[ale] C question
Ed Cashin
ecashin at noserose.net
Thu May 22 19:49:06 EDT 2014
OK, well the use case is actually way more complicated than your real
question, so I will confine myself to the question of validation in C.
One way to do it using the standard library but without any regular
expressions is this:
https://github.com/ecashin/testrepo/blob/master/rlhvals.c
gcc -Wall rlhvals.c && ./a.out 12345 abc32 invalid
arg[1] "12345" 5-digit? yes, 5-alphanum? yes
arg[2] "abc32" 5-digit? no, 5-alphanum? yes
arg[3] "invalid" 5-digit? no, 5-alphanum? no
The validation routines are,
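#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Exactly five decimal digits and nothing else. */
static int
is_5digit(char *s)
{
    char *end;

    /* strtol skips leading whitespace and a sign, so require a digit first */
    if (!isdigit((unsigned char)s[0]))
        return 0;
    strtol(s, &end, 10);
    /* strtol stops at the first non-digit, so require the string to end there */
    return end - s == 5 && *end == '\0';
}

#define DECIMAL "0123456789"
#define UCASE "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
#define LCASE "abcdefghijklmnopqrstuvwxyz"

/* Exactly five characters from [0-9A-Za-z] and nothing else. */
static int
is_5alphanum(char *s)
{
    /* strspn counts only the leading run, so also check that the string ends */
    return strspn(s, DECIMAL UCASE LCASE) == 5 && s[5] == '\0';
}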
On Thu, May 22, 2014 at 7:37 PM, Robert L. Harris <robert.l.harris at gmail.com> wrote:
> The reason for the "system" is just to see what value I'm getting out.
>
> I have a perl script doing a bunch of processing which will be run by a
> couple different users. One aspect of the perl script is to connect to
> another machine and run a command as a specific user. Instead of having
> others know the passwd, etc. I have a hostkey set up from my server as a
> non-privileged user to another system. I want to have the C program setuid
> to the non-privileged user, ssh to the second server and run 1 command with
> the only variable being XXXXX. More convoluted than I want but the safest
> method I can come up with to get just the output I need from the second
> server.
>
>
>
> On Thu, May 22, 2014 at 5:31 PM, Ed Cashin <ecashin at noserose.net> wrote:
>
>> In general, with this kind of stuff, you want to avoid using the
>> shell, so no use of "system" or other library calls that implicitly
>> run a shell. The reason is that most programmers cannot anticipate
>> all the corner cases that allow unexpected things to happen when you
>> run a shell from your C program based on user data.
>>
>> But this extra information is making me less certain that I'm coming
>> up with the best feedback.
>>
>> Does it happen to be the case that you're using C because you want to
>> create an executable that you will make setuid root?
>>
>>
>> On Thu, May 22, 2014 at 7:12 PM, Robert L. Harris
>> <robert.l.harris at gmail.com> wrote:
>> > My main goal is to make sure someone doesn't run this command and pass it
>> > something like : "15361; rm -rf ~/*"
>> > I will need another version where XXXXX can be any alpha-numeric character
>> > too but the main concern is the moron doing something stupid.
>> >
>> > Robert
>> >
>> >
>> >
>> > On Thu, May 22, 2014 at 4:40 PM, Ed Cashin <ecashin at noserose.net> wrote:
>> >>
>> >> I'm not at a keyboard now, but strtol could do it all if you provide a
>> >> non-NULL end pointer. (That will make sense on reading the strtol man page.)
>> >> Just subtract the end from the start and compare to 5, after specifying base
>> >> ten.
>> >>
>> >> On May 22, 2014 6:17 PM, "Robert L. Harris" <robert.l.harris at gmail.com>
>> >> wrote:
>> >>>
>> >>>
>> >>> Anyone have a very simple C program source that given a command of :
>> >>>
>> >>> ./Validate XXXXX
>> >>>
>> >>>
>> >>> it will verify that XXXXX is a 5 digit integer and then execute
>> >>>
>> >>> system( "/bin/touch XXXXX");
>> >>>
>> >>>
>> >>>
>> >>> There's much more to it but I'm hung up on this. Unfortunately I'm not a
>> >>> C person.
>> >>>
>> >>> Robert
>> >>>
>> >>>
>> >>> --
>> >>> :wq!
>> >>>
>> >>>
>> >>> ---------------------------------------------------------------------------
>> >>> Robert L. Harris
>> >>>
>> >>> DISCLAIMER:
>> >>> These are MY OPINIONS With Dreams To Be A King,
>> >>> ALONE. I speak for First One Should Be A Man
>> >>> no-one else. - Manowar
>> >>>
>> >>> _______________________________________________
>> >>> Ale mailing list
>> >>> Ale at ale.org
>> >>> http://mail.ale.org/mailman/listinfo/ale
>> >>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> >>> http://mail.ale.org/mailman/listinfo
>> >>>
>> >>
>> >
>> >
>> >
>>
>>
>>
>> --
>> Ed Cashin <ecashin at noserose.net>
>> http://noserose.net/e/
>> http://www.coraid.com/
>
>
>
--
Ed Cashin <ecashin at noserose.net>
http://noserose.net/e/
http://www.coraid.com/
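
The advice in this thread (validate the whole argument, then run the command without "system" or any other call that starts a shell), as an added example that is not part of the original post or of the linked rlhvals.c. The names is_exactly and safe_touch are hypothetical, and the fixed PATH value is an assumption.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define ALNUM "0123456789" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz"

/* Whole-string check: exactly n bytes, every one of them drawn from allowed. */
static int
is_exactly(const char *s, const char *allowed, size_t n)
{
    return s != NULL && strlen(s) == n && strspn(s, allowed) == n;
}

/*
 * Hypothetical helper. Returns -1 if arg is rejected (nothing is run) or the
 * child could not be started, otherwise the exit status of /bin/touch
 * (127 if it could not be executed).
 */
static int
safe_touch(const char *arg)
{
    char *argv[] = { "touch", (char *)arg, NULL };
    char *envp[] = { "PATH=/usr/bin:/bin", NULL }; /* assumed minimal environment */
    pid_t pid;
    int status;

    if (!is_exactly(arg, ALNUM, 5))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* arg travels as a single argv element; no shell ever parses it */
        execve("/bin/touch", argv, envp);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int
main(int argc, char **argv)
{
    if (argc != 2)
        return 2;
    return safe_touch(argv[1]) == 0 ? 0 : 1;
}
```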