[Portland] Statically linkable library
Peter Åstrand
astrand at cendio.se
Wed Aug 1 12:59:36 PDT 2007
On Tue, 31 Jul 2007, Aniket Ray wrote:
> I want to perform the operations done by XDG utilities from within
> native code. Accessing the shell from within the code and running
> scripts without the user's knowledge is not the best thing to do.
> There's also a scope for injection attacks against the software by
> malicious parties (if calls to the shell are made from within the code).
> Secure deployment of the shell scripts is also an issue. These problems
> would certainly make a static library better suited for my needs.

As long as you are calling a known script (say, one which you are
shipping) and call the script with fixed or verified arguments, you
should be safe. Calling a shell script is not really more dangerous than
calling a "real" binary.

What's dangerous is having a shell evaluate a command line from an
untrusted source.

So I think you should be safe. Calling shell scripts from native code is
actually quite common on Linux. (A little bit too common, but that's
another story.)

Regards,
---
Peter Åstrand ThinLinc Chief Developer
Cendio AB http://www.cendio.se
Wallenbergs gata 4
583 30 Linköping Phone: +46-13-21 46 00
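
The distinction drawn in the reply above (a known script called with verified arguments, versus a shell evaluating an untrusted command line), as an added example that is not part of the original message or of xdg-utils. The install path, the function names and the http(s)-only policy are assumptions chosen for illustration.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed install path of the script being called; adjust per deployment. */
#define OPENER_PATH "/usr/bin/xdg-open"

/* Verify the argument: http(s) scheme only (which also rejects a leading
 * '-' the script could take for an option), bounded length, and no
 * whitespace, control or non-ASCII bytes. */
int url_arg_is_verified(const char *s)
{
    if (s == NULL || strlen(s) > 2048)
        return 0;
    if (strncmp(s, "http://", 7) != 0 && strncmp(s, "https://", 8) != 0)
        return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c <= 0x20 || c >= 0x7f)
            return 0;
    }
    return 1;
}

/* Run a fixed script with one verified argument, e.g.
 * run_opener(OPENER_PATH, url). The calling program never builds a command
 * line: execv() passes `url` to the script as a single argv entry.
 * Returns the exit status, 127 if exec failed, -1 on refusal or error. */
int run_opener(const char *script, const char *url)
{
    char *argv[] = { (char *)script, (char *)url, NULL };
    int status;
    pid_t pid;

    if (!url_arg_is_verified(url))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(script, argv);  /* absolute path, so no PATH lookup */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The pattern to avoid is the opposite one: formatting the same string into a buffer and handing it to system(), which makes /bin/sh parse the untrusted text as a command line.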