Laboratories (or AT&T registered) trademarks. -- UUCP: ..decvax!seismo!elsie!ado ARPA: elsie!ado@seismo.ARPA DEC, VAX, Elsie & Ado are Digital, Borden & Ampex trademarks.
jas@rtech.UUCP (07/14/86)
Keywords:
Regarding "idiot proofing" a mkdir library routine: code like this
if ((fp = popen("sh", "w")) == NULL)
return -1;
(void) fputs("mkdir 2>&- '", fp);
is a security problem for setuid-root (or setuid-anybody) programs
that want to call it. "/bin/sh" and "/bin/mkdir" should be specified,
for reasons that should be clear.
Jim Shankland
..!ihnp4!cpsc6a!\
rtech!jas
..!ucbvax!mtxinu!/