Problem with exec shell_escape option

Brian Candler b.candler at
Thu Dec 22 12:54:06 CET 2016

On 21/12/2016 18:51, Alan DeKok wrote:
>    It should work.  I'll see if I can add some tests.
Thank you.
>    But in general, passing user input to an exec'd program is a bad idea.  It's useful, but there are just too many opportunities for the user to do something bad.


The external password change program I've written isn't a shell script.

As far as I can tell from source: the 'exec' xlat expansion ultimately 
calls execve(prog, args), i.e. it doesn't invoke a shell itself.  Is 
that right?



More information about the Freeradius-Users mailing list