Execute users commands directly instead through a shell

larsewi · larsewi · commit 706ffc527be6 · 2025-11-28T13:25:39.000+01:00
See ticket for more info. Ticket: ENT-13535 Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
diff --git a/cf-agent/verify_users_pam.c b/cf-agent/verify_users_pam.c
@@ -413,7 +413,7 @@ static bool ChangePasswordHashUsingChpasswd(const char *puser, const char *passw
     int status;
     const char *cmd_str = CHPASSWD " -e";
     Log(LOG_LEVEL_VERBOSE, "Changing password hash for user '%s'. (command: '%s')", puser, cmd_str);
-    FILE *cmd = cf_popen_sh(cmd_str, "w");
+    FILE *cmd = cf_popen(cmd_str, "w", true);
     if (!cmd)
     {
         Log(LOG_LEVEL_ERR, "Could not launch password changing command '%s': %s.", cmd_str, GetErrorStr());
@@ -645,12 +645,14 @@ static bool ExecuteUserCommand(const char *puser, const char *cmd, size_t sizeof
 
     Log(LOG_LEVEL_VERBOSE, "%s user '%s'. (command: '%s')", cap_action_msg, puser, cmd);
 
-    int status = system(cmd);
-    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
+    FILE *fptr = cf_popen(cmd, "w", true);
+    if (!fptr)
     {
         Log(LOG_LEVEL_ERR, "Command returned error while %s user '%s'. (Command line: '%s')", action_msg, puser, cmd);
         return false;
     }
+    cf_pclose(fptr);
+
     return true;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -413,7 +413,7 @@ static bool ChangePasswordHashUsingChpasswd(const char puser, const char passw`
`413`	`413`	`int status;`
`414`	`414`	`const char *cmd_str = CHPASSWD " -e";`
`415`	`415`	`Log(LOG_LEVEL_VERBOSE, "Changing password hash for user '%s'. (command: '%s')", puser, cmd_str);`
`416`		`- FILE *cmd = cf_popen_sh(cmd_str, "w");`
	`416`	`+ FILE *cmd = cf_popen(cmd_str, "w", true);`
`417`	`417`	`if (!cmd)`
`418`	`418`	`{`
`419`	`419`	`Log(LOG_LEVEL_ERR, "Could not launch password changing command '%s': %s.", cmd_str, GetErrorStr());`
`@@ -645,12 +645,14 @@ static bool ExecuteUserCommand(const char puser, const char cmd, size_t sizeof`
`645`	`645`
`646`	`646`	`Log(LOG_LEVEL_VERBOSE, "%s user '%s'. (command: '%s')", cap_action_msg, puser, cmd);`
`647`	`647`
`648`		`- int status = system(cmd);`
`649`		`- if (!WIFEXITED(status) \|\| WEXITSTATUS(status) != 0)`
	`648`	`+ FILE *fptr = cf_popen(cmd, "w", true);`
	`649`	`+ if (!fptr)`
`650`	`650`	`{`
`651`	`651`	`Log(LOG_LEVEL_ERR, "Command returned error while %s user '%s'. (Command line: '%s')", action_msg, puser, cmd);`
`652`	`652`	`return false;`
`653`	`653`	`}`
	`654`	`+ cf_pclose(fptr);`
	`655`	`+`
`654`	`656`	`return true;`
`655`	`657`	`}`
`656`	`658`