|Age||Commit message (Collapse)||Author||Lines|
This completes the alternate backend support that was previously added
to the getpw* and getgr* functions. Unlike those, though, it
unconditionally queries nscd. Any groups from nscd that aren't in the
/etc/groups file are added to the returned list, and any that are
present in the file are ignored. The purpose of this behavior is to
provide a view of the group database consistent with what is observed
by the getgr* functions. If group memberships reported by nscd were
honored when the corresponding group already has a definition in the
/etc/groups file, the user's getgrouplist-based membership in the
group would conflict with their non-membership in the reported
gr_mem for the group.
The changes made also make getgrouplist thread-safe and eliminate its
clobbering of the global getgrent state.
the memory model we use internally for atomics permits plain loads of
values which may be subject to concurrent modification without
requiring that a special load function be used. since a compiler is
free to make transformations that alter the number of loads or the way
in which loads are performed, the compiler is theoretically free to
break this usage. the most obvious concern is with atomic cas
constructs: something of the form tmp=*p;a_cas(p,tmp,f(tmp)); could be
transformed to a_cas(p,*p,f(*p)); where the latter is intended to show
multiple loads of *p whose resulting values might fail to be equal;
this would break the atomicity of the whole operation. but even more
fundamental breakage is possible.
with the changes being made now, objects that may be modified by
atomics are modeled as volatile, and the atomic operations performed
on them by other threads are modeled as asynchronous stores by
hardware which happens to be acting on the request of another thread.
such modeling of course does not itself address memory synchronization
between cores/cpus, but that aspect was already handled. this all
seems less than ideal, but it's the best we can do without mandating a
C11 compiler and using the C11 model for atomics.
in the case of pthread_once_t, the ABI type of the underlying object
is not volatile-qualified. so we are assuming that accessing the
object through a volatile-qualified lvalue via casts yields volatile
access semantics. the language of the C standard is somewhat unclear
on this matter, but this is an assumption the linux kernel also makes,
and seems to be the correct interpretation of the standard.
the character sequence '$((' was incorrectly interpreted as the
opening of arithmetic even within single-quoted contexts, thereby
suppressing the checks for bad characters after the closing quote.
presently bad character checking is only performed when the WRDE_NOCMD
is used; this patch only corrects checking in that case.
as a result of commit e8e4e56a8ce1f3d7e4a027ff5478f2f8ea70c46b,
the later code path for setting optarg to a null pointer is no longer
necessary, and removing it eliminates an indention level and arguably
makes the code more readable.
the standard getopt does not touch optarg unless processing an option
with an argument. however, programs using the GNU getopt API, which we
attempt to provide in getopt_long, expect optarg to be a null pointer
after processing an option without an argument.
before argument permutation support was added, such programs typically
detected its absence and used their own replacement getopt_long,
masking the discrepency in behavior.
in the current version of __synccall, the callback is always run, so
failure to handle this case did not matter. however, the upcoming
overhaul of __synccall will have failure cases, in which case the
callback does not run and errno is already set. the changes being
committed now are in preparation for that.
this addresses alpine linux issue #3692 and brings the syslog message
length limit in alignment with uclibc's implementation.
commit b72cd07f176b876aa51864d93aa8101477b1d732 added support for a
this feature in getopt, but it was later broken in the case where
getopt_long is used as a side effect of the changes made in commit
91184c4f16b143107fa9935edebe5d2b20bd70d8, which prevented the
underlying getopt call from seeing the leading '-' or '+' character in
this commit changes the logic in the getopt_long core to check for a
leading colon, possibly after the leading '-' or '+', without
depending on the latter having been skipped by the caller. a minor
incorrectness in the return value for one error condition in
getopt_long is also fixed when opterr has been set to zero but
optstring has no leading ':'.
based on patch by Dima Krasner, with minor improvements for code size.
connect can fail if there is no listening syslogd, in which case a
useless socket was kept open, preventing subsequent syslog call from
attempting to connect again.
based on discussion with and patches by Felix Janda. these changes
started as an effort to factor forkpty in terms of login_tty, which
returns an error and skips fd reassignment and closing if setting the
controlling terminal failed. the previous forkpty code was unable to
handle errors in the child, and did not attempt to; it just silently
ignored them. but this would have been unacceptable when switching to
using login_tty, since the child would start with the wrong stdin,
stdout, and stderr and thereby clobber the parent's files.
