Background / Context: I am developing a Linux NAS Server (Like FreeNAS or Rockstor) using Golang, the particular features will be a JSON-REST API so that you can interact with LVM2, shares, packages, etc.
Question: With respect to security, performance, and development time, what are the advantages / disadvantages / best practices of implementing spawned processes or using a native library for certain features for a program?
Example: For my particular use case, the NAS management system will be using LVM2 to manage volumes. However you can use the CLI to manipulate volumes or you can attempt to use the LVM2 native C API and merge it with Golangs
There are two things that may make using exec in the different variants a no-go: security and speed.
Security: If you shell out with system() or friends, you must be absolutely certain that you don't include any strings in the command that may do funny stuff with your command line. It's the same basic problem as SQL code injection, just at a much lower and even more disastrous layer (obligatory XKCD, just replace "'); DROP TABLE Students;--" with valid sh code along the lines of '"; echo "pwnd', well, you get the idea).
Speed: When you shell out to an existing program, you create a new process, and that may be the performance hit you cannot tolerate. It's perfectly ok if the task for which you shell out takes more than a few milliseconds (process creation is somewhere in the range of a millisecond on Linux), but if you want more than a thousand calls per second, you definitely need to avoid this overhead.
If these two points are taken care of or proven to be non-issues, then it's perfectly ok to shell out to other processes.
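The security point above, as an added Go example that is not part of the original question or answer: the same hostile volume name is passed once through `sh -c` and once as a single argv element, with `echo` standing in for the real tool, and then rejected by an allow-list before an `lvcreate` argument vector is built. The helper names, the name pattern and the sample input are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Conservative allow-list for VG/LV names (an assumption of this example):
// LVM's documented character set, no leading hyphen, so a name cannot be read as an option.
var lvmName = regexp.MustCompile(`^[A-Za-z0-9_+.][A-Za-z0-9_+.-]{0,127}$`)

// LvcreateArgs (hypothetical helper) returns an argv for exec.Command; no shell is involved.
func LvcreateArgs(vg, lv string, sizeMiB uint64) ([]string, error) {
	for _, n := range []string{vg, lv} {
		if n == "." || n == ".." || !lvmName.MatchString(n) {
			return nil, fmt.Errorf("invalid LVM name %q", n)
		}
	}
	return []string{"lvcreate", "--size", fmt.Sprintf("%dm", sizeMiB), "--name", lv, vg}, nil
}

// ViaShell is the pattern to avoid: the name is spliced into a string that sh parses,
// so shell metacharacters in it become syntax.
func ViaShell(name string) (string, error) {
	out, err := exec.Command("sh", "-c", "echo created "+name).Output()
	return strings.TrimSpace(string(out)), err
}

// ViaArgv passes the name as one argv element; nothing interprets its contents.
func ViaArgv(name string) (string, error) {
	out, err := exec.Command("echo", "created", name).Output()
	return strings.TrimSpace(string(out)), err
}

func main() {
	hostile := "data; echo pwnd" // constructed input, modelled on the answer's example
	s, _ := ViaShell(hostile)
	a, _ := ViaArgv(hostile)
	fmt.Printf("shell: %q\nargv:  %q\n", s, a)
	_, err := LvcreateArgs("vg0", hostile, 1024)
	fmt.Println("validation:", err)
	args, _ := LvcreateArgs("vg0", "data", 1024)
	fmt.Println("argv to run:", args) // pass as exec.Command(args[0], args[1:]...)
}
```

In a JSON-REST handler, the validated slice would be handed to `exec.Command(args[0], args[1:]...)`, so request fields never reach a shell parser.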