| Commit message | Author | Age | Files | Lines |
| * | revert regression in faccessat AT_EACCESS robustness
commit f9fb20b42da0e755d93de229a5a737d79a0e8f60 switched from using a
pipe for the result to conveying it via the child process exit status.
Alexander Monakov pointed out that the latter could fail if the
application is not expecting faccessat to produce a child and performs
a wait operation with __WCLONE or __WALL, and that it is not clear
whether it's guaranteed to work when SIGCHLD's disposition has been
set to SIG_IGN.
in addition, that commit introduced a bug that caused EACCES to be
produced instead of EBUSY due to an exit path that was overlooked when
the error channel was changed, and introduced a spurious retry loop
around the wait operation.
| Rich Felker | 2018-02-05 | 1 | -21/+14 |
| * | simplify faccessat AT_EACCESS path and eliminate resource dependence
now that we're waiting for the exit status of the child process, the
result can be conveyed in the exit status rather than via a pipe.
since the error value might not fit in 7 bits, a table is used to
translate possible meaningful error values to small integers.
| Rich Felker | 2013-11-01 | 1 | -14/+21 |
| * | fix faccessat AT_EACCESS path not to leave zombie processes
I mistakenly assumed that clone without a signal produced processes
that would not become zombies; however, waitpid with __WCLONE is
required to release their pids.
| Rich Felker | 2013-11-01 | 1 | -2/+6 |
| * | in faccessat slow path, add close-on-exec to pipe fds
as usual, this is needed to avoid fd leaks. as a better solution, the
use of fds could possibly be replaced with mmap and a futex.
| Rich Felker | 2013-10-18 | 1 | -1/+1 |
| * | fix uid/gid-setting error in faccessat with AT_EACCESS flag
this fixes an issue reported by Daniel Thau whereby faccessat with the
AT_EACCESS flag did not work in cases where the process is running
suid or sgid but without root privileges. per POSIX, when the process
does not have "appropriate privileges", setuid changes the euid, not
the real uid, and the target uid must be equal to the current real or
saved uid; if this condition is not met, EPERM results. this caused
the faccessat child process to fail.
using the setreuid syscall rather than setuid works. POSIX leaves it
unspecified whether setreuid can set the real user id to the effective
user id on processes without "appropriate privileges", but Linux
allows this; if it's not allowed, there would be no way for this
function to work.
| Rich Felker | 2013-10-12 | 1 | -2/+2 |
| * | fix missing return value warning in faccessat, minor cleanup
clone will pass the return value of the start function to SYS_exit
anyway; there's no need to call the syscall directly.
| Rich Felker | 2013-08-31 | 1 | -1/+1 |
| * | block all signals, even implementation-internal ones, in faccessat child
the child process's stack may be insufficient size to support a signal
frame, and there is no reason these signal handlers should run in the
child anyway.
| Rich Felker | 2013-08-09 | 1 | -1/+1 |
| * | fix faccessat to support AT_EACCESS flag
this is another case of the kernel syscall failing to support flags
where it needs to, leading to horrible workarounds in userspace. this
time the workaround requires changing uid/gid, and that's not safe to
do in the current process. in the worst case, kernel resource limits
might prevent recovering the original values, and then there would be
no way to safely return. so, use the safe but horribly inefficient
alternative: forking. clone is used instead of fork to suppress
signals from the child.
fortunately this worst-case code is only needed when effective and
real ids mismatch, which mainly happens in suid programs.
| Rich Felker | 2013-08-03 | 1 | -1/+46 |
| * | global cleanup to use the new syscall interface | Rich Felker | 2011-03-20 | 1 | -1/+1 |
| * | initial check-in, version 0.5.0 | Rich Felker | 2011-02-12 | 1 | -0/+7 |