Executing other commands

Whenever a command executes another command, it must first set its effective user and group identities to its real user and group identities unless the executed command needs the special access to do its job. If the executed command needs the special access, the executing command must take every possible step to ensure that it executes the correct command with proper parameters and cannot be misled into executing a Trojan Horse.

A Trojan Horse is a command that imposes itself on a process by looking like the needed command. It inherits permissions and other attributes (like file descriptors, environment, and so on), from the executing command, and can use these capabilities to disrupt the system. Measures to prevent Trojan Horse intrusion include the following:

• using full pathnames for execution

• avoiding the system and popen library routines, which use the shell to interpret command lines

• carefully making sure the $PATH, $IFS, and other environment variables are set to safe values whenever the shell must be used

• never allowing special-access rights or file descriptors to survive across an execution of a user-supplied command name