Date: Wed, 22 Jan 2020 17:05:15 -0500
From: Rich Felker
To: Paul Eggert
Cc: Florian Weimer, musl@lists.openwall.com, 39236@debbugs.gnu.org
Message-ID: <20200122220515.GH30412@brightrain.aerifal.cx>
Subject: Re: bug#39236: [musl] coreutils cp mishandles error return from lchmod

On Wed, Jan 22, 2020 at 01:55:57PM -0800, Paul Eggert wrote:
> On 1/22/20 7:08 AM, Florian Weimer wrote:
> >I think you misread what I wrote: lchmod *always* returns ENOSYS. Even
> >if the file is not a symbolic link. Likewise, fchmodat with
> >AT_SYMLINK_NOFOLLOW *always* returns ENOTSUP.
>
> That's too bad, because coreutils (and many other applications, I
> expect) assume that lchmod (and fchmodat with AT_SYMLINK_NOFOLLOW)
> to act like chmod except not follow symlinks, in order to make it
> less likely that the application will run afoul of a symlink race
> and chmod the wrong file. Isn't that how the Linux fstatat call
> behaves? And if so, why does glibc fstatat refuse to support this
> behavior?

I think you're confusing fchmodat with fstatat. The Linux fchmodat
syscall lacks a flags argument and thus doesn't suffice to implement
fchmodat. The fstatat syscall does work.

> To work around this bug, I suppose coreutils etc. should do
> something like the following:
>
> 1. Never use lchmod since the porting nightmare is bad enough without it.
>
> 2. On non-glibc systems (or glibc systems where the bug is fixed),
> use fchmodat with AT_SYMLINK_NOFOLLOW.
>
> 3. On glibc systems with the bug, use openat with
> AT_SYMLINK_NOFOLLOW and O_PATH, and then fchmod the resulting file
> descriptor.
>
> Does this sound right? Or is there some O_PATH gotcha that I haven't
> thought about?

I think fchmod historically did not work on O_PATH file descriptors,
which is why musl is using chmod on the procfs magic symlink. However,
fchmodat might work too with an empty pathname; I'm not sure.

I think these fixes are better encapsulated as a replacement for
missing/broken fchmodat, rather than putting the logic in individual
utilities or coreutils-specific library code.

Also, note that if you want to skip checking stat to make sure you
didn't open a symlink with O_PATH, that depends on confirming
Florian's claim that the kernel documents it will not follow the
symlink.

> Come to think of it, perhaps the best thing would be to change
> Gnulib's lchmod and fchmodat modules so that they do what
> applications expect, even on buggy glibc systems.
> (Which would be ironic, since Gnulib's main goal is to put wrappers
> around other libraries so that they look more like glibc.)

I think we're approaching a consensus that glibc should fix this too,
so then it would just be gnulib matching the fix.

Rich
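
One way to write the replacement discussed in this thread, as an added example that is not code from musl, glibc, Gnulib or coreutils: open the path with O_PATH and O_NOFOLLOW, check with fstat that the descriptor is not a symlink, then chmod through the /proc/self/fd magic symlink. The names chmod_nofollow and selftest are hypothetical, the fixture under /tmp is constructed, and a mounted /proc is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000 /* asm-generic value, used only if headers hid it */
#endif
/* Hypothetical helper: chmod path (relative to dirfd) without following a
   final symlink. Returns 0, or -1 with errno set. */
int chmod_nofollow(int dirfd, const char *path, mode_t mode)
{
    char proc[64];
    struct stat st;
    int r = -1, e;
    /* O_PATH|O_NOFOLLOW pins the named object itself, even if a symlink. */
    int fd = openat(dirfd, path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0) {
        if (S_ISLNK(st.st_mode)) {
            errno = ENOTSUP;   /* opened a symlink itself: refuse */
        } else {
            /* fchmod() rejects O_PATH fds; use the procfs magic symlink. */
            snprintf(proc, sizeof proc, "/proc/self/fd/%d", fd);
            r = chmod(proc, mode);
        }
    }
    e = errno; close(fd); errno = e;   /* keep errno across close() */
    return r;
}

/* Constructed fixture: temp dir with file "f" (0600) and symlink "l" -> "f".
   Returns 0 if "f" becomes 0640 and "l" is refused, else a step number. */
int selftest(void)
{
    char dir[] = "/tmp/chmodnfXXXXXX";
    struct stat st;
    if (!mkdtemp(dir)) return 1;
    int d = open(dir, O_RDONLY | O_DIRECTORY);
    int f = openat(d, "f", O_CREAT | O_WRONLY, 0600);
    if (d < 0 || f < 0 || symlinkat("f", d, "l") < 0) return 2;
    if (chmod_nofollow(d, "f", 0640) != 0) return 3;
    if (chmod_nofollow(d, "l", 0666) != -1 || errno != ENOTSUP) return 4;
    if (fstatat(d, "f", &st, 0) < 0 || (st.st_mode & 07777) != 0640) return 5;
    unlinkat(d, "l", 0); unlinkat(d, "f", 0); close(f); close(d); rmdir(dir);
    return 0;
}
int main(void) { return selftest(); }
```

Because the descriptor pins the inode before the type check, swapping the path for a symlink after the open cannot redirect the chmod.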