sudo and spaces
daniel at rimspace.net
Thu Sep 24 01:07:03 BST 2009
David Alban <extasia at extasia.org> writes:
> http://search.cpan.org/~landman/Sudo-0.32/lib/Sudo.pm says:
> As this module depends upon IPC::Run, it has all the bugs/limitations
> of IPC::Run. Spaces in file names, executables, and other odd items
> which give IPC::Run fits, will give Sudo fits. We would like to fix
> this, but this requires fixing IPC::Run.
> this sounds to me like maybe a reason not to use it.
I agree: my general policy is never to use software, especially software that
deals with security, written by people who don't really have much of an idea
what they are doing. It leads to tears.
> i suppose i could supply double quotes around any paths potentially having
> whitespace and around other "odd items".
You would be vastly better off, as would 'landman', using the facility of
IPC::Run to pass arguments directly to execve *without* a shell, which handles
things like spaces in filenames perfectly fine.
Oh, um, and looking at the code: the only thing that doesn't handle spaces
properly is the author of the Sudo module, which makes a dogs breakfast of
things before it ever gets close to IPC::Run.
Now, if he had talked about problems caused by executing code on remote
systems via ssh and sudo causing problems, because there you *had* to go
through a remote shell in many cases, it might be less crazy.
> anyone used this module and run into this issue?
No; I can't honestly imagine why I would bother with that rather than just
using IPC::Run or equivalent to directly execute sudo, but even absent that
the author doesn't know a great deal about how to safely achieve what he is
trying to achieve.
 ...and I note there is pretty much no effort to handle this at all.
 ...because, hey, I can't see a single feature that the Sudo module has
that IPC::Run doesn't directly offer.
✣ Daniel Pittman ✉ daniel at rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
Looking for work? Love Perl? In Melbourne, Australia? We are hiring.
More information about the london.pm