For example, what happens if you make sure /bin/sh is a good patched bash, or it's dash instead, but then /usr/local/bin shows up first in PATH and contains an old crusty version of bash and sh? Which one does system() use?
It uses /bin/sh, which is hardcoded.
Else, it would fail to execute a binary if the path was empty.
From the man page, system(3):
The system() library function uses fork(2) to create a child process
that executes the shell command specified in command using execl(3) as
follows:
execl("/bin/sh", "sh", "-c", command, (char *) 0);
system() returns after the command has been completed.
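The difference between the hardcoded /bin/sh in system() and a PATH search such as execlp("sh", ...) can be checked directly. This is an added example, not part of the original answer. It assumes a Linux system with a writable /tmp; the decoy script, the shell_lookup() helper and the exit codes 7 and 42 are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

enum { SYSTEM_DECOY_PATH, EXECLP_DECOY_PATH, SYSTEM_NO_PATH };

/* Exit code from a wait status, or -1 if the child did not exit normally. */
static int exit_code(int status) {
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Run sh -c "exit 7" through execlp(), which searches PATH for "sh". */
static int run_via_path(void) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("sh", "sh", "-c", "exit 7", (char *)0);
        _exit(127); /* exec failed */
    }
    return waitpid(pid, &status, 0) == pid ? exit_code(status) : -1;
}

/* Constructed scenario: a temp directory holds a harmless decoy "sh" that
 * exits 42. Returns the exit code seen for `mode`; leaves PATH modified. */
int shell_lookup(int mode) {
    char dir[] = "/tmp/decoy-XXXXXX", file[32];
    FILE *f;
    int rc = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/sh", dir);
    if ((f = fopen(file, "w")) != NULL) {
        fputs("#!/bin/sh\nexit 42\n", f);
        fclose(f);
        chmod(file, 0755);
        if (mode == SYSTEM_NO_PATH) unsetenv("PATH"); else setenv("PATH", dir, 1);
        rc = mode == EXECLP_DECOY_PATH ? run_via_path() : exit_code(system("exit 7"));
        unlink(file);
    }
    rmdir(dir);
    return rc;
}

int main(void) {
    const char *name[] = {"system(), decoy PATH", "execlp(), decoy PATH", "system(), no PATH"};
    for (int m = 0; m < 3; m++) printf("%s: %d\n", name[m], shell_lookup(m));
    return 0;
}
```

The shell itself is located without PATH, but commands named inside the command string are still resolved by that shell through PATH, so a program that calls system("ls") remains sensitive to PATH even though the shell binary is fixed.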