Execute users commands directly instead through a shell

larsewi · larsewi · commit d2842d967deb · 2025-11-28T13:20:34.000+01:00
See ticket for more info. Ticket: ENT-13535 Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
diff --git a/cf-agent/verify_users_pam.c b/cf-agent/verify_users_pam.c
@@ -413,7 +413,7 @@ static bool ChangePasswordHashUsingChpasswd(const char *puser, const char *passw
     int status;
     const char *cmd_str = CHPASSWD " -e";
     Log(LOG_LEVEL_VERBOSE, "Changing password hash for user '%s'. (command: '%s')", puser, cmd_str);
-    FILE *cmd = cf_popen_sh(cmd_str, "w");
+    FILE *cmd = cf_popen(cmd_str, "w", true);
     if (!cmd)
     {
         Log(LOG_LEVEL_ERR, "Could not launch password changing command '%s': %s.", cmd_str, GetErrorStr());
@@ -645,12 +645,9 @@ static bool ExecuteUserCommand(const char *puser, const char *cmd, size_t sizeof
 
     Log(LOG_LEVEL_VERBOSE, "%s user '%s'. (command: '%s')", cap_action_msg, puser, cmd);
 
-    int status = system(cmd);
-    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
-    {
-        Log(LOG_LEVEL_ERR, "Command returned error while %s user '%s'. (Command line: '%s')", action_msg, puser, cmd);
-        return false;
-    }
+    FILE *fptr = cf_popen(cmd, "w", true);
+    cf_pclose(fptr);
+
     return true;
 }
 