the new code uses the same technique as the posix_spawn implementation
to convey any possible error in the child to the parent so that the
parent can report failure to the caller. it is also safe against
thread cancellation and against signal delivery in the child prior to
the determination of success.
being a nonstandard function, this isn't strictly necessary, but it's
inexpensive and avoids unpleasant surprises. eventually I would like
all functions in libc to be safe against cancellation, either ignoring
it or acting on it cleanly.
not only is this semantically more correct; it also reduces code size
slightly by eliminating the need for the compiler to assume the
possibility of aliasing.
this is undocumented but possibly expected behavior of GNU
getopt_long, and useful when error message printing has been
some related changes are also made to getopt, and the return value of
getopt_long in the case of missing arguments is fixed.
if writing the error message fails, POSIX requires that ferror(stderr)
be set. and as a function that operates on a stdio stream, getopt is
required to lock the stream it uses, stderr.
fwrite calls are used instead of fprintf since there is a demand from
some users not to pull in heavy stdio machinery via getopt. this
mimics the original code using write.
if argv permutation is used, the option terminator "--" should be
moved before any skipped non-option arguments rather than being left
in the argv tail where the caller will see and interpret it.
this is an undocumented feature of GNU getopt_long that the BSD
version also mimics, and is reportedly needed by some programs.
in the case where an initial '+' was passed in optstring (a
getopt_long feature to suppress argv permutation), getopt would fail
to see a possible subsequent ':', resulting in incorrect handling of
the previous hard-coded offsets of +1 and +2 contained a hidden
assumption that the option character matched was single-byte, despite
this implementation of getopt attempting to support multibyte option
characters. this patch reworks the matching logic to leave the final
index pointing just past the matched character so that fixed offsets
can be used to check for ':'.
this is a GNU extension, activated by including '-' as the first
character of the options string, whereby non-option arguments are
processed as if they were arguments to an option character '\1' rather
than ending option processing.
Processing an option character with optional argument fails if the
option is last on the command line. This happens because the
if (optind >= argc) check runs first before testing for optional
The function originates from SunOS 4.x in which the null argument
is allowed. glibc also handles this case.
per the resolution of Austin Group issue #617, these are accepted for
XSI option in POSIX future and thus I'm treating them as standard
this function provides a way for third-party library code to use the
same logic that's used internally in libc for suppressing untrusted
input/state (e.g. the environment) when the application is running
with privleges elevated by the setuid or setgid bit or some other
mechanism. its semantics are intended to match the openbsd function by
the same name.
there was some question as to whether this function is necessary:
getauxval(AT_SECURE) was proposed as an alternative. however, this has
several drawbacks. the most obvious is that it asks programmers to be
aware of an implementation detail of ELF-based systems (the aux
vector) rather than simply the semantic predicate to be checked. and
trying to write a safe, reliable version of issetugid in terms of
getauxval is difficult. for example, early versions of the glibc
getauxval did not report ENOENT, which could lead to false negatives
if AT_SECURE was not present in the aux vector (this could probably
only happen when running on non-linux kernels under linux emulation,
since glibc does not support linux versions old enough to lack
AT_SECURE). as for musl, getauxval has always properly reported
errors, but prior to commit 7bece9c2095ee81f14b1088f6b0ba2f37fecb283,
the musl implementation did not emulate AT_SECURE if missing, which
would result in a false positive. since musl actually does partially
support kernels that lack AT_SECURE, this was problematic.
the intent is that library authors will use issetugid if its
availability is detected at build time, and only fall back to the
unreliable alternatives on systems that lack it.
patch by Brent Cook. commit message/rationale by Rich Felker.
this could happen on 2.4-series linux kernels that predate AT_SECURE
and possibly on other kernels that are emulating the linux syscall API
but not providing AT_SECURE in the aux vector at startup.
in principle applications should be checking errno anyway, but this
does not really work. to be secure, the caller would have to treat
ENOENT (indeterminate result) as possibly-suid and thereby disable
functionality in the typical non-suid usage case. and since glibc only
runs on kernels that provide AT_SECURE, applications written to the
glibc getauxval API might simply assume it succeeds.
this was previously a no-op, somewhat intentionally, because I failed
to understand that it only has an effect when sending to the logging
facility fails and thus is not the nuisance that it would be if always
sent output to the console.
this behavior is no longer valid in general, and was never necessary.
if the LOG_PERROR option is set, output to stderr could still succeed.
