[ale] C question

Ed Cashin ecashin at noserose.net
Thu May 22 19:49:06 EDT 2014


OK, well the use case is actually way more complicated than your real
question, so I will confine myself to the question of validation in C.

One way to do it using the standard library but without any regular
expressions is this:

  https://github.com/ecashin/testrepo/blob/master/rlhvals.c

  gcc -Wall rlhvals.c && ./a.out 12345 abc32 invalid

   arg[1] "12345" 5-digit? yes, 5-alphanum? yes
   arg[2] "abc32" 5-digit? no, 5-alphanum? yes
   arg[3] "invalid" 5-digit? no, 5-alphanum? no

The validation routines are,

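#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True only when s is exactly five decimal digits. */
static int
is_5digit(char *s)
{
    char *end;

    /* strtol skips leading blanks and takes a sign; insist on a digit first */
    if (!isdigit((unsigned char)s[0]))
        return 0;
    strtol(s, &end, 10);
    /* five characters parsed, and the string must end there */
    return end - s == 5 && *end == '\0';
}

#define DECIMAL "0123456789"
#define UCASE "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
#define LCASE "abcdefghijklmnopqrstuvwxyz"

/* True only when s is exactly five ASCII letters or digits. */
static int
is_5alphanum(char *s)
{
    /* strspn counts the leading run of allowed characters; s[5] must be the terminator */
    return strspn(s, DECIMAL UCASE LCASE) == 5 && s[5] == '\0';
}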




On Thu, May 22, 2014 at 7:37 PM, Robert L. Harris <robert.l.harris at gmail.com> wrote:

> The reason for the "system" is just to see what value I'm getting out.
>
> I have a perl script doing a bunch of processing which will be run by a
> couple different users.  One aspect of the perl script is to connect to
> another machine and run a command as a specific user.  Instead of having
> others know the passwd, etc.  I have a hostkey set up from my server as a
> non-privileged user to another system.  I want to have the C program setuid
> to the non-privileged user, ssh to the second server and run 1 command with
> the only variable being XXXXX.  More convoluted than I want but the safest
> method I can come up with to get just the output I need from the second
> server.
>
>
>
> On Thu, May 22, 2014 at 5:31 PM, Ed Cashin <ecashin at noserose.net> wrote:
>
>> In general, with this kind of stuff, you want to avoid using the
>> shell, so no use of "system" or other library calls that implicitly
>> run a shell.  The reason is that most programmers cannot anticipate
>> all the corner cases that allow unexpected things to happen when you
>> run a shell from your C program based on user data.
>>
>> But this extra information is making me less certain that I'm coming
>> up with the best feedback.
>>
>> Does it happen to be the case that you're using C because you want to
>> create an executable that you will make setuid root?
>>
>>
>> On Thu, May 22, 2014 at 7:12 PM, Robert L. Harris
>> <robert.l.harris at gmail.com> wrote:
>> > My main goal is to make sure someone doesn't run this command and pass it
>> > something like :     "15361; rm -rf ~/*"
>> > I will need another version where XXXXX can be any alpha-numeric character
>> > too but the main concern is the moron doing something stupid.
>> >
>> > Robert
>> >
>> >
>> >
>> > On Thu, May 22, 2014 at 4:40 PM, Ed Cashin <ecashin at noserose.net> wrote:
>> >>
>> >> I'm not at a keyboard now, but strtol could do it all if you provide a
>> >> non-NULL end pointer. (That will make sense on reading the strtol man page.)
>> >> Just subtract the end from the start and compare to 5, after specifying
>> >> base ten.
>> >>
>> >> On May 22, 2014 6:17 PM, "Robert L. Harris" <robert.l.harris at gmail.com>
>> >> wrote:
>> >>>
>> >>>
>> >>> Anyone have a very simple C program source that given a command of :
>> >>>
>> >>> ./Validate XXXXX
>> >>>
>> >>>
>> >>> it will verify that XXXXX is a 5 digit integer and then execute
>> >>>
>> >>> system( "/bin/touch XXXXX");
>> >>>
>> >>>
>> >>>
>> >>> There's much more to it but I'm hung up on this.  Unfortunately I'm
>> >>> not a C person.
>> >>>
>> >>> Robert
>> >>>
>> >>>
>> >>> --
>> >>> :wq!
>> >>>
>> >>>
>> >>> ---------------------------------------------------------------------------
>> >>> Robert L. Harris
>> >>>
>> >>> DISCLAIMER:
>> >>>       These are MY OPINIONS             With Dreams To Be A King,
>> >>>        ALONE.  I speak for                      First One Should Be A Man
>> >>>        no-one else.                                     - Manowar
>> >>>
>> >>> _______________________________________________
>> >>> Ale mailing list
>> >>> Ale at ale.org
>> >>> http://mail.ale.org/mailman/listinfo/ale
>> >>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> >>> http://mail.ale.org/mailman/listinfo
>> >>>
>>
>>
>>
>> --
>>   Ed Cashin <ecashin at noserose.net>
>>   http://noserose.net/e/
>>   http://www.coraid.com/
>>


-- 
  Ed Cashin <ecashin at noserose.net>
  http://noserose.net/e/
  http://www.coraid.com/
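
Added example (not part of the original messages or of rlhvals.c): the shell-free approach advised in the quoted reply, checking the argument against a whitelist and then running /bin/touch through fork and execve so that no shell ever parses the argument. The names is_5digit_strict and run_noshell and the fixed PATH value are assumptions made for this example.

```c
/* Added example: validate the argument, then exec without a shell. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Whitelist check: exactly five decimal digits and nothing else. */
static int
is_5digit_strict(const char *s)
{
    return strspn(s, "0123456789") == 5 && s[5] == '\0';
}

/* Run argv[0] with a fixed environment; no shell parses the arguments.
 * Returns the child's exit status, 127 if exec failed, -1 on error. */
static int
run_noshell(char *const argv[])
{
    /* assumed minimal environment, so the caller's variables are not inherited */
    static char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);    /* only reached when execve fails */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int
main(int argc, char **argv)
{
    if (argc != 2 || !is_5digit_strict(argv[1])) {
        fprintf(stderr, "usage: %s NNNNN (five digits)\n", argv[0]);
        return 2;
    }
    /* argv[1] reaches touch as one argument, never as shell text */
    char *const cmd[] = { "/bin/touch", argv[1], NULL };
    return run_noshell(cmd);
}
```

Even if validation were bypassed, a string such as "15361; rm -rf ~/*" would arrive at touch as a single file name, because execve passes the argument vector directly instead of handing a command line to /bin/sh.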