MORE SECURE SYSTEM

The file msystem.c contains versions of system(3), popen(3), and
pclose(3) that provide considerably more security than the standard
C functions.  They are named msystem, mpopen, and mpclose, respectively.
While I don't guarantee them to be PERFECTLY secure, they do constrain
the environment of the child quite tightly, tightly enough to close the
obvious holes.

By default, when you call msystem(), you get the following
environment:

	PATH=/bin:/usr/bin:/usr/ucb:/etc
	SHELL=/bin/sh
	IFS=" \t\n"
	umask 077

(no other environment variables are defined), and the EUID and EGID are
reset to the RUID and RGID, respectively.  All file descriptors are closed
across the exec.

It does NOT attempt to parse the command and determine whether what you are
doing should be allowed.  There are enough shells with sufficiently different
syntaxes that writing one of those beasts would be a library in itself!  Once
you have done that checking yourself, though, these routines will let you
execute those commands more securely than the standard libraries.

Use msystem, mpopen, and mpclose exactly like system(3), popen(3), and
pclose(3).

==========
COMPILING

Use the Makefile.  Before you do anything, look in the Makefile for system-
specific things to set.  Then:

	make lib	to make the libmsystem.a library
	make tester	to build a test program
	make testfd	to build another test program
	make all	to make libmsystem.a, tester, and testfd
	make clobber	clean up everything in the directory

==========
ALTERING THE ENVIRONMENT AT RUN TIME

This default environment can be tailored to your liking by a series of
functions:

le_set("VAR=XXX")
	define the environment variable VAR to have value XXX in
	the subprocess environment
le_set("VAR=")
	define the environment variable VAR to have an empty value
	in the subprocess environment
le_set("VAR")
	define the environment variable VAR to have the same value
	in the subprocess environment as it does in the current environment
le_unset("VAR")
	delete the environment variable VAR from the subprocess environment
le_umask(UMASK)
	set the subprocess umask to UMASK (integer)

le_openfd(n)
	do not close file descriptor n before running the subprocess

le_closefd(n)
	close file descriptor n before running the subprocess; this is the
	default, but this is provided to reset things after calling le_openfd

le_uid(UID)
	reset the effective (and, if root, the real) uid to UID; if UID is -1,
	the uid is left unchanged; if UID is less than -1, it is reset to the
	calling process's effective uid

le_gid(GID)
	reset the effective (and, if root, the real) gid to GID; if GID is -1,
	the gid is left unchanged; if GID is less than -1, it is reset to the
	calling process's effective gid

All return:
	SE_NONE		no error
	SE_NOMEM	couldn't do it; ran out of memory
	SE_ENVVAR	couldn't do it; too many environment vars defined
	SE_BADUMASK	umask not reset; not given a valid number
	SE_BADFD	no such file descriptor

If you want error messages to be printed to stderr, set the global variable

	int le_verbose

to 1.
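The technique the sections above describe, as an added, self-contained C sketch that is not the code from msystem.c and not Matt Bishop's: a fixed environment table holding the default PATH, SHELL and IFS, le_set/le_unset-style editing of that table, and a system(3) replacement that closes every descriptor above 2, sets umask 077, resets the effective ids to the real ids, and execs /bin/sh with only that table as its environment.  The names safe_env_set, safe_env_unset, safe_system and the MAX_ENV limit are assumptions of this example.  Unlike the library's default, it keeps descriptors 0, 1 and 2 open (what calling le_openfd on them would give you), so the shell can still report, and it returns the child's exit status rather than the raw wait status.

```c
/* Added example, not msystem.c's code: a sketch of what msystem() does
 * (sanitized env, umask 077, ids reset, fds closed). Names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

#define MAX_ENV 64   /* assumed table size; the library's own limit may differ */

/* The subprocess environment: starts as the README's three defaults. */
static char *safe_env[MAX_ENV + 1] = {
    "PATH=/bin:/usr/bin:/usr/ucb:/etc",
    "SHELL=/bin/sh",
    "IFS= \t\n",
    NULL
};
static mode_t safe_umask = 077;

/* Index of the entry whose name is the first n bytes of name, or -1. */
static int env_find(const char *name, size_t n) {
    for (int i = 0; safe_env[i] != NULL; i++)
        if (strncmp(safe_env[i], name, n) == 0 && safe_env[i][n] == '=')
            return i;
    return -1;
}

/* le_set-style: "VAR=XXX" sets, "VAR=" empties, "VAR" copies the value from the
 * current process. Returns 0, or -1 when the table is full or malloc fails. */
int safe_env_set(const char *spec) {
    const char *eq = strchr(spec, '=');
    size_t n = eq ? (size_t)(eq - spec) : strlen(spec);
    char *entry;
    if (eq == NULL) {
        const char *val = getenv(spec);
        if (val == NULL) val = "";
        size_t len = n + 1 + strlen(val) + 1;
        entry = malloc(len);
        if (entry == NULL) return -1;
        snprintf(entry, len, "%s=%s", spec, val);
    } else {
        entry = strdup(spec);
        if (entry == NULL) return -1;
    }
    int i = env_find(spec, n);
    if (i < 0) {                         /* append a new entry */
        for (i = 0; safe_env[i] != NULL; i++) {}
        if (i >= MAX_ENV) { free(entry); return -1; }
        safe_env[i + 1] = NULL;
    }
    safe_env[i] = entry;                 /* old entry not freed: defaults are literals */
    return 0;
}

/* le_unset-style: drop VAR from the subprocess environment; -1 if absent. */
int safe_env_unset(const char *name) {
    int i = env_find(name, strlen(name));
    if (i < 0) return -1;
    for (; safe_env[i] != NULL; i++)
        safe_env[i] = safe_env[i + 1];
    return 0;
}

/* system(3) replacement: /bin/sh sees ONLY safe_env, umask safe_umask, the real
 * uid/gid, and no descriptor above 2. Returns the child's exit status, or -1 on
 * fork/wait failure or if the child was killed by a signal. */
int safe_system(const char *cmd) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        long maxfd = sysconf(_SC_OPEN_MAX);
        if (maxfd < 0) maxfd = 1024;
        for (long fd = 3; fd < maxfd; fd++)
            close((int)fd);
        umask(safe_umask);
        /* give up any set-id privilege before the shell sees the command */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        char *argv[] = { "sh", "-c", (char *)cmd, NULL };
        execve("/bin/sh", argv, safe_env);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("HOME unset: %d\n", safe_system("[ -z \"$HOME\" ]"));
    safe_env_set("HOME=/tmp");
    printf("HOME=/tmp:  %d\n", safe_system("[ \"$HOME\" = /tmp ]"));
    printf("umask 077:  %d\n", safe_system("[ \"$(umask)\" = 0077 ]"));
    return 0;
}
```

The checks in main() run inside the child shell and report through the exit status, which is the only channel a caller of msystem() can rely on once descriptors have been closed; the README's own le_verbose flag is the equivalent for the library's error reporting.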

================
CUSTOMIZING THE DEFAULTS

If you don't like the default settings, you need to look in one of two places:

This contains the macros (look towards the bottom); they can all
be overridden at compile time.  If you want to add new permanent
environment variables (i.e., the ones set by default), add a macro
like the DEF_PATH one, then go into msystem.c and add the macro to
the nvfix array.  Presto!  You've done it.

================
SYSTEMS IT HAS BEEN TESTED ON

SunOS 4.1.3
IRIX 4.0.5
ULTRIX 4.3A
	If you get it running on other systems, let me know, please
	(ESPECIALLY if you make changes, so I can incorporate them!)

================
AUTHOR, VERSION, DISCLAIMER, ETC.


Matt Bishop
Department of Computer Science
University of California, Davis
Davis, CA  95616-8562

phone: (916) 752-8060
fax: (916) 752-4767
email: bishop@cs.ucdavis.edu

This code is placed in the public domain.  I do ask that
you keep my name associated with it, that you not represent
it as written by you, and that you preserve these comments.
This software is provided "as is" and without any guarantees
of any sort.

================
HISTORY

Version 1.0		May 19, 1994		Matt Bishop
	Original version, taken and modified from passwd+ beta

