问题描述

system() 和可用于在程序内执行另一个命令.为什么在set-UID程序中system()是危险的，而execve()是安全的?

Both system() and execve() can be used to execute another command inside a program. Why in set-UID programs, system() is dangerous, while execve() is safe ?

推荐答案

系统将调用外壳程序( sh )执行作为参数发送的命令. system的问题，因为外壳行为取决于运行命令的用户.一个小例子:

system will call the shell (sh) to execute the command sent as an argument. The problem with system because the shell behavior depends on the user who run the command. A small example:

创建文件test.c:

#include <stdio.h>

int main(void) {
    if (system ("ls") != 0)
        printf("Error!");
    return 0;
}

然后:

$ gcc test.c -o test

$ sudo chown root:root test

$ sudo chmod +s test

$ ls -l test
-rwsr-sr-x 1 root root 6900 Dec 12 17:53 test

在当前目录中创建一个名为ls的脚本:

Creating a script called ls in your current directory:

$ cat > ls
#!/bin/sh

/bin/sh

$ chmod +x ls

现在:

$ PATH=. ./test
# /usr/bin/id
uid=1000(cuonglm) gid=1000(cuonglm) euid=0(root) egid=0(root) groups=0(root),
24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),105(scanner),
110(bluetooth),111(netdev),999(docker),1000(cuonglm)
# /usr/bin/whoami
root

糟糕，您拥有具有root特权的shell.

Oops, you got a shell with root privileges.

execve 不调用外壳程序.它执行作为第一个参数传递给它的程序.该程序必须是二进制可执行文件或以 shebang 行开头的脚本.

execve does not call a shell. It executes the program that passed to it as first argument. The program must be a binary executable or a script start with shebang line.

这篇关于system()与execve()的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！