There are dangers in starting scripts from programs which run with root
privileges. Normally, shell commands are started by executing them with
the help of a /bin/sh -c command. The trouble with this is that
it leaves one open to a variety of attacks. One example is fooling the
shell into starting foreign programs by manipulating the IFS
variable to treat '/' as a separator. You can ask cfengine to start
programs directly, without involving an intermediary shell, by setting
the useshell variable to false. The disadvantage is that you will
not be able to use shell directives such as | and > in
your commands. The owner=uid directive executes shell commands
as a special user, allowing you to safely run scripts without
root privilege.
Please take a moment to fill out
this visitor survey You can help support this site by
visiting the advertisers that sponsor it! (only once each, though)