also, when the LOG_CONS option is added, it will need syslog to
proceed even if opening the log socket fails.
this is a nonstandard feature, but easy and inexpensive to add. since
the corresponding macro has always been defined in our syslog.h, it
makes sense to actually support it. applications may reasonably be
using the presence of the macro to assume that the feature is
the behavior of omitting the 'header' part of the log message does not
seem to be well-documented, but matches other implementations (at
least glibc) which have this option.
based on a patch by Clément Vasseur, but simplified using %n.
errno must be saved upon vsyslog entry, otherwise its value could be
changed by some libc function before reaching the %m handler in
contributed by Isaac Dunham. this seems to be the last interface that
was missing for complete POSIX 2008 base + XSI coverage.
this extension is not incompatible with the standard behavior of the
function, not expensive, and avoids requiring a replacement getopt
with full GNU extensions for a few important apps including busybox's
sed with the -i option.
On 32 bit mips the kernel uses -1UL/2 to mark RLIM_INFINITY (and
this is the definition in the userspace api), but since it is in
the middle of the valid range of limits and limits are often
compared with relational operators, various kernel side logic is
broken if larger than -1UL/2 limits are used. So we truncate the
limits to -1UL/2 in get/setrlimit and prlimit.
Even if the kernel side logic consistently treated -1UL/2 as greater
than any other limit value, there wouldn't be any clean workaround
that allowed using large limits:
* using -1UL/2 as RLIM_INFINITY in userspace would mean different
infinity value for get/setrlimt and prlimit (where infinity is always
-1ULL) and userspace logic could break easily (just like the kernel
is broken now) and more special case code would be needed for mips.
* translating -1UL/2 kernel side value to -1ULL in userspace would
mean that -1UL/2 limit cannot be set (eg. -1UL/2+1 had to be passed
to the kernel instead).
open is handled specially because it is used from so many places, in
so many variants (2 or 3 arguments, setting errno or not, and
cancellable or not). trying to do it as a function would not only
increase bloat, but would also risk subtle breakage.
this is the first step towards supporting "new" archs where linux
lacks "old" syscalls.
in a sense this implementation is incomplete since it doesn't provide
the HWCAP_* macros for use with AT_HWCAP, which is perhaps the most
important intended usage case for getauxval. they will be added at a
on x32, this change allows programs which use syscall() with pointers
or 64-bit values as arguments to work correctly, i.e. without
truncation or incorrect sign extension. on all other supported archs,
syscall_arg_t is defined as long, so this change is a no-op.
the incorrect error codes also made their way into errno when
__ptsname_r was called by plain ptsname, which reports errors via
errno rather than a return value.
the incorrect check for crossing device boundaries was preventing nftw
from traversing anything except the initially provided pathname.
our getcwd already (as an extension) supports allocation of a buffer
when the buffer argument is a null pointer, so there's no need to
duplicate the allocation logic in this wrapper function. duplicating
it is actually harmful in that it doubles the stack usage from
PATH_MAX to 2*PATH_MAX.
loop condition was incorrect and confusing and caused an infinite loop
when (broken) applications reaped the pid from a signal handler or
another thread before wordexp's call to waitpid could do so.
when WRDE_NOSPACE is returned, the we_wordv and we_wordc members must
be valid, because the interface contract allows them to return partial
in the case of zero results (due either to resource exhaustion or a
zero-word input) the we_wordv array still should contain a terminating
null pointer and the initial we_offs null pointers. this is impossible
on resource exhaustion, so a correct application must presumably check
for a null pointer in we_wordv; POSIX however seems to ignore the
issue. the previous code may have crashed under this situation.
avoid using exit status to determine if a shell error occurred, since
broken programs may install SIGCHLD handlers which reap all zombies,
including ones that don't belong to them. using clone and __WCLONE
does not seem to work for avoiding this problem since exec resets the
exit signal to SIGCHLD.
instead, the new code uses a dummy word at the beginning of the
shell's output, which is ignored, to determine whether the command was
executed successfully. this also fixes a corner case where a word
string containing zero words was interpreted as a single zero-length
word rather than no words at all. POSIX does not seem to require this
case to be supported anyway, though.
in addition, the new code uses the correct retry idiom for waitpid to
ensure that spurious STOP/CONT signals in the child and/or EINTR in
the parent do not prevent successful wait for the child, and blocks
signals in the child.